What is IAB’s Multi-State Privacy Agreement (MSPA)?

Another day, another way for the ad tech alphabet soup plot to thicken.

But this time, it seems to be a step in the right direction towards unifying compliance across state privacy laws called the Multi-State Privacy Agreement (MSPA).

As of late, IAB and the IAB Tech Lab is committed to encouraging the advertising ecosystem to put consumer privacy first. Along with that goal, they updated their privacy protocols and agreements to support publishers, advertisers, and ad tech companies. For months, we’ve speculated there would be just one contractual framework to ensure privacy compliance across all the current state-led privacy legislations, and this may be it.

“The patchwork of state regulations creates an increasingly complicated compliance landscape for the digital advertising industry,” said Michael Hahn, EVP, General Counsel, IAB, and IAB Tech Lab. “The IAB Legal Affairs Council has been focused on meeting this challenge for the past year. We believe the MSPA – the product of collaboration from stakeholders across the industry – is a crucial tool to solve this challenge.”

The Multi-State Privacy Agreement (MSPA) supplies a refurbished framework to ensure privacy compliance across five new state privacy laws. It works alongside the IAB Tech Lab’s US State Signals initiative, also recently released as an extension of the Global Privacy Platform (GPP). Both are available for public comment until October 27, 2022.

How Will the MSPA Help Streamline Privacy Concerns?

Think of the MSPA as the big brother of the Limited Services Provider Agreement (LSPA), which was initiated to guarantee compliance with the California Consumer Privacy Act (CCPA). 

The great thing about this agreement is it serves as a watchdog over all privacy legislations. The CCPA, the California Privacy Rights Act (CPRA, coming January 2023), and all the others going into effect in 2023; the Colorado Privacy Act (CoPA), Connecticut Data Privacy Act (CDPA), Utah Consumer Privacy Act (UCPA), and Virginia’s Consumer Data Protection Act (VCDPA).

This agreement and its partner in crime, IAB Tech Lab’s GPP, including its state-level signaling, will assist member companies in handling the ever-so-complex global privacy compliance landscape and managing the different consent signals from multiple jurisdictions.

“The MSPA does four things. First, it provides a scaled way of incorporating terms in the service provider contracts and agreements covering third-party “sales” of personal information,” Hahn explains. 

“Second, it covers contractual gaps in the digital advertising distribution chain where parties will need contracts covering “sales” of personal information. However, no such contract type presently exists between industry participants. Third, it provides a legal framework for service providers to measure ads and set a frequency cap. Fourth, it provides an optional “national approach” to find the highest common denominator in the privacy requirements across the five new state laws.”

Will Implementing the MSPA Serve As a Gift or a Curse to Publishers?

Only time will tell if MSPA will serve as a gift or a curse to publishers. As we all know, a few IAB-initiated privacy measures have fumbled, but everything is trial and error in this industry. 

We know this is the first privacy agreement we are seeing that kind of puts all the new state laws under one umbrella to simplify things seemingly. 

Still, there’s reason to pause. None of us can forget how the Belgian Data Protection Authority (BDPA) went after IAB Europe’s Transparency and Consent Framework (TCF) for breaching GDPR rules.

And some ad tech experts have a profound uneasiness about the Tech Lab’s GPP about a month ago, implying that it causes more harm than it will help the ecosystem. In particular, Washington Post Engineering Lead, Aram Zucker-Scharff, is concerned that “GPP fails to provide any real change over TCF, besides this bolt-on of new string encoding methods.”

“GPP does not represent a significant technical change from TCF, and it is hard to see how it could meet the basic objections from EU courts,” he tweeted last month. He also questioned the IAB’s push towards vendor list specification and the potential fingerprinting risk it opens up. And he doesn’t seem to be alone in his worries. 

Crawling before walking might be the mantra here.