IAB Expands Multi-State Privacy Agreement

The Interactive Advertising Bureau recently revised its Multi-State Privacy Agreement -- a contractual framework aimed at helping companies comply with state privacy laws -- by broadening coverage to a total of 19 states.

The multi-state pact, launched in 2022 by the IAB, initially incorporated privacy laws in five states -- California, Colorado, Connecticut, Utah, and Virginia.

Since then, numerous other states have passed privacy measures. The updated pact now covers privacy laws in 14 of those additional states.

The IAB describes the agreement as “a set of privacy-protective terms that spring into place among a network of signatories and that follow the data as it flows through the digital ad supply chain.”

advertisement

advertisement

The organization says the agreement works in conjunction with the IAB Tech Lab's “Global Privacy Platform,” described as “a uniform privacy signaling specification that allows companies to communicate and honor consumer choices throughout the ads ecosystem.”

To date, 1,300 companies have signed the pact, according to IAB Tech Lab CEO Anthony Katsur.

He adds that the initiative aims to give signatories “greater peace of mind” that the digital ad companies they do business with aren't violating state laws.

The IAB Tech Lab is also renaming the Global Privacy Platform's US National Section, which will now be called the Multi-State Privacy Agreement US National Section.

While all of the recent state privacy laws attempt to give consumers more control over their data, the specific requirements vary.

For instance, states including California, Colorado, Connecticut, Montana, New Hampshire, New Jersey and Oregon require companies to let residents use a universal mechanism, like the Global Privacy Control, to reject targeted advertising. Such mechanisms allow people to opt out of all targeted advertising, as opposed to opting out company-by-company. (Texas requires companies to honor universal mechanisms if the companies honor such mechanisms in other states.)

Some other states with privacy laws, such as Utah, require businesses to allow people to opt out of targeted advertising, but don't require those companies to honor universal opt-out mechanisms.

And yet other states -- including Iowa, Kentucky and Tennessee -- passed privacy laws that don't require companies to let people opt out of ad targeting based on pseudonymous information, like data linked to cookies or device identifiers. Common behavioral ad targeting techniques rely on pseudonymous identifiers to track people across the web and infer their interests.

This article has been updated.

Next story loading loading..