The Multi-State Privacy Agreement (MSPA) was launched at the end of 2022 by the Interactive Advertising Bureau (IAB) and the IAB Tech Lab. It provides a single framework which aims to help organizations meet the legal requirements of an increasingly complex consumer privacy landscape in the US.

The Headlines

• The US consumer data privacy landscape is becoming increasingly complicated to navigate as five different states (California, Colorado, Connecticut, Utah, and Virginia) introduce their own compliance legislation in 2023.
  
  
• Each new law requires companies to make it easy for consumers to protect their personal data, but has slightly different requirements.
  
  
• The MSPA has been created by the IAB and the IAB Tech Lab to take a singular approach to make it easier to tackle the ‘patchwork of state regulations’.
  

What is the Multi-State Privacy Agreement (MSPA)?

The MSPA is a newly developed framework from the collaboration between the IAB and the IAB Tech Lab that introduced the Global Privacy Platform (GPP) in 2022. 

It's intended to help businesses adhere to new privacy laws as different US states introduce their own individual legal requirements, creating what is often referred to as a ‘patchwork of state regulations’, which are making the privacy compliance landscape increasingly complex.

Specifically, its current remit is to address compliance with five new state privacy regulations that have either been introduced or are scheduled to launch in 2023. The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), and the Virginia Consumer Data Protection Act came into force on January 1st, the Connecticut Data Privacy Act and the Colorado Privacy Act are scheduled for July 1st, and the Utah Consumer Privacy Act will take effect on December 31st, 2023. As their names suggest, these all focus on consumer privacy, but their requirements and nuances all differ.

In 2020, the IAB released its Limited Service Provider Agreement (LSPA) with the aim of enabling compliance with the CCPA. However, new privacy laws—including the CPRA—require an expanded approach, which the MSPA aims to solve.

How the Multi-State Privacy Agreement (MSPA) works

The aim of the MSPA is to create a single contractual framework which ensures consumer privacy compliance across the current state-led privacy legislations, while enabling the online advertising sector to continue to function. To do so, the MSPA offers guidance on two methodologies—state-by-state and national—that empower publishers to choose how they wish to approach data compliance.

If the state approach is taken, the new state laws require companies to offer consumers an easy way to opt out of the collection and sale of their personal data, as well as targeted advertising. This new approach is complicated by the privacy laws applying to where a consumer lives, not where the organization in question is based. With limited/no visibility into the location of people visiting the site, it is difficult to determine their data rights.

The MSPA’s national option takes on the highest common denominator for compliance (widely regarded as California’s privacy laws, which several states have since used as a template). Using the GPP, it also ensures that downstream partners convey consumers’ opt-out signals.

The CPRA requires that whenever a business “sells” a user’s personal information (which happens during common practices such as the delivery, measurement and frequency capping of ads and may not include a financial exchange), it is done on a contractual basis. But there isn’t necessarily a contract in place for every element of the programmatic advertising supply chain—and the number of transactions taking place make instigating this an impossible task.

Put very simply, the MSPA, along with the GPP, use the highest common denominator for compliance (the CPRA) as the standard to instigate privacy contracts where they don’t normally exist. The aim is to safeguard a consumer’s data, while allowing the digital advertising sector to continue to operate with as little disruption as possible.

What does this mean for publishers?

The key premise of the MSPA is that consumers have an easy way to opt out of having their personal data collected and sold. A first step for complying is for publishers to build consent management capability into their website, as well as preparing an agreed text that explains to site visitors how their data is used.

The MSPA offers a uniform method for publishers to indicate an individual's decision to opt out to ad technology vendors’ usage of their data while still allowing publishers to utilize their own first-party data for a less extensive form of processing, such as facilitating contextual targeting.

It also provides publishers a choice as to how they want to approach user privacy in the United States moving forward. By taking a state-level approach, publishers can maximize their revenues with the challenges of increased data organization and implementation. On the other hand, a national approach, while more straightforward, may leave money on the table in states that do not currently have data privacy laws.

Want to learn more about the MSPA and how it might affect you as a publisher? Reach out to The MediaGrid team to talk about your best strategy for user consent management.