Privacy compliance becomes a more complicated and costly issue for organizations with each new law passed. IAB Tech Lab, a non-profit research firm that focuses on the marketing industry, has introduced its Global Privacy Platform (GPP) in an attempt to streamline this process for organizations in the digital advertising space.
The project uses a single protocol that presently assists with existing European Union (EU) and California Consumer Privacy Act (CCPA) privacy compliance requirements. The platform essentially acts as a middleman to ensure that inbound customer traffic has had local privacy and consent requirements applied to it properly, and move that traffic between the various involved parties (such as tech platforms and digital advertising firms) in a way that ensures compliance is maintained throughout the process.
IAB attempts to streamline international privacy compliance, but platform still in development
The GPP is a portion of the “Project Rearc” initiative, launched by IAB in 2020 to address how digital advertising will proceed as the traditional tracking cookie is increasingly filtered out of the ecosystem. The project involves experts in various aspects of digital advertising and privacy regulation from over 480 companies around the world, and has announced plans for a variety of future projects https://iabtechlab.com/project-rearc/ such as an open source universal user ID token standard and a platform that allows companies in a supply chain to more easily verify that they are meeting privacy compliance obligations.
For now, the GPP is looking to automate the handling of two of the biggest privacy regulations that international firms are required to deal with: Europe’s Transparency & Consent Framework, and California’s CCPA. The project is currently in a public comment period that will last until August 1, and further details are scheduled to be revealed at the IAB Tech Lab Summit: Transcend taking place on June 9.
Anthony Katsur (CEO of IAB Tech Lab) described this as the “first version” of the GPP, implying future expansion. Jason J. Raqueno (Senior Director of Privacy at IAB Tech Lab) specifically named California’s upcoming CPRA (slated to replace the CCPA on January 1 2023) and Canada’s PIPEDA as regulatory frameworks the GPP was built to address, along with “numerous new local privacy laws.” Katsur added that the organization is seeking to work with Brazil, which passed its General Data Protection Law (LGPD) in 2020.
In addition to checking data in motion to ensure that the required local privacy compliance elements have been collected at each stage, the GPP will automate the checking of other elements that can trip an organization up in terms of data storage. It will also incorporate a global list of vendors that have registered with IAB at both regional and global levels. The GPP’s specifications indicate it will function by having a global API that accesses a set of localized IAB APIs, which in turn each address a particular privacy compliance law. This structure allows for new APIs to be created and quickly onboarded for new privacy and digital advertising regulations as they emerge. This is to include support for “non-web” devices such as mobile apps and streaming services.
Digital advertising fights to adapt as national regulations chip away at it
The GPP, and the IAB’s Rearc efforts in general, anticipate the near future of privacy compliance as being an even larger and messier web of regional requirements rather than one global standard that makes life easier for the digital advertising world. This means real added costs for all sorts of businesses as each new regulation comes online; the average annual cost of GDPR compliance is now over $1.3 million, and the average cost of compliance with just the CCPA in the US ranges from $50,000 to $2 million depending on company size.
Katsur does not anticipate a national privacy compliance standard emerging in the US for at least several years. In the meantime, a handful of states have enacted laws with comparable terms to those in the CCPA and even more are seeing legislators begin to raise and debate the issue. Some of these digital advertising laws cover state residents even as they visit other states; for example, California residents are always subject to the CCPA terms but may also be covered by the terms of the state they are visiting simultaneously.
The GPP looks to identify the user’s location and status and ensure that all of the required privacy compliance elements for the situation are collected. The cost savings is expected to be proportional to how many consent laws are currently applicable; for example if a California resident visits another state and accesses a site based in / storing data in a third state, the GPP could cut the compliance cost by two-thirds.