Compliance is not a choice. But companies have some choice in how they tackle it.
There are two main approaches.
Businesses can implement a compliance program on a state-by-state basis, essentially devising different data strategies to meet the legal requirements in each state where they have customers.
Or they can take a national approach by applying the strictest guidelines (say, California’s statute) across all jurisdictions.
With so many US state privacy laws either already or about to become enforceable – we’ll be up to 17 once the governor of Maryland gets out his pen – companies are increasingly opting for the national route to make compliance less complicated.
Now, so is Google – which is a big deal, because Google’s POV carries weight.
Where Google goes …
On Thursday, the Google Ad Manager account on LinkedIn posted that “coming soon, Google will support the MSPA US National Privacy Technical Specification (National String) as part of the IAB Tech Lab’s Global Privacy Platform (GPP).”
In English, that means Google is advocating a national approach as one viable option for privacy compliance in the US.
The MSPA is the Multi-State Privacy Agreement, a so-called “springing contract” that creates a legal relationship between signatories to enable compliance with multiple state laws as data flows through the digital supply chain. The National String transports user opt-ins and opt-outs between partners in the US.
The Global Privacy Platform (GPP) is the API-based technology that underpins the whole shebang and actually passes the strings. As of now, the GPP supports consent strings for California, Colorado, Connecticut, Utah and Virginia, with more states on the way.
’Member the TCF delays?
Although the MSPA can facilitate either a state-by-state or national approach to compliance, the IAB and the IAB Tech Lab have been pushing for the latter. Taking a standardized, highest-common-denominator approach to compliance is less madness-inducing (and more consistent) than trying to comply with the proverbial patchwork.
But the MSPA and GPP are the Tech Lab’s babies. It’s not surprising that they’re ballyhooing them.
Google backing the National String in GPP (what a jargon fest!) is more impactful because where Google goes, so goes the online ad industry. If Google is endorsing the national approach to compliance, you can expect ad tech companies, publishers and brands to follow suit.
Forgive a girl for being a little cynical, however. I can’t help it. The words “coming soon” in Google’s post give me a little pause.
Remember when Google promised to integrate the Transparency and Consent Framework into its CMP when GDPR went into effect in 2018 … and then it took Google two years of hemming, hawing and delays before it finally happened?
I’d suggest keeping an eye out but not holding your breath.
****************************************************************************
In other news, I attended Frankfurt Kurnit Klein & Selz’s tech law summit in New York City on Thursday and heard a few excellent gems. But as we were operating under Chatham House rules, I can only share them without attribution.
These are my favorite nuggets:
On compliance in the US: “A single privacy law would be better than a multitude of privacy laws, but I don’t think the sky is falling. By and large, with some imperfections along the way, folks have largely adjusted to this new reality. As additional privacy laws come online, as long as they fit within the rough framework … I still think it’s manageable. Not ideal, but certainly manageable.”
On Washington State’s My Health My Data Act: “[With] a national approach to health data, pharma companies would not even be able to advertise.”
On why else a national approach isn’t a panacea: “A lot of small companies in our ecosystem don’t necessarily know exactly where all their data is coming from and haven’t done the hard work of data mapping.”
And a little deadpan third-party cookie humor: “If today we announced a technology that was knowable, seeable, deletable, resettable on your computer and that allowed you to determine what you want to do with it in terms of the collection of your data, we would see that as a privacy-enhancing technology. (Pause for dramatic effect) That’s a cookie. And now all of a sudden, cookies are evil.”
🙏 Thanks for reading! As always, feel free to drop me a line at [email protected] with any comments or feedback. And remember to consult your lawyer about important issues such as this.
Story updated to reflect that Google hasn’t committed to adopting a national approach to privacy compliance in the US, but is rather backing a national approach as one potential pathway to compliance via the MSPA.