IAB Tech Lab Launches Working Group to Update India’s DPDPA 2023
A new era of data protection was ushered in when India’s Digital Personal Data Protection Act (DPDPA) went into effect on August 11, 2023. Digital advertising is anticipated to be significantly impacted by the law. To update the DPDPA 2023-specific details, the IAB Legal Affairs Council plans to form a dedicated working group. It will be formed under the Cross Jurisdiction Privacy Project (CJPP) – India. Meanwhile, brands and agencies will collaborate to understand how they must comply with the new legislation.
IAB’s global collaboration
IAB, IAB Tech Lab, and IAB Southeast Asia and India teams will make up the India chapter. It started a cooperative process in February and requested everyone’s approval before going public. It has asked for collaborative input from all members. This is especially policy teams, on comprehending and interpreting Indian law for the Global Privacy Platform (GPP). This has led to the creation of the GPP. It combines regulations from the General Data Protection Regulation (GDPR) and other sources. Furthermore, it ensures that multinational corporations operate seamlessly across regulatory landscapes.
Global members of the IAB Tech Lab are inherently included in this working group on technology and policy. These include industry heavyweights like Google and The Trade Desk (TTD). But its objective is to promote involvement from companies that are specific to India, like brands and local ad tech providers like ESPs or proprietary ad stacks like The Times of India.
Valuable local and international insights
It is anticipated that the upcoming CJPP – India chapter will give professionals from both local and international businesses valuable insights into how India’s recently passed privacy law is being implemented in the digital advertising industry. Its main goals are to update the CJPP – India chapter and provide legal inputs to improve the Global Privacy Platform (GPP) technical specification by the IAB Tech Lab. The latter will include a special section that addresses the implications of the DPDPA.
CJPP provides a summary of digital advertising regulations across several jurisdictions, including the US, Europe, and Brazil. It was developed following a thorough policy analysis based on regional legislation, such as India’s DPDPA, in cooperation with local IABs in the US and Europe. Currently, that cooperation is being expanded to include IAB Southeast Asia.
Read More: Google Reaches $5 Billion Class-Action Privacy Lawsuit Settlement
Expert Insights
According to Michael Hahn, EVP & general counsel, IAB Tech Lab, the chapter in the CJPP compendium needs to be revised to better reflect the new legal framework. The DPDPA raises the bar for privacy regulations in the industry. Moreover, it highlights how important it is to consider how to communicate customer privacy preferences throughout the digital ad ecosystem. It aims to improve the legal inputs for the GPP technical specification to establish accountability. As a result, publishers, ad tech intermediaries, and advertisers will be able to connect seamlessly and ensure that consumer privacy preferences are followed in compliance with local laws.
The CJPP has been one of Hahn’s most important initiatives. According to him, the project’s goal is to simplify legal comprehension and communication in the intricate world of international digital advertising.
IAB Tech Lab’s executive vice president, product, and chief operating officer Shailley Singh stated that the country’s new digital laws have made the establishment of an Indian chapter imperative.
Handling personal data with IAB Tech Lab
It is anticipated that the legal inputs for the India section of the IAB Tech Lab’s GPP technical specification will enable industry players to send out signals about the proper handling of customer personal data. Contractual agreements can utilize this information to incorporate assurances and guarantees about these signals. Furthermore, it is anticipated that this procedure will establish the foundation for a technical framework. This will guarantee market compliance.
IAB Tech Lab will encode the results into a transparency and consent string after CJPP and policy formulation. This string permits usage for things like behavioral advertising and data selling. Responders are informed of acceptable data usage and advertising when this encoded string is sent along with the ad request, which is selected by the user.
Read More: Omnicom, NBCUniversal Pioneer Program-Level At-Scale Reporting
Here’s what they said
Shailley Singh, executive vice president, product and chief operating officer, of IAB Tech Lab said,
This chapter will address the impact on the framework, creating specific elements for India to be integrated into the GPP, ensuring uniform functionality worldwide. The challenge is to align the consent management framework with the global standard. Our approach involves active engagement with our member community and not isolated decision-making. This process ensures a thorough collaboration, incorporating diverse perspectives and legal interpretations. We invite all entities in the advertising realm—publishers, agencies, brands, and Indian ad tech companies—to actively engage in this initiative
Furthermore, she added,
Previously, we adhered to an international framework, but now, with the need to adapt to India’s laws, adjustments are required. The GPP includes a general header for ad origin and consent details, with specific sections for each jurisdiction. A dedicated section for India will be added, ensuring accurate decoding of user permissions from the numerical string when impressions are served in India.
Michael Hahn, EVP & general counsel, IAB Tech Lab commented,
Collaborating with IAB Southeast Asia and India, our objective is to offer the market an initial understanding of how the new Privacy Law applies to the digital ad industry. Drawing on our expertise in understanding data flows, we aim to provide an in-depth analysis, building on our prior work in 11 jurisdictions. Given the timing, this analysis stands as one of the earliest post-law implementation publications. The genesis was a practical problem – the disconnect between Chief Privacy Officers of global companies based in the US and local lawyers engaged overseas. It aimed to bridge this gap by analysing privacy laws within the digital ad use case, addressing concerns around identity, personal information, and data storage. Establishing working groups over a year, we navigated complexities across 11 global jurisdictions
Read More: IAB Tech Lab Launches Two Working Groups for AI and Privacy Sandbox
NYC Bans TikTok On City-Issued Devices Amid Security Concerns
TikTok, a well-known application for short-form videos, has drawn attention from around the world. The most recent entity to impose app usage restrictions is New York City. It has instructed its staff to remove TikTok from phones acquired from the city. By doing this, they join the federal government and more than half of the states in prohibiting the use of the Chinese-owned social media app on government-provided electronic devices. A 30-day deadline has been set by the New York City Cyber Command, a part of the City’s Office of Technology and Innovation, for city employees to quit using TikTok. The division has found that the app puts the city’s technical networks at risk of security. In the previous year, Congress had moved to outlaw TikTok on federal devices, and several states have followed suit.
TikTok-U.S. Hot Waters
In December 2022, the US House of Representatives approved a bill that prohibited the use of TikTok on official equipment. Additionally, the Biden Administration intensified its lobbying campaigns against the app earlier this year to get TikTok to renounce its Chinese heritage and break ties with its parent business ByteDance. This has distinguished the app from other American social media behemoths. Shou Zi Chew, TikTok’s CEO, gave testimony before Congress as well. He put up with five hours of intense grilling from senators who were worried that China was using the app’s user data to jeopardize national security.
In response to worries that TikTok’s parent business, ByteDance, was sharing user data with the Chinese government and spying on Americans, the federal government ordered the staff to uninstall the app from government-issued cell phones earlier this year. Similar prohibitions were established in more than 25 states.
Read More: TikTok Market Struggles In Midst Of Trade War Between USA and China!
NYC bans Tiktok
Due to its connections to China and how it manages user data, TikTok has come under fire from American politicians. As a result of the political response, Montana passed a bill that essentially outlawed the app beginning in 2024. The Montana statute was challenged by TikTok, who claimed that it violated the First Amendment. The platform asserted that claims that the Chinese government had access to user data on TikTok were unfounded.
Since 2020, TikTok use on state-owned phones has been forbidden in New York, with a few exceptions for advertising channels. Officials from TikTok have stated that there is no basis for concern about cybersecurity risks associated with the app’s use. A few New York Public Relations platforms were nevertheless permitted under the policy to use the app for marketing. The software is now prohibited on state-owned devices in 30 states.
Three years after New York State discreetly imposed a comparable restriction on government devices in 2020, New York City has decided to limit TikTok to city-owned devices. The city cited federal laws imposed to outlaw the app, as well as U.S. Office of Management and Budget recommendations limiting its usage on government-owned devices. New York City’s actions are now consistent with those of the federal government. Although TikTok had previously outlined its plans to guarantee the security of U.S. user data, little has been done to quench the fears of the lawmakers.
Here’s what they said
Jonah Allon, a spokesperson for Mayor Eric Adams said in a statement,
While social media is great at connecting New Yorkers and the city, we have to ensure we are always securely using these platforms. NYC Cyber Command regularly explores and advances proactive measures to keep New Yorkers’ data safe.
Scott Reif, a spokesperson for the state Office of Information and Technology stated,
We seek to meet people where they are and remain vigilant in protecting critical state assets, and urge New Yorkers to use caution when using TikTok and all social media platforms to protect their privacy and security.
Three years ago, TikTok and 49 other Chinese apps were first blocked in India, one of the pioneering nations to do so. Following suit, earlier this year New Zealand and Canada implemented preventative measures to block TikTok from some government-owned devices. They explained it away to app users’ privacy and data worries. Social networking applications are feeling the heat of public outrage as privacy and user information issues persist. The user policies of apps like Zoom, Google, and others had to be updated to comply with the constantly evolving legal framework governing technology. We’ll have to wait and see what happens with TikTok in the US and the business.
Read More: TikTok Being Transparent: Revealed It’s Algorithm To The World
An End To A New Beginning: French Websites Ordered To Stop Using Google Analytics
The French Data Protection Authority (CNIL) ordered three French websites to stop using the analytical audience site Google Analytics deemed to violate the General Data Protection Regulation (GDPR). The decision came to light, weeks after a similar groundbreaking decision by the Austrian Data Protection Authority. The websites have 30 days to comply or risk hefty fines up to €20 million, or 4% of the annual turnover.
Google Analytics allows you to track how many people go to your website by integrating it. For each visitor, a unique identifier is assigned. Google transfers this identifier (which is personal data) and the corresponding data to the United States.
CNIL received several complaints from NOYB about the transfer of data collected from their site visitors via Google Analytics to the United States. Max Schrems, chair of the European Center for Digital Rights (NOYB), sent these complaints to several data protection authorities (DPAs), including the Austrian and French DPAs, in 2020.
It’s no secret that many websites use Google Analytics to learn more about their audiences. With privacy laws tightening, especially across Europe, and the GDPR still being sorted out, there will be an increase in services flouting GDPR. A concern in a global economy is the potential for separate products for the EU and the U.S.
Interesting Read: 6 Data Privacy Trends To Look Out For In 2022!
Insufficient Measures under Schrems II
In the course of its evaluation, the CNIL reviewed the consequences of the Schrems II decision of the Court of Justice of the European Union on 16 July 2020, which rendered the Privacy Shield invalid. According to the Court of Justice of the European Union (CJEU), the personal information transferred to the United States could be accessed by American intelligence services if the transfers are not properly regulated.
DPA’s have concluded that transfers to the United States are currently not adequately regulated. As a matter of fact, it says that in the absence of an adequate decision, the transfer of data cannot take place without securing appropriate guarantees for this flow specifically.
However, soon it was found that this was not the case. In fact, Google has adopted additional measures to regulate data transfers when it comes to the Google Analytics functionality, but they are not sufficient to ensure data confidentiality. Therefore, French website users are exposed to risk if they use this service and their data is exported.
As a result, the first decision was issued by the Austrian DPA earlier in January, followed by the decision by CNIL in early February.
Is Europe banning Google Analytics?
The CNIL notes that as a result, the data of Internet users is transferred to the USA in violation of Article 44 GDPR. Therefore, the CNIL ordered the website manager to bring this processing in line with GDPR, so that either Google Analytics will not be used (under current conditions) or a new tool will be used that does not involve a transfer outside the EU.
The CNIL recommends that website measurement and analysis tools should only be used to produce anonymous statistics, thus absolving the controller of any consent requirements if the transfer is legal. It has launched an evaluation program to determine which solutions are exempt from consent. The French data protection authority has also issued other orders to website operators using Google Analytics. Max Schrems said,
“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”
The CNIL is widely regarded as Europe’s regulatory powerhouse. The Dutch regulator has already stated that it will follow in the footsteps of the CNIL. DPAs in Germany, Spain, Portugal, and Poland are expected to make similar decisions in the coming months, cracking down on illegal personal data transfer between the US and the EU.
Interesting Read: Amazon Blocks Google FLoC – Here’s Everything You Need To Know!
6 Data Privacy Trends To Look Out For In 2022!
Data Privacy has been a key element in the last few years in the adtech industry. With a handful of developments across the globe, the industry is facing a new regulatory landscape right now.
So, what can we expect from the data privacy landscape in 2022? In spite of the momentum, data privacy bills and amendments globally are difficult to pass and sign into law, GDPR to elevate the game while privacy spans global, preparing for privacy regulations along with a cookieless world (and companies kick the tires on alternate identifiers) remains a colossal challenge.
The regulatory action is not at par with most market changes. Many tech giants like Apple and industry groups are establishing the ground rules for consumer data privacy. Let us understand the data privacy trends in 2022.
Interesting Read: Your Ultimate Guide to Understanding the Customer Data Platform
State Privacy Legislation Continues
Well, achieving federal privacy law is most unlikely this year in the U.S. Instead, the growing “patchwork” of state privacy laws will continue. In addition to Colorado, Virginia, and California, many others are underway to pass privacy laws this session. There will be more states to contend with than now by the end of 2022.
There is an opportunity since consumer advocates, and industry representatives, want comprehensive privacy legislation. What matters is how, and what it will look like. Those sticking points must be ironed out – particularly in regards to the scope of preemption and a private right of action that will slow the process.
Co-regulation To Address Data Privacy
Self-Policing is better than no policing. Even though industry players are establishing self-regulation, they are not enough. They have not been effective and do not solve the main aim of addressing data privacy.
Gradually the tone is changing to co-regulation. Tech giants and industry groups combined with government regulations can build comprehensive consumer privacy programs to support brands’ efforts to comply with regulations. This private-public partnership can help serve the advertising ecosystem and most importantly, the consumer in the best way.
It will allow them to understand the flow of data- how to collect data, where to find it, how to use it, whom to share with, and the value of that data. This is the premise that will help companies to know those nuances and craft a solution on additional privacy requirements instead of starting from scratch each time. It will address the privacy issues without disintegrating the industry.
Time For New Solutions As Cookies Crumbles
As the cookie crumbles, companies require to determine the use of first-party data to nurture brand equity. CCPA has proposed new regulations and expressed discontent over e-mail based identifiers. This means they will be subjected to the same checks and limitations as currently placed on cookie ID’s and other identifiers.
In a cookie-less world, the companies that will focus on building brand equity to boost consumer trust. Businesses understand that poor accountability and misuse of data will stymie their brand equity and trust among consumers.
Focus On Privacy Centric Tech
The focus of 2022 will be privacy-enhancing technology. Techniques like clean rooms are here to stay as a privacy-centric tech solution. Few other technologies that are gaining popularity are differential pricing and homomorphic encryption along with synthetic data in the privacy-laden environment. As these solutions become more widely available, companies will have to understand the underlying technology and its implications before choosing which to integrate into their system.
Interesting Read: Clean Rooms Explained: How Marketers Can Prepare For Cookieless World
Big Tech And Their Stringent Policies
Big tech platforms and walled gardens will continue to roll out stringent policies for consumer privacy. However, these privacy-enhancing policies and solutions mostly benefit them . They’re focusing their applications on their consumers and the data they collect within their walled gardens. In the open web or across the ecosystem, they are not helping advertisers, publishers, developers, or consumers. Many companies are not ensuing the regulations meaningfully.
As an example, Apple started requiring opt-in consent for Apple to use data for ad personalization earlier this year, in line with its AppTrackingTransparency policies for app developers.
There are more companies offering advanced privacy solutions to consumers without attracting competition scrutiny. Recently, Twitter announced that it will not allow sharing of photos and videos without consent except for public information.
Global Privacy Wave Grows
There is a growing trend worldwide for countries to adopt some form of data privacy legislation, often using the GDPR as a model and adapting it to their own specific market. As a result of the GDPR, the EU set the standard for privacy for other countries like Canada, Saudi Arabia, and China to follow. Likewise, India is updating its privacy laws. States in the US are also attempting to tackle this issue – such as California’s CCPA. Privacy and data protection laws are likely to continue growing around the world in the coming year. If companies want to serve global markets effectively, they will have to navigate a much wider range of privacy issues than just the U.S.
In a nutshell, consumers have made it clear that they don’t want to be tracked at the user-by-user level. Global legislation will increasingly emphasize this principle. Regulatory frameworks in all markets will continue to challenge geo-location-based methods of tracking and targeting.
Interesting Read: 5 Ad Industry Trends That Are Likely To Unveil in 2022!
OpenX Fined $2M for Violating Children’s Data Privacy Law!
The FTC (Federal Trade Commission) announced a $2 million settlement with OpenX, a programmatic advertising platform, for allegedly gathering personal information from children under the age of 13 without parental consent.
The Department of Justice accused the California-based corporation of acquiring geolocation data from consumers who expressly asked not to be followed through the opt-out option, according to the complaint filed on behalf of the FTC.
According to the lawsuit, OpenX, which runs a real-time bidding platform for providing ad space on websites and mobile applications, violated the FTC’s Children’s Online Privacy Protection Act Rule (COPPA).
Interesting Read: Facebook Advertisers Battle Ad Results After Apple’s Privacy Changes
Before collecting, using, or disclosing personal information from children under the age of 13, websites, apps, and other online services that are child-directed or intentionally gather personal information from children must warn parents and obtain their consent.
Hundreds of child-directed applications were inspected by the FTC, and it was discovered that these apps engaged in the OpenX ad exchange, which gathered personal information from children under the age of 13, in violation of the COPPA Rule. The FTC claims that OpenX collected personal data and then passed it on to third parties who used it to serve advertising to these app users.
While OpenX said via a blog post that “to put it plainly, it was a mistake”, FTC commented on the issue –
“OpenX has received millions, if not billions, of ad requests directly or indirectly from child-directed Apps, and transmitted millions, if not billions, of bid requests containing personal information of children to OpenX’s demand-side partners. These requests included location information and persistent identifiers used for online behavioral advertising.”
This agreement demonstrates how US regulators are actively scanning and monitoring digital ad marketplaces, data collecting, and privacy issues on the internet.
Also Read: Outbrain Launches New Native Advertising Header Bidding Capability