A new era of data protection was ushered in when India’s Digital Personal Data Protection Act (DPDPA) went into effect on August 11, 2023. Digital advertising is anticipated to be significantly impacted by the law. To update the DPDPA 2023-specific details, the IAB Legal Affairs Council plans to form a dedicated working group. It will be formed under the Cross Jurisdiction Privacy Project (CJPP) – India. Meanwhile, brands and agencies will collaborate to understand how they must comply with the new legislation.
IAB’s global collaboration
IAB, IAB Tech Lab, and IAB Southeast Asia and India teams will make up the India chapter. It started a cooperative process in February and requested everyone’s approval before going public. It has asked for collaborative input from all members. This is especially policy teams, on comprehending and interpreting Indian law for the Global Privacy Platform (GPP). This has led to the creation of the GPP. It combines regulations from the General Data Protection Regulation (GDPR) and other sources. Furthermore, it ensures that multinational corporations operate seamlessly across regulatory landscapes.
Global members of the IAB Tech Lab are inherently included in this working group on technology and policy. These include industry heavyweights like Google and The Trade Desk (TTD). But its objective is to promote involvement from companies that are specific to India, like brands and local ad tech providers like ESPs or proprietary ad stacks like The Times of India.
Valuable local and international insights
It is anticipated that the upcoming CJPP – India chapter will give professionals from both local and international businesses valuable insights into how India’s recently passed privacy law is being implemented in the digital advertising industry. Its main goals are to update the CJPP – India chapter and provide legal inputs to improve the Global Privacy Platform (GPP) technical specification by the IAB Tech Lab. The latter will include a special section that addresses the implications of the DPDPA.
CJPP provides a summary of digital advertising regulations across several jurisdictions, including the US, Europe, and Brazil. It was developed following a thorough policy analysis based on regional legislation, such as India’s DPDPA, in cooperation with local IABs in the US and Europe. Currently, that cooperation is being expanded to include IAB Southeast Asia.
According to Michael Hahn, EVP & general counsel, IAB Tech Lab, the chapter in the CJPP compendium needs to be revised to better reflect the new legal framework. The DPDPA raises the bar for privacy regulations in the industry. Moreover, it highlights how important it is to consider how to communicate customer privacy preferences throughout the digital ad ecosystem. It aims to improve the legal inputs for the GPP technical specification to establish accountability. As a result, publishers, ad tech intermediaries, and advertisers will be able to connect seamlessly and ensure that consumer privacy preferences are followed in compliance with local laws.
The CJPP has been one of Hahn’s most important initiatives. According to him, the project’s goal is to simplify legal comprehension and communication in the intricate world of international digital advertising.
IAB Tech Lab’s executive vice president, product, and chief operating officer Shailley Singh stated that the country’s new digital laws have made the establishment of an Indian chapter imperative.
Handling personal data with IAB Tech Lab
It is anticipated that the legal inputs for the India section of the IAB Tech Lab’s GPP technical specification will enable industry players to send out signals about the proper handling of customer personal data. Contractual agreements can utilize this information to incorporate assurances and guarantees about these signals. Furthermore, it is anticipated that this procedure will establish the foundation for a technical framework. This will guarantee market compliance.
IAB Tech Lab will encode the results into a transparency and consent string after CJPP and policy formulation. This string permits usage for things like behavioral advertising and data selling. Responders are informed of acceptable data usage and advertising when this encoded string is sent along with the ad request, which is selected by the user.
Here’s what they said
Shailley Singh, executive vice president, product and chief operating officer, of IAB Tech Lab said,
This chapter will address the impact on the framework, creating specific elements for India to be integrated into the GPP, ensuring uniform functionality worldwide. The challenge is to align the consent management framework with the global standard. Our approach involves active engagement with our member community and not isolated decision-making. This process ensures a thorough collaboration, incorporating diverse perspectives and legal interpretations. We invite all entities in the advertising realm—publishers, agencies, brands, and Indian ad tech companies—to actively engage in this initiative
Furthermore, she added,
Previously, we adhered to an international framework, but now, with the need to adapt to India’s laws, adjustments are required. The GPP includes a general header for ad origin and consent details, with specific sections for each jurisdiction. A dedicated section for India will be added, ensuring accurate decoding of user permissions from the numerical string when impressions are served in India.
Michael Hahn, EVP & general counsel, IAB Tech Lab commented,
Collaborating with IAB Southeast Asia and India, our objective is to offer the market an initial understanding of how the new Privacy Law applies to the digital ad industry. Drawing on our expertise in understanding data flows, we aim to provide an in-depth analysis, building on our prior work in 11 jurisdictions. Given the timing, this analysis stands as one of the earliest post-law implementation publications. The genesis was a practical problem – the disconnect between Chief Privacy Officers of global companies based in the US and local lawyers engaged overseas. It aimed to bridge this gap by analysing privacy laws within the digital ad use case, addressing concerns around identity, personal information, and data storage. Establishing working groups over a year, we navigated complexities across 11 global jurisdictions