Data Deletion Request Framework is the IAB Tech Lab specification, aimed at providing digital businesses with a unified, standardized way to communicate and process End Users’ data deletion requests.
What is Data Deletion Request Framework?
As one of the important additions to IAB Tech Lab’s Global Privacy Platform (GPP), the Data Deletion Request Framework is a technical specification, which provides a unified protocol for communicating and handling End Users’ requests (also known as Data Subject Requests, or short: DSR) to delete their Personal Data elements across the digital ad tech ecosystem.
From a technical perspective, the DDR Framework introduces a standardized DSR sequence and distinguishes the requirements towards the user’s 1st-party data recipient (e.g. a publisher), as well as their ad tech vendors, acting as requesters, along with the third parties, which the user’s data has been disclosed/transferred to, acting as the relevant request recipients. These primarily imply each party’s publishing of the dsrdelete.json file on their domain, which includes the relevant configuration parameters, including their public cryptographic key (used for their digital signature verification along with the private key) and the API endpoint, where the data deletion requests and/or their acknowledgement should be sent over to.
The specification also provides a detailed overview of requirements toward the data deletion request packages, including the format of End User’s personal identifiers, request & response signatures, and more.
Potential Benefits
Quite naturally, the introduced DDR Framework is primarily aimed at helping digital businesses to ensure their compliance with the data protection regulations, like GDPR, CPRA and other U.S. data privacy laws, Quebec Law 25, etc., which impose increasingly stricter requirements on companies that collect and process End User’s personally identifiable information.
In the digital advertising industry, in particular, the key benefit of the Data Deletion Request Framework implies the possibility to streamline the handling of the DSR deletion requests, particularly in case the business needs to forward them to partners, hence acting both as a recipient, and a requester at the same time.
Perspectives of Adoption
As of November 2023, the Data Deletion Request Framework is still available for public commentary, so that all players in the online advertising tech ecosystem can contribute their professional expertise in its improvement prior to its finalization.
In view of this, the market adoption of the specification won’t be happening until Q1 – Q2 2024, in the positive scenario.