MSPA stands for Multi-state Privacy Agreement and refers to IAB’s contractual framework, aimed at assisting all parties of the digital advertising ecosystem in their efforts to comply with an array of privacy regulations in several U.S. states, which are coming into effect in 2023. 

The Story Behind MSPA

Since the new privacy laws, which are coming into force in 2023 in five U.S. states, i.e. California, Colorado, Connecticut, Utah and Virginia, introduce stricter regulations regarding the processing and use of End Users’ Personal Data for online advertising purposes, IAB has come forward with its new initiative, which should help all parties involved in the digital ad supply chain ensure their compliance along the way – MSPA.

Designed to work in conjunction with the U.S. State privacy signals and the IAB’s Global Privacy Platform, MSPA, in fact, does NOT present any kind of the so-to-speak template agreement. Instead, it implies the signatories’ obligation to set, send & receive, and honor a range of privacy signals, which would demonstrate how a business (e.g. a publisher) is complying with the new U.S. state-level regulations (e.g. indicate the display of a privacy notice to End Users, notice viewers’ choice to opt-in/opt-out of targeted advertising, etc.).

What’s Inside MSPA

MSPA introduces two key modes to treat the transactions, covered by MSPA, as selected by the first party (publisher/advertiser): a service provider mode and an opt-out choice mode. 

Namely, operating in the service provider mode does NOT allow any sale or sharing of End Users’ Personal Data, or its use for targeted advertising purposes. Instead, what it does allow is the first-party advertising activities (including frequency capping and negative targeting), ad measurement and ad fraud detection, for instance.

Meanwhile, operating in the opt-out choice mode enables the wide scope of activities for the first parties, based on the End Users’ relevant privacy choices, while the downstream participants (ad servers, SSPs, etc.) in the online ad supply chain act as service providers, accordingly, if a consumer decides to opt out of the sale and/or sharing of their Personal Data, and/or targeted advertising. 

Frequent Use Cases 

One of the vivid use cases that MSPA should cover is creating a network of contractual partnerships between publishers, advertisers and their advertising tech providers, e.g. ad servers that currently don’t have any contractual agreements between themselves in place, which cover the legal terms of “sale” and/or “sharing” of Personal Information. . 

The trick is, according to California Privacy Regulation Act (CPRA), which came into effect on January 1, 2023, for instance, such contracts ARE legally required, in case of the sharing or sale of End Users’ Personal Data to service providers (and disclosure of users’ IP addresses to advertisers’ ad serving vendor in this case is likely to be defined as “sharing of Personal Data”, according to CPRA). 

Perspectives of Adoption

As mentioned before, MSPA doesn’t introduce any kind of a model contract, hence is not obligatory for signing by publishers, advertisers and/or other parties involved in the digital advertising supply chain. 

However, the framework might be beneficial for IAB’s GPP users, who wish to streamline their path to compliance with the new U.S. state privacy laws without extra hassle. 

At this point, though, the potential scale of MSPA adoption by publishers and advertisers remains unclear.

Back to Glossary