Key Points
- The IAB updated its Multi-State Privacy Agreement for the first time in three years to reflect new U.S. state privacy laws and enforcement trends.
- The revisions aim to simplify compliance for advertisers and ad tech partners by reducing contract friction and clarifying roles in data processing.
- The framework also streamlines opt-out handling and establishes a standardized compliance baseline across the digital advertising ecosystem.
The Interactive Advertising Bureau (IAB) this week said it made significant improvements to its Multi-State Privacy Agreement (MSPA) to take into account new state laws and their privacy-related requirements.
The overhaul is the first major evolution of the MSPA in three years, and aims to simplify and streamline privacy compliance for advertisers and their partners across the digital advertising ecosystem, the IAB said in a statement on Wednesday.
The updated MSPA is designed to help companies navigate an increasingly complex landscape of U.S. state privacy laws by simplifying contractual requirements, reducing negotiation friction between partners and strengthening consumer data protections. The changes come as regulators across several states intensify enforcement efforts around how companies collect, share and process personal data.
Advertisers face growing legal and operational risks as consumer information flows through agencies, ad technology vendors, measurement firms and other downstream partners involved in digital advertising campaigns.
Recent enforcement actions by state and federal regulators have made it clear that advertisers remain responsible for safeguarding consumer data even when it is shared with third parties for marketing or analytics purposes, the IAB noted.
“This update makes the MSPA an even more powerful tool for the digital advertising ecosystem,” said David Cohen, the Chief Executive Officer of the IAB. “In a time of increasing enforcement and complexity, we’re giving advertisers and their partners a clear, trusted framework that simplifies compliance, accelerates collaboration, and protects them in a meaningful way. As adoption grows, the value multiplies—creating a shared standard that helps the entire industry move faster, with greater confidence, while reinforcing consumer trust and supporting the ad-supported internet people rely on every day.”
Among the most notable changes is a streamlined structure intended to make the agreement easier for brands and technology partners to adopt. The revised framework clarifies how ad technology providers may process personal data and establishes a consistent compliance baseline across covered transactions, reducing the need for custom contract amendments or repeated negotiations between companies.
The updated agreement also formalizes clearer roles for advertisers and their ad technology partners. Under most applicable state privacy laws, ad tech companies receiving personal data through MSPA-covered transactions will generally be treated as service providers to advertisers, aligning with common industry practices and reducing uncertainty around vendor responsibilities.
In addition, the revisions aim to simplify operational requirements when consumers choose to opt out of data collection or targeted advertising. Under the MSPA, advertisers are not required to build or deploy new technical signals to manage opt-out preferences. Instead, partners may continue using suppression-based approaches that limit data use while maintaining essential advertising functions.
The framework also preserves flexibility for targeted advertising use cases that must be treated as third-party data sharing under the California Consumer Privacy Act (CCPA), while maintaining contractual safeguards and purpose limitations intended to ensure compliance.
State regulators have increasingly emphasized the need for strong contractual controls around consumer data. Recent California enforcement actions involving Healthline Media and Honda tied to the CCPA highlighted shortcomings tied to missing or inadequate privacy terms in contracts, IAB said. In the Healthline case, regulators indicated that adopting MSPA-aligned provisions could help restore compliance with state privacy rules.
The MSPA is available to any company participating in digital advertising, regardless of IAB membership. To review the updated MSPA, click or tap here.
