On July 22, 2021, IAB’s Legal Affairs in partnership with OneTrust and BakerHostetler published a compendium outlining findings from its Cross Jurisdiction Privacy Project (CJPP). The project kicked off in 2020 to explore the privacy laws of 11 countries around the world and determine how the different requirements apply to digital advertising participants and the transactions they typically undertake. Ultimately, the end goal is for the IAB Tech Lab to take these findings and create a global string that IAB participants can use to communicate consent and preference in a way that is compliant with multiple jurisdictions.
Download the report: IAB Cross Jurisdiction Privacy Project Compendium
What’s in the IAB Cross Jurisdiction Privacy Project Compendium?
The compendium was created with the help of 150 lawyers from around the globe along with OneTrust DataGuidance helping to identify specific requirements and BakerHostetler’s legal support and working groups.
As you deep dive into the compendium’s ten chapters, you’ll gain insight into:
- The statutes, guidelines, and case law relevant to digital advertising activities;
- Whether and when publishers’ and advertisers’ data processing activities trigger the extraterritorial reach (if any) of the privacy law;
- Key privacy law definitions, including what it means to “collect” personal information and who (the publisher or ad tech company) is deemed to collect personal information when a publisher allows an ad tech company to integrate with its digital properties;
- Whether pseudonymous identifiers, such as mobile advertising IDs, IP addresses, hashed email address, or publisher IDs, constitute personal information, either alone or in combination with other information about a data subject;
- Data controller obligations, including the notice requirements for sharing personal information with third parties for advertising purposes, and the specific digital advertising activities or purposes that must be disclosed to data subjects; whether and what type of consent must be obtained for different types or uses of data; and the available legal bases for specific digital advertising activities;
- The rights available to data subjects and which entities in the advertising chain must provide those rights;
- Contractual requirements for processors to provide digital advertising services on behalf of data controllers, and the cross-border transfer limitations and obligations when ad tech data recipients are in a different jurisdiction;
- Audit, accountability, data retention, and data protection officer requirements for parties in the ad-tech ecosystem;
- The scope of liability for ad-tech companies for the collection activities of publishers and advertisers, and vice versa; and
- Pending privacy bills and regulations that may change the digital advertising landscape if (or when) they go into effect.
Related reading to the IAB Cross Jurisdiction Privacy Project Compendium:
- OneTrust DataGuidance Resources: IAB Cross-Jurisdiction Privacy Project Compendium
- IAB Press Release: IAB Releases Cross-Jurisdiction Privacy Project Compendium and Legal Specifications
- OneTrust DataGuidance Guidance Notes: Cookies & Similar Technologies