Q&A with IAB evp and general counsel Michael Hahn on the lively privacy regulation landscape

Do not envy Michael Hahn. As the recently promoted evp and general counsel of the Interactive Advertising Bureau — with a remit that also spans IAB Tech Lab and Trustworthy Accountability Group — the longtime antitrust lawyer is a central figure in the digital advertising industry’s efforts to comply with privacy regulations as regulatory activity ramps up. And that activity has really been ramping up in the past year.

Last summer, regulators in the U.K. took oversight roles in Google’s Privacy Sandbox initiative to replace the third-party cookie. In the fall, the California-formed agency charged with enforcing its privacy law, the California Consumer Protection Act, appointed a vocal critic of targeted advertising, Ashkan Soltani, to lead it. And then this year, the Belgian Data Protection Authority ruled that IAB Europe’s Transparency and Consent Framework — which was designed to help companies comply with the General Data Protection Regulation — was unlawful. Oh, and now the European Union is nearing the passage of the Digital Markets Act that would, among other things, limit the use of personal information for ad targeting without consent.

So yeah, Hahn has a lot on his plate. But he carved out some time to speak with Digiday about how he’s managing that workload, including an effort to amend part of the IAB’s CCPA Compliance Framework for Publishers and Technology Companies to reflect amendments being made to the law that will bring marketers into the fold.

The interview has been edited for length and clarity.

You seem to have as busy of a job as ever. The digital ad industry is still sorting out alternatives to the third-party cookie as well as similarly unstable means of identity tracking like the IP address. And then the Transparency and Consent Framework has been found to be unlawful, and California has updated its privacy law and now has an agency tasked with enforcing that law. Europe seems on the verge of passing the Digital Markets Act. How do you rank the work you’re having to prioritize at the moment?

Last year, the biggest project we worked on was the Cross-Jurisdiction Privacy Project. That involved us pulling together 150 lawyers from 11 countries around the globe to accomplish two things. One is we created a compendium of how privacy laws in those 11 jurisdictions apply to digital advertising. And the second part of our project was to say, “Can we create essentially legal specifications that could become inputs to the IAB Tech Lab’s technical specifications that are being built into the Global Privacy Platform for there to be a concatenated string that can cover all of these countries?”

And then phase three is, Is there a policy that could sit on top of the technical specifications? Think of IAB’s CCPA Compliance Framework or IAB Europe’s TCF. Because the technical specs communicate how industry participants essentially transmit the consumer privacy preferences in a manner that’s compliant with applicable local law. Those are like the pipes. But it doesn’t say what you need to do, what are the circumstances in which you need to send a signal and what do you need to do when you receive the signal. That’s local policy.

There’s a technical spec, but engineers don’t know how to encode for the privacy law in South Korea and Japan and Israel and Nigeria. So we partnered together as in-house counsel and with local counsel across the globe and essentially created the legal spec. 

Those legal specs, in light of what’s happened with the Transparency and Consent Framework and the Belgian DPA saying it’s in violation, that has led to companies — publishers and ad tech companies — saying to what extent are they then liable or what changes do they have to make. Basically, to what extent can they trust the TCF. I imagine that perspective could be applied to the legal specs. So what are you having to do to confirm that the legal specs will pass muster with regulators?

The issue that’s happening in Europe, really only the use of TCF, which sits on the specifications themselves. So, bearing in mind that this is all still subject to appeal in the market courts, the question is does the [Belgian DPA’s] decision, in some way, implicate the legal and technical spec for South Korea or Nigeria or anywhere else? And the answer is no. They have their own sets of laws. What we’re talking about is the plumbing that a policy sits on top of. Granted, the plumbing is complicated stuff. But the Data Protection Authority in Europe didn’t question the plumbing. They questioned how the plumbing was used in the TCF that sits on top of it.

They effectively questioned the interpretation of the GDPR as applied to the plumbing of the TCF.

They talked about OpenRTB and the use of programmatic advertising. But at the end of the day, they said IAB Tech Lab’s OpenRTB specification, that they were not a joint controller in this. So they were clear about that. But would IAB Europe, if it were indeed a joint controller, would new information need to get communicated through a specification? Sure. And I think the specification could certainly accommodate that. But I don’t think that in any way impacts what might be done in South Korea. What we’re doing is providing a compliance opportunity in the jurisdiction. We’re saying, “Hey, if everyone builds to this technical specification, you can actually communicate what that consumer’s privacy preference is.” 

Where I’m coming at with this is: California with the IAB’s Limited Service Providers Agreement, I remember in late 2019 having conversations with publishers and ad tech companies; some thought, “Great, this is going to help us maintain compliance,” and others were wary of whether it was actually going to pass muster with regulators. And so now TCF didn’t pass muster with regulators. And last year Google with Privacy Sandbox seemingly said, “OK we can’t necessarily trust that our interpretations are going to pass muster with regulators, so we’re going to bring in the CMA and ICO in the U.K. and have them take an oversight role.” So with all the work you’re doing at the IAB, are you bringing the regulators in a similar fashion to what Google’s doing with the ICO and CMA?

We anticipate that we’re going to [engage] with the regulator, and that’s going to happen at some point in the future. But if there are no guarantees in life of anything, one thing I do know is that if we do nothing, we definitely have a compliance problem. So we have to be focused on trying to build solutions. We have to begin to come up with a framework now because waiting till the end of the year is not enough time. We don’t have regulations yet, so we’re going to have to build what we can now and see how they pair with the regulations and figure out what do we need to change or what do we need to adjust once the regulations come in. So there [are] a lot of pieces that need to fall into place before you have that kind of dialogue. And of course, this also needs to be done in a consensus-driven manner that serves the various parts of the ecosystem from publishers and ad tech to agencies to brands.

Let’s talk about CCPA. Now there’s the California Privacy Rights Act that amends the CCPA. What changes, if any, have been made or need to be made to the CCPA Compliance Framework in light of CPRA?

The existing framework is designed to be signed by principally publishers and ad tech companies. Because of the changes to CPRA, we’re going to need marketers to sign on for their first time. That’s going to be an important change. If we want to be able to do things like measurement and frequency capping, we’re going to need marketers and publishers to be able to jointly designate service providers to act on their behalf. That’s critical to just do the basic functioning aspects in digital advertising.

What’s the timeline for getting marketers on board?

This is a consensus-driven process. So I like to think about it as a maybe more productive version of [the] congressional legislative process. We’re engaged right now through this State Privacy Law Summit series in educating brands and trying to drive consensus. We’re talking about going through data flows together. We have a dozen data flows; we’re going through step by step and talking about how does CPRA apply to each step in these data flows. Is it a sale [of information]? Is it a share [under] CCPA? That education has to be done as part of the process. And we’re going to begin also educating on the structure of the amended Limited Service Provider Agreement. The work has already begun. In fact, we’re deep into it.

Is the amended Limited Service Provider Agreement already out?

There’s a first amended Limited Service Provider Agreement that exists. This would be the second amended Limited Service Provider Agreement that would account for CPRA.

Is there a deadline for that? In a way, CPRA has already taken effect, though it doesn’t become “operative” until January 1, 2023.

We are trying to target an implementation date for January 1. The question is how do we get there in a consensus-driven manner. We’re making a lot of progress. We pulled together the measurement companies. We’re spending a month engaged in a three-part series with brands and agencies. We’re going through data flows. We’re talking about what the amended LSPA is going to look like. We’re gaining input. I don’t want it to be Q4 that an LSPA comes out. I want it to be as early in the year as possible. I can’t tell you if that’s going to be May or that’s going to be August. My goal is, obviously, to make sure that it’s earlier rather than later so everyone has a clear set of understandings and expectations and can talk with their outside counsel about this and mull it over.

On that consensus-driven approach, California now has the enforcement agency headed up by Ashkan Soltani. Do you expect to be or are you already working to have Ashkan Soltani and his agency somehow involved in this consensus-level approach to the second amended version of the LSPA?

When I use the term consensus-driven, we’ve got to get consensus among the brands, agencies, ad tech companies, publishers. Engaging the regulator, you need to have a plan in place. We also need to know what the rules are. So all of [these] pieces are not in place at present to have that engagement. But we expect to have that engagement. But it’s almost impossible for us to do it at this particular point in time where there are these variables that still exist.
