Consumers who want to exercise their right to have their personal data deleted can do so by submitting a request to the company that has their data. These requests can be complicated since they involve deleting data from multiple places. The process can be daunting without an industry standard for handling these requests. IAB Tech Lab is working to reduce the complications by standardizing the process.
Everyone in the ad tech industry seems to be talking about user privacy right now, from how to deal with new regulations to how we interact with consumers’ information online, which will change digital advertising.
A regulation that began as part of the California Consumer Privacy Act, known as the “right to delete,” entitles consumers to ask companies to delete all of their digital data, with some exceptions. This regulation is becoming a privacy standard, necessitating expanding the way our industry addresses these requests.
There is currently no industry standard for completing data deletion requests. To address this, IAB Tech Lab recently called for public opinions and comments to help develop an industry-wide data deletion standard. The comments will inform how IAB Tech Lab moves forward to create a new framework to simplify the process and ensure compliance with privacy laws.
We caught up with Rowena Lam, IAB Tech Lab’s Senior Director of Privacy & Data, to see how they conducted this research, the findings, and the following steps to make a standard Data Deletion Request Framework a reality.
Kacey Perinelli: Can you give me an overview of data deletion requests, what systems currently handle them, and how they fit into the privacy landscape?
Rowena Lam: There isn’t a comprehensive framework to handle these requests throughout the digital ad media ecosystem. We’re seeing players in the ecosystem having to come up with very bespoke solutions because there is no framework to handle these requests. We have yet to finalize the data deletion request framework that we’ve proposed, but it creates a standardized approach to communicate deletion requests. This is particularly relevant as we’ve seen a lot of focus on consumer privacy rights globally. This is both from a consumer perspective and a regulatory standpoint.
Some of the industry understands, but not everyone understands how much of a challenge dealing with data deletion requests truly is. With no standard framework, everybody’s doing their own thing. In most cases, when a consumer requests the deletion of their personal data, it’s not just one organization affected. Organizations utilize service providers and have CDPs, so other systems need to be touched, and in some cases, this is a manual process. A framework like this helps the industry speak the same language and ensures everybody is implementing this in the same way, removing the challenge for them to properly delete the consumer’s data and do it promptly.
KP: Why is it important to have an industry standard for these requests? How will standardization benefit both the ad tech industry and consumers?
RL: There are a few crucial reasons the industry needs standardization for this. The overarching reason is that it provides a practical approach and implementation for handling these deletion requests, which are pretty sensitive because we’re talking about consumers’ personal data. Standardization ensures a consistent approach across the ecosystem, specifically for the ad tech industry; it simplifies their compliance with these privacy laws. The framework is regulation agnostic, which is an added benefit.
This will ultimately help the ad tech industry continue to foster increased trust with consumers, which is an industry priority. This provides a consumer benefit even though this isn’t a consumer-facing mechanism, per se. It ensures the industry has a more efficient and reliable process for making sure that when the consumer reaches out and wants to exercise their data deletion rights, the deletion request can be communicated appropriately throughout the ecosystem. This ensures that the personal data they want deleted is actually deleted as required by law.
KP: Without revealing any names, can you tell me how many and what types of companies contributed their insight to creating the standardized framework?
RL: A diverse range of global businesses participated in the original drafting of the data deletion request framework. As we entered a public comment period, we received feedback from a diverse range of organizations, from startups to major industry players, spanning the entire supply chain. That active involvement from these different companies highlights the engagement in shaping this deletion framework.
KP: How did IAB Tech Lab work to incorporate the many suggestions it received in a way that will be universally applicable?
RL: When we released this, it started with a 30-day public comment period, where we looked for contributions from the perspective of organizations of all sizes. The feedback that we received was mostly positive and sat in a couple of key thematic areas. It touched on subjects like data elements, communication, protocols, signatures, key encryption, acknowledgment of requests, and identifiers. We’re currently working on incorporating these comments to ensure that the framework is universally applicable and that none of these specific vital thematic areas are overly complicated. This guarantees that smaller players, for example, can also utilize the framework.
KP: You noted four thematic areas that IAB Tech Lab is focusing on as it proceeds to create this standardized framework. Going in, did you know if these would be the key areas to focus on?
RL: These themes were already in our minds during the drafting process, and some of the areas are specific to the Object Parameters and API fields: signature keys and encryption, validation, acknowledgment of the requests, and identifiers. The feedback from the public comment period is informing the details of how they could work. That’s helping expedite the finalization of this standard and help us ensure that when we finalize the framework, it addresses the use cases we’re looking to address.
KP: What is the next step to creating the standardization and ensuring it works universally?
RL: The next step for us is to incorporate these specific pieces of feedback in those four thematic areas that I mentioned directly back into the specification. Then, working with the framework’s “working group,” which includes industry representatives, we will reach a final specification that the entire industry can adopt.
We will release a final version once we incorporate all this feedback into the specification. I anticipate that folks will start to adopt, which they can do as soon as we release that final version.
It is very, very exciting. There’s been plenty of engagement. This is a huge positive because it indicates real alignment, at least around the topic. There might be disagreements about the details and specifics of how we view some of it, but there’s a general alignment on the framework itself.