Privacy lawyers and ad tech folks often don’t speak the same language. But at least now they’ve got an acronym in common: MSCA.
It stands for “Multistate Substantial Compliance Assessment,” and it’s a new tool developed by privacy compliance startup SafeGuard Privacy that businesses can use to do vendor due diligence and manage their compliance with multiple comprehensive state privacy laws.
And we’re up to a whopping 19 state privacy laws in the US now. Or is it 20?
Who’s counting?
The number of state privacy laws is oddly difficult to count.
A few days ago, I chatted with Richy Glassberg, the CEO and co-founder of SafeGuard Privacy, to get more information about the MSCA.
He was in the midst of explaining that the new MSCA questionnaire takes a “high bar” approach, meaning it uses the strictest standards from different state privacy laws as the basis for its assessment questions.
That way, companies can meet their compliance requirements without having to do a separate assessment for each state. “Trying to do that would be really difficult,” Glassberg said, “but it also becomes kind of unnecessary as we see more and more overlap between the laws.”
“We’ve gone from over 2,000 questions to under 200,” he told me, referring to the MSCA, “so now you can do due diligence on your partners with one assessment which covers all 19 US states that have comprehensive data privacy laws, and –”
I cut him off. “Wait, Richy. Aren’t there 20 state privacy laws in the US?”
He paused. I paused. We didn’t know.
He told me he’d ask a lawyer friend and get back to me later, which he did. And guess what? There’s no concrete answer! 😂
For example, does Nevada’s rather flimsy privacy law count as comprehensive? Should Washington’s My Health My Data Act be on the list? It’s strict, but it only focuses on health data. Florida has a data privacy law – but it only covers business with over $1 billion in annual global revenue that also derive at least 50% of their revenue from selling online ads, which excludes a lot of companies.
The point is this: It’s chaotic and confusing out there when we can’t even agree on how many privacy laws there are in the US!
Overdue diligence
Navigating this complex legal landscape is a big challenge, and it’ll only get tougher as more US states pass data privacy laws.
The MSCA, which is part of the IAB Diligence Platform, took roughly eight months to develop, according to Glassberg, but it’ll be a much faster process to add new laws to the assessment, because the construct is already in place.
“We’ve mapped out all the obligations and, truth is, most new states pretty much follow what others have done,” he said. “And if they don’t, we can highlight those obligations differently.”
Some “high bar” questions apply to all businesses, such as one about a company’s policies and procedures for granting a request to delete. Other questions can simply be left off the assessment depending on the business.
If a company doesn’t touch health-related data or children’s information, for example, there’s no need to waste time asking them detailed questions about how they handle it.
Businesses that use the platform get notifications whenever there’s an update to regulations, a vendor changes its practices or anything else happens that requires action.
Using the MSCA, Glassberg estimates that businesses can reduce the amount of time they spend managing their own compliance and assessing third-party partner liability from weeks to around a day or two.
But the time savings aside, it’s high time – actually, it’s past overdue – for businesses to check themselves before they wreck themselves, regardless of the compliance technology they decide to use.
“The reality is that, COPPA aside, we’d been living in a mostly unregulated environment,” Glassberg said. “But now we’re operating in a heavily regulated industry – it’s a different world, and people need to wake up.”
🙏 Thanks for reading! And please take a moment to watch the best ad of all time. It’s a bona fide classic that privacy professionals can no doubt relate to. As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
🎟️ In other news, it’s time to get your tickets to Programmatic IO: Innovate, May 19-21 in Las Vegas. We’ve got lots of good stuff on the agenda, including a session with Daniel Goldberg, a partner at Frankfurt Kurnit, on how to recognize red flags when companies are promoting their supposedly “fully privacy safe” or “100% CCPA compliant” solutions. See you there!
