IAB Multi-State Privacy Agreement (MSPA) Update 2026: What Advertisers Need to Know

By Vault JS | March 20, 2026

MSPA 2026 update showing progression of amendments from 2023 to advertiser provisions

The IAB’s Fifth Amended Multi-State Privacy Agreement introduces advertiser-specific provisions designed to close the contractual gaps that state regulators have already penalized. The updated MSPA takes effect June 2, 2026, and represents the most significant revision to the framework since its launch.

On March 4, 2026, the Interactive Advertising Bureau (IAB) announced the most substantial revision to its Multi-State Privacy Agreement (MSPA) since 2023. As state privacy law enforcement accelerates and cure periods expire across multiple jurisdictions, the contractual infrastructure governing how personal data moves through the digital advertising ecosystem is now a direct target of regulatory scrutiny.

The revised version introduces changes aimed squarely at advertisers, addressing the specific contracting and operational pain points that recent enforcement actions have exposed. For privacy and compliance teams managing vendor relationships across an expanding patchwork of state privacy laws, this update warrants close examination.

For more information on the updates from IAB, register for their webinar on March 19, 2026.

What Is the IAB Multi-State Privacy Agreement?

The MSPA is a standardized contractual framework developed by the IAB to help advertisers, agencies, ad tech vendors, publishers, and measurement providers comply with U.S. state privacy laws. It is not a model contract or template. Instead, it functions as a set of privacy-protective terms that spring into place among signatories as personal data flows between them for digital advertising purposes.

Any company participating in digital advertising can sign on to the MSPA, regardless of IAB membership. The agreement supplements existing commercial contracts with the privacy terms required by law, and fills gaps where no contracts exist for certain data flows. It works in conjunction with IAB Tech Lab’s Global Privacy Platform (GPP), though the revised advertiser provisions do not require GPP signal implementation.

The core problem the MSPA addresses is structural: the digital advertising supply chain involves dozens of intermediaries, and state privacy laws (particularly the CCPA) require specific contractual terms governing each data disclosure. Maintaining bespoke data processing agreements (DPAs) across every vendor relationship has proven operationally difficult for many advertisers, and recent enforcement actions have exposed exactly where those gaps create liability.

Why State Regulators Are Now Scrutinizing Advertising Vendor Contracts

The enforcement catalyst behind this update is worth examining. California regulators have issued a series of enforcement actions where the absence of adequate privacy terms in vendor contracts was a central allegation, not a secondary finding.

In the Healthline Media settlement ($1.55 million), the California Attorney General alleged that Healthline failed to impose proper limitations on how downstream partners could use personal information collected from its visitors. Notably, regulators highlighted that Healthline could return to CCPA compliance in part by adopting the MSPA, noting it as one possible path toward improving contractual compliance and highlighting the level of specificity expected in vendor agreements.

The American Honda Motor Co. enforcement action followed a similar pattern: regulators requested copies of agreements with ad tech vendors and found the terms insufficient. The IAB’s companion analysis of the MSPA update also references the Todd Snyder action as part of this pattern. In each case, regulators moved beyond evaluating privacy policies and consent mechanisms to examining the contractual chain governing data flows between advertisers and their technology partners.

The table below summarizes the key enforcement actions that shaped this MSPA revision and the contractual gaps each one exposed:

| Enforcement Action | Penalty | Key Contractual Finding |
|---|---|---|
| Healthline Media (CA AG) | $1.55M | Failed to impose downstream use limitations on ad tech partners; regulators noted MSPA adoption as a path back to compliance |
| American Honda (CA AG) | Settlement | Vendor agreements lacked CCPA-required privacy terms; regulators requested and reviewed ad tech contracts |
| Todd Snyder (CPPA) | $345K | Cookie consent tool malfunctioned for 40 days; vendor contracts lacked required specificity |
| Tractor Supply (CPPA) | $1.35M | Vendor contracts used generic data protection language instead of CCPA-specific terms |

For organizations that have treated data processing agreements as a checkbox exercise, these actions represent a material change in enforcement posture. Vague contractual language (permitting data use “for purposes contemplated under the agreement” or “for internal uses”) no longer meets the standard regulators are applying under the CCPA and related state privacy laws.

How the Revised MSPA Changes Advertiser Compliance

The updated MSPA addresses four operational areas that have created compliance friction for advertisers managing data disclosures to ad tech partners:

Closing contractual privity gaps. Advertisers frequently lack direct privacy terms with the ad tech vendors processing their data. When an agency contracts with a demand-side platform or measurement vendor on an advertiser’s behalf, the advertiser may have no direct contractual relationship governing how that vendor handles personal information. The CCPA requires direct privacy-related terms between the disclosing entity and the recipient. The MSPA creates those terms automatically between all signatories that receive personal data, eliminating the need for separate negotiations with each vendor in the chain.

Clarifying service provider and third-party roles. Under the revised framework, ad tech partners receiving personal data from an advertiser default to “service provider/processor” status under applicable state privacy laws. The one exception is under the CCPA, where disclosures for targeted advertising purposes require third-party treatment. This default aligns with how most data flows actually work in practice, reducing ambiguity around vendor classification that has been a persistent source of legal uncertainty.

Simplifying opt-out compliance for advertisers. The MSPA’s advertiser provisions do not require advertisers to build or deploy technical signals (such as Global Privacy Platform signals). Instead, the framework allows advertisers to continue using a suppression approach for consumers who opt out, while partners retain the ability to perform essential advertising functions (measurement, fraud prevention, frequency capping) in a service provider capacity. This is a pragmatic accommodation: it meets advertisers where most currently operate rather than requiring a technical infrastructure buildout as a prerequisite for compliance.

Enumerating permitted data use cases. Consistent with what enforcement actions have demanded, the MSPA enumerates the specific digital advertising activities for which signatories may process personal information. This replaces the broad, purpose-ambiguous DPA language that regulators have penalized and provides the “limited and specified” purpose definitions the CCPA requires.

The Broader State Privacy Law Enforcement Context

This MSPA revision arrives at a moment when the operational surface area for privacy compliance is expanding rapidly. As of January 1, 2026, Indiana, Kentucky, and Rhode Island activated new comprehensive state privacy laws. Delaware’s cure period has expired. Montana’s expires in April. California’s new CCPA/CPRA regulations have broadened cybersecurity audit and automated decision-making disclosure requirements.

Across these jurisdictions, the pattern is the same: enforcement is moving from evaluating what organizations say about privacy to examining what their systems, contracts, and data flows actually do. The contractual layer that governs personal data disclosures to third parties is now part of that examination, and regulators have demonstrated they will request and review those agreements.

The California Privacy Protection Agency (CPPA) has also promulgated a regulation stating that whether a business conducts diligence of partners with whom it shares personal information is a material factor in determining liability for those partners’ conduct. Contractual governance and vendor diligence are converging as enforcement priorities, and the MSPA is designed to address both.

What Privacy and Compliance Teams Should Do Now

For organizations managing digital advertising privacy compliance, the MSPA update creates a practical decision point. The framework offers a standardized alternative to the patchwork of bespoke DPAs that most advertisers currently maintain across their vendor ecosystem.

  • Scope: Which data flows and partners are actually covered by MSPA transactions, and are the relevant intermediaries signatories?
      Assess whether agreements with ad tech partners contain the granular, enumerated purpose limitations that California regulators have now demanded in the Healthline, Honda, and Todd Snyder actions. Broad language like “for purposes contemplated under the agreement” or “any business purpose” has been explicitly rejected as insufficient.
  • Purpose alignment: Do the MSPA’s “limited and specified” purposes match how partners actually process data for activities like targeting, measurement, and attribution?
      Determine whether your organization has direct privacy terms with every entity receiving personal data on its behalf, or whether those relationships are mediated entirely through agency contracts. The CCPA requires direct privity, and the MSPA provides a mechanism to establish it across all signatories without individual negotiations.
  • Role classification: Under what circumstances might a partner shift from service provider/processor status to a “third party,” particularly under the CCPA?
      Review whether ad tech partners are correctly classified as service providers/processors versus third parties under each applicable state law. Misclassification exposes both sides to enforcement risk, and the MSPA’s default role assignment provides a baseline that can be evaluated against actual data flows.
  • Opt-out controls: If using a suppression model, how are opt-outs enforced across partners, and what evidence exists demonstrating compliance?
      Confirm that your suppression approach for consumers who opt out of sales, shares, or targeted advertising is reflected in how downstream partners are contractually permitted to process data. The MSPA’s suppression-based model may simplify this alignment.

None of this is purely a legal exercise. The contracts governing personal data flows are only as reliable as the systems enforcing them. An organization can sign the MSPA, maintain compliant DPAs, and still face enforcement risk if the actual behavior of its digital tracking technologies does not match what those agreements describe. Consent management platforms that are configured but not continuously validated, pixels firing on pages they should not appear on, and third-party scripts collecting data outside the scope of contractual permissions are all examples of gaps that contractual frameworks alone cannot close.

The MSPA addresses one critical layer of the compliance architecture: the contractual governance of data flows between ecosystem participants. Organizations positioned to benefit most from it are those that also have visibility into whether their digital properties are operating in accordance with those contractual terms.

Vault JS provides continuous monitoring of digital tracking technologies and the complete Martech stack, identifying privacy and security risks across all web pages and mobile app flows, without installing code on your site or application. Request a free analysis to see where your organization stands.