Consents Covered Under MSPA

This topic deep dives into the different MSPA signals and how to understand them. The MSPA consists of privacy-protective terms that activate among a group of signatories and accompany the data as it moves through the digital advertising supply chain. For more information, see Technicalities of MSPA.

How Does the MSPA Work?

The IAB Multi-State Privacy Agreement (MSPA) is an industry contractual framework designed to assist advertisers, publishers, agencies, and ad tech intermediaries in complying with five state privacy laws that took effect in 2023 (in California, Virginia, Colorado, Connecticut, and Utah). The MSPA collaborates with the IAB Tech Lab’s Global Privacy Platform, a uniform privacy signaling specification that enables companies to communicate and honor consumer choices throughout the ad ecosystem.

The MSPA collaborates with the IAB Tech Lab’s Global Privacy Platform, a standardized privacy signaling specification enabling companies to communicate and respect consumer choices across the advertising ecosystem.

The MSPA complements commercial contracts among signatories with necessary privacy terms. In cases where no commercial contracts are in place, the MSPA sets forth the essential privacy terms mandated by law. 

Additionally, while publishers and advertisers can utilize the MSPA to encompass all their digital ad transactions, it also allows them the flexibility to engage in separate agreements with their ad tech vendors for other transactions using distinct privacy terms. These transactions would simply fall outside the scope of MSPA and not be ‘Covered Transactions’

In the next sections, you will find the different consents covered under MSPA.

Consents Covered Under MSPA

CCPA

Businesses must include a 'do not sell my personal information' link on their homepage and all web pages collecting data. The opt-out link should provide comprehensive details about consumer rights and enable them to decline the sale and sharing of their personal information.

 
Field name GPP Field Type Description What happens in Auto-display consent screen scenario? What happens in Do not Auto-display consent screen scenario?
SaleOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of the Sale of the Consumer's Personal Information

0 Not Applicable. The Business does not sell personal data.

1 Yes, notice was provided

2 No, notice was not provided
This field will be set as 1 - Notice shown as soon as the consent screen auto-triggers successfully. This field will be set as 2- Notice was not provided unless the user clicks on the opt-out link.
SharingOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of the Sharing of the Consumer's Personal Information

0 Not Applicable. The Business does not Share Personal Data.

1 Yes, notice was provided

2 No, notice was not provided
This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
SensitiveDataLimitUseNotice Int(2)

Notice of the Opportunity to Limit Use or Disclosure of the Consumer's Sensitive Personal Information

0 Not Applicable. The Business does not use or disclose Sensitive Data.

1 Yes, notice was provided

2 No, notice was not provided
This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
SaleOptOut Int(2)

Opt-Out of the Sale of the Consumer's Personal Information

0Not Applicable. SaleOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
Once the consent screen auto-triggers, based on the opt-out value updated by the user, this field is updated accordingly.

This field will be set as 0 - No notice provided till the consent screen is triggered by the end-user.

Once the screen is triggered successfully, based on the user's opt-out value, this field is updated accordingly.

SharingOptOut Int(2)

Opt-Out of the Sharing of the Consumer's Personal Information

0 Not Applicable. SharingOptOutNotice value was not applicable or no notice was provided.

Opted Out

Did Not Opt Out

This field is updated as per user input. This field will be set as 0 - till the consent screen is triggered.
SensitiveDataProcessing N-Bitfield(2,9)

Two bits for each Data Activity:

0 Not Applicable. SensitiveDataLimitUseNotice value was not applicable or no notice was provided.

1 Opted Out

2 Did Not Opt Out

Two bits for each Data Activity:

0 Not Applicable. SensitiveDataLimitUseNotice value was not applicable or no notice was provided.

1 Opted Out

2 Did Not Opt Out

Data Activities:

(1) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals a Consumer's Social Security, Driver's License, State Identification Card, or Passport Number.

(2) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals a Consumer's Account Log-In, Financial Account, Debit Card, or Credit Card Number in Combination with Any Required Security or Access Code, Password, or Credentials Allowing Access to an Account.

(3) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals a Consumer's Precise Geolocation.

(4) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals a Consumer's Racial or Ethnic Origin, Religious or Philosophical Beliefs, or Union Membership.

(5) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals the contents of a Consumer's Mail, Email, and Text Messages unless You Are the Intended Recipient of the Communication.

(6) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Which Reveals a Consumer's Genetic Data.

(7) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Consisting of Biometric Information for the Purpose of Uniquely Identifying a Consumer.

(8) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Consisting of Personal Information Collected and Analyzed Concerning a Consumer's Health.

(9) Opt-Out of the Use or Disclosure of the Consumer's Sensitive Personal Information Consisting of Personal Information Collected and Analyzed Concerning a Consumer's Sex Life or Sexual Orientation.

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

PersonalDataConsents Int(2)

Consent to Collection, Use, Retention, Sale, and/or Sharing of the Consumer's Personal Data that Is Unrelated to or Incompatible with the Purpose(s) for which the Consumer's Personal Data Was Collected or Processed

0 Not Applicable. The Business does not use, retain, Sell, or Share the Consumer's Personal Data for advertising purposes that are unrelated to or incompatible with the purpose(s) for which the Consumer's Personal Data was collected or processed.

1 No Consent

2 Consent

This field is updated as per user input.

This field will be set as 0 - till the consent screen is triggered.

KnownChildSensitiveDataConsents

N-Bitfield(2,2)

Two bits for each Data Activity:

0 Not Applicable. The Business does not have actual knowledge that it Processes Personal Information of Consumers Less Than 16 years of Age.

1 No Consent

2 Consent

Data Activities:

(1) Consent to Sell the Personal Information of Consumers Less Than 16 years of Age

(2) Consent to Share the Personal Information of Consumers Less Than 16 years of Age

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

VCDPA

Businesses may obtain consent by getting consumers to check a blank checkbox or by typing a written statement.

 
Field name GPP Field Type Description Auto-display consent screen Do not Auto-display consent screen
SaleOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of the Sale of the Consumer's Personal Information

0 Not Applicable. The Business does not sell personal data.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1 - Notice shown as soon as the consent screen auto-triggers successfully.

This field will be set as 2- Notice was not provided unless the user clicks on the opt-out link.

SharingNotice Int(2)

Notice of the Sharing of Personal Data with Third Parties

0 Not Applicable. The Controller does not share Personal Data with Third Parties.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
TargetedAdvertisingOptOutNotice Int(2)

Notice of the Opportunity to Opt-Out of Processing of the Consumer's Personal Data for Targeted Advertising

0 Not Applicable.The Controller does not Process Personal Data for Targeted Advertising.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
SaleOptOut Int(2)

Opt-Out of the Sale of the Consumer's Personal Information

0Not Applicable. SaleOptOutNotice value was not applicable or no notice was provided

Opted Out

2 Did Not Opt Out
Once the consent screen auto-triggers, based on the opt-out value updated by the user, this field is updated accordingly.

This field will be set as 0 - No notice provided till the consent screen is triggered by the end-user.

Once the screen is triggered successfully, based on the user's opt-out value, this field is updated accordingly.

TargetedAdvertisingOptOut Int(2)

Opt-Out of Processing the Consumer's Personal Data for Targeted Advertising

0 Not Applicable. TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
Once the consent screen auto-triggers, based on the opt-out value updated by the user, this field is updated accordingly. This field will be set as 0 - till the consent screen is triggered.
SensitiveDataProcessing N-Bitfield(2,8)

Two bits for each Data Activity:

0 Not Applicable. The Controller does not Process the specific category of Sensitive Data.

1 No Consent

2 Consent

(1) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin.

(2) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Religious Beliefs.

(3) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing a Mental or Physical Health Diagnosis.

(4) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Sexual Orientation.

(5) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Citizenship or Immigration Status.

(6) Consent to Process the Consumer's Sensitive Data Consisting of Genetic Data for the Purpose of Uniquely Identifying a Natural Person.

(7) Consent to Process the Consumer's Sensitive Data Consisting of Biometric Data for the Purpose of Uniquely Identifying a Natural Person.

(8) Consent to Process the Consumer's Sensitive Data Consisting of Precise Geolocation Data.

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

KnownChildSensitiveDataConsents

Int(2)

Consent to Process Sensitive Data from a Known Child

0 Not Applicable. The Controller does not Process Sensitive Data of a known Child.

1 No Consent

2 Consent

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

CPA

Companies are obligated to provide consumers the choice to opt-out of the sale or targeted advertising use of their personal data. Consumers can express their preferences through a Universal Opt-Out Mechanism (UOOM).

 
Field name GPP Field Type Description Auto-display consent screen Do not Auto-display consent screen
SaleOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of the Sale of the Consumer's Personal Information

0 Not Applicable. The Business does not sell personal data.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1 - Notice shown as soon as the consent screen auto-triggers successfully.

This field will be set as 2- Notice was not provided unless the user clicks on the opt-out link.

SharingNotice Int(2)

Notice of the Sharing of Personal Data with Third Parties

0 Not Applicable. The Controller does not share Personal Data with Third Parties.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
TargetedAdvertisingOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of Processing of the Consumer's Personal Data for Targeted Advertising

0 Not Applicable.The Controller does not Process Personal Data for Targeted Advertising.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
SaleOptOut Int(2)

Opt-Out of the Sale of the Consumer's Personal Information

Not Applicable. SaleOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
Once the consent screen auto-triggers, based on the opt-out value updated by the user, this field is updated accordingly.

This field will be set as 0 - No notice provided till the consent screen is triggered by the end-user.

Once the screen is triggered successfully, based on the user's opt-out value, this field is updated accordingly.

TargetedAdvertisingOptOut Int(2)

Opt-Out of Processing the Consumer's Personal Data for Targeted Advertising

0 Not Applicable. TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
Once the consent screen auto-triggers, based on the opt-out value updated by the user, this field is updated accordingly. This field will be set as 0 - till the consent screen is triggered.
SensitiveDataProcessing N-Bitfield(2,7)

Two bits for each Data Activity:

0 Not Applicable. The Controller does not Process the specific category of Sensitive Data.

1 No Consent

2 Consent

(1) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin.

(2) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Religious Beliefs.

(3) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing a Mental or Physical Health Condition or Diagnosis.

(4) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Sex Life or Sexual Orientation.

(5) Consent to Process the Consumer's Sensitive Data Consisting of Personal Data Revealing Citizenship or Citizenship Status.

(6) Consent to Process the Consumer's Sensitive Data Consisting of Genetic Data that May Be Processed for the Purpose of Uniquely Identifying an Individual.

(7) Consent to Process the Consumer's Sensitive Data Consisting of Biometric Data that May Be Processed for the Purpose of Uniquely Identifying an Individual.

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

KnownChildSensitiveDataConsents

Int(2)

Consent to Process Sensitive Data from a Known Child

0 Not Applicable. The Controller does not Process Sensitive Data of a known Child.

1 No Consent

2 Consent

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

UCPA

The UCPA does not prescribe specific opt-out methods. In contrast to the CCPA, which mandates an opt-out link, the UCPA grants flexibility for organizations to establish their preferred methods for enabling consumers to opt out of data sales or targeted advertising.

 
Field name GPP Field Type Description Auto-display consent screen Do no Auto-display consent screen
SaleOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of the Sale of the Consumer's Personal Information

0 Not Applicable. The Business does not sell personal data.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1 - Notice shown as soon as the consent screen auto-triggers successfully.

This field will be set as 2- Notice was not provided unless the user clicks on the opt-out link.

 

SharingNotice Int(2)

Notice of the Sharing of Personal Data with Third Parties

0 Not Applicable. The Controller does not share Personal Data with Third Parties.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
TargetedAdvertisingOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of Processing of the Consumer's Personal Data for Targeted Advertising

0 Not Applicable.The Controller does not Process Personal Data for Targeted Advertising.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.

SensitiveDataProcessingOptOutNotice

Int(2)

Notice of the Opportunity to Opt Out of the Processing of the Consumer's Sensitive Data

0 Not Applicable. The Controller does not Process Sensitive Data.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
SaleOptOut Int(2)

Opt-Out of the Sale of the Consumer's Personal Information

0 Not Applicable. SaleOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
Once the consent screen auto-triggers, based on the opt-out value updated by the user, this field is updated accordingly.

This field will be set as 0 - No notice provided till the consent screen is triggered by the end-user.

Once the screen is triggered successfully, based on the user's opt-out value, this field is updated accordingly.

TargetedAdvertisingOptOut Int(2)

Opt-Out of Processing the Consumer's Personal Data for Targeted Advertising

0 Not Applicable. TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
Once the consent screen auto-triggers, based on the opt-out value updated by the user, this field is updated accordingly. This field will be set as 0 - till the consent screen is triggered.
SensitiveDataProcessing N-Bitfield(2,8)

Two bits for each Data Activity:

0 Not Applicable. The Controller does not Process the specific category of Sensitive Data.

1 Opted Out

2 Did Not Opt Out

(1) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin.

(2) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Religious Beliefs.

(3) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Sexual Orientation.

(4) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Citizenship or Immigration Status.

(5) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Medical History, Mental or Physical Health Condition, or Medical Treatment or Diagnosis by a Health Care Professional.

(6) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Genetic Data for the Purpose of Identifying a Specific Individual.

(7) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Biometric Data for the Purpose of Identifying a Specific Individual.

(8) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Specific Geolocation Data.

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

KnownChildSensitiveDataConsents

Int(2)

Consent to Process Sensitive Data from a Known Child

0 Not Applicable. The Controller does not Process Sensitive Data of a known Child.

1 No Consent

2 Consent

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

CTDPA

As per the law, data controllers must provide "clear and conspicuous" opt-out links on their websites.

 
Field name GPP Field Type Description Auto-display consent screen Do not Auto- display consent screen
SaleOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of the Sale of the Consumer's Personal Information

0 Not Applicable. The Business does not sell personal data.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1 - Notice shown as soon as the consent screen auto-triggers successfully.

This field will be set as 2- Notice was not provided unless the user clicks on the opt-out link.

SharingNotice Int(2)

Notice of the Sharing of Personal Data with Third Parties

0 Not Applicable. The Controller does not share Personal Data with Third Parties.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
TargetedAdvertisingOptOutNotice Int(2)

Notice of the Opportunity to Opt Out of Processing of the Consumer's Personal Data for Targeted Advertising

0 Not Applicable.The Controller does not Process Personal Data for Targeted Advertising.

1 Yes, notice was provided

2 No, notice was not provided

This field will be set as 1. This field will be set as 2 till the user clicks on the opt-out link.
SaleOptOut Int(2)

Opt-Out of the Sale of the Consumer's Personal Information

0 Not Applicable. SaleOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
This field will be set as 2 - Did Not opt-out as soon as the consent screen auto-triggers successfully. Based on the opt-out value updated by the user, this field is updated accordingly.

This field will be set as 0 - No notice provided till the consent screen is triggered by the end-user.

Once the screen is triggered successfully, based on the user's opt-out value, this field is updated accordingly.

TargetedAdvertisingOptOut Int(2)

Opt-Out of Processing the Consumer's Personal Data for Targeted Advertising

0 Not Applicable. TargetedAdvertisingOptOutNotice value was not applicable or no notice was provided

1 Opted Out

2 Did Not Opt Out
This field will be set as 2. This field will be set as - till the consent screen is triggered..
SensitiveDataProcessing N-Bitfield(2,8)

Two bits for each Data Activity:

0 Not Applicable. The Controller does not Process the specific category of Sensitive Data.

1 Opted Out

2 Did Not Opt Out

(1) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Racial or Ethnic Origin.

(2) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Religious Beliefs.

(3) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Sexual Orientation.

(4) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Citizenship or Immigration Status.

(5) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Personal Data Revealing Medical History, Mental or Physical Health Condition, or Medical Treatment or Diagnosis by a Health Care Professional.

(6) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Genetic Data for the Purpose of Identifying a Specific Individual.

(7) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Biometric Data for the Purpose of Identifying a Specific Individual.

(8) Opt-Out of the Processing of the Consumer's Sensitive Data Consisting of Specific Geolocation Data.

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

KnownChildSensitiveDataConsents

N-Bitfield(2,3)

Two bits for each Data Activity:

0 Not Applicable. The Controller does not Process Sensitive Data of a known Child.

1 No Consent

2 Consent

(1) Consent to Process Sensitive Data from a Known Child.

(2) Consent to Sell the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age.

(3) Consent to Process the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age for Purposes of Targeted Advertising.

This field is set as opted-out by default.

It will update immediately based on the end-user's preference.

This field is set as opted-out by default.

It will update based on the end-user's preference.

On This Page

Last Updated on: 29 May, 2024