Technicalities of MSPA

In this topic, we will aim to understand certain technicalities of the MSPA and the rules that publishers need to follow to implement the MSPA properly.

What is a Covered Transaction

In the MSPA framework, a First Party (a publisher) is responsible for deciding if a consumer's personal information, whether handled directly or by others downstream, falls under MSPA's rules as a Covered Transaction.

Action Required

If a Publisher opts for a Covered Transaction, it must set the "Are Your Transaction Covered Under MSPA Framework?" field to Yes. If a Publisher wishes to exempt a specific transaction from MSPA applicability, it should set the MSPA Transaction Signal to No.

Note

To indicate your transactions are covered, you are required to be an MSPA signatory. You can check your signatory status and sign the MSPA here.

Implication for consent string

In the GPP string sections allocated for residents of various states (and U.S. National Consumers), as discussed in section 3.3, there is a field called MspaCoveredTransaction. Selecting Yes to the above question sets this field to 1 (indicating it is a Covered Transaction); selecting No sets it to 2 (indicating it is not a Covered Transaction).

What is a Regulatory Path

Apart from choosing the mode for the covered transaction, the MSPA also requires the publisher to identify the “Applicable Jurisdiction” governing the processing of a specific consumer's personal information.

The publisher is granted flexibility in this regard. It can ascertain the state residency of the consumer, determine the Applicable State Privacy Law, and adhere to the specific requirements of that state. 

National Approach

If the publisher can't decide or doesn't want to provide different privacy choices to users, it can choose to handle the consumer's personal information using the National Approach.

The national approach identifies the highest common denominator in privacy requirements among the five new state laws. In the national approach, MSPA collects the opt-outs required in all the states in the US together. GPP will incorporate signaling for the national approach.

Adopting a national standard approach reduces the complexity of implementing five distinct legal frameworks simultaneously to some extent.

Note

According to IAB, only MSPA signatories can use the National section to encode and signal user opt-out preferences. You can check your signatory status and sign the MSPA here.

National + State Approach

If the Publisher establishes that a consumer is not a resident of any Applicable Jurisdiction, it retains the freedom to abstain from processing digital ad transactions for that consumer as Covered Transactions.

In that case, the publisher can opt for a national + state approach. In this approach, consent will be collected based on the national approach in all other states of the U.S. apart from California, Virginia, Colorado, Utah, and Connecticut. In the five states, their specific data privacy laws will apply.

This approach allows publishers to collect only the necessary consents and be compliant with both the national and state laws. It enables them to reach a wider audience without worrying about being non-compliant.

Difference Between Opt-Out Mode and Service Provider Mode

Note

InMobi CMP supports only opt-out mode.

If a publisher chooses to apply the MSPA for a specific Covered Transaction, it must use a technical Signal developed by the IAB Tech Lab and opt for one of two operational modes: 

  • Opt-Out Option Mode 
  • Service Provider Mode

The mode selection depends on the publisher's intentions regarding the Personal Information processed under that Covered Transaction. 

Opt-Out Option Mode

If the publisher intends to "Sell" or "Share" personal information or partake in "Targeted Advertising," it will opt for Opt-Out Option Mode, which requires it to provide the specified Opt-Out rights to Consumers.

Service Provider Mode

If the publisher aims to exclusively engage in Covered Transactions with Signatories acting as "Service Providers" (i.e., refraining from Selling or Sharing Personal Information or participating in Targeted Advertising), it will choose to operate in Service Provider Mode.

Last Updated on: 29 May, 2024