There was an unexpected error authorizing you. Please try again.

IAB Tech Lab Launches Second Public Comment Period for Data Deletion Request Framework

The IAB Tech Lab has announced the commencement of the second public comment period for the Data Deletion Request Framework specification. Scheduled to conclude on April 22nd, 2024, feedback can be submitted to

The Data Deletion Request Framework is critical for digital advertising as the ‘right to delete’ emerges as a key of privacy right. Recent legislative advancements, such as the passing of SB362, “The Delete Act,” in California, underscore the urgency and significance of a data deletion protocol.

Industry Insights

The Global Privacy Working Group carried out an extensive review process following the first public comment period. Through Q1, the working group diligently addressed the feedback from industry stakeholders. The initial round of feedback emphasized simplification and alignment with prevailing industry standards. The result is a revised specification poised to meet the dynamic needs of the digital advertising ecosystem.

Core Updates

There are three core updates to the specification as a result of the first public comment period – here are details on each:

  1. Introduction of JSON Web Tokens (JWTs) to Deletion Request Data: The specification is updated to utilize JSON Web Tokens (JWT) for secure data transmission, ensuring the authenticity of deletion requests. Requesters sign JWTs with private keys, while recipients verify them using public keys hosted on the requester’s domain. It leverages registered public claims from the JWT standard for consistency and introduces custom private claims for deletion requests. There are three distinct JWTs delineated:
    1. Identity JWT (idJWT): Generated by the 1st party, containing the ID to be deleted and authentication information.
    2. Request JWT (rqJWT): Includes the idJWT and additional request transaction details, generated for each vendor requiring communication.
    3. Acknowledgement JWT (acJWT): Generated by a recipient, including rqJWT and acknowledgment status, confirming the success or failure of the communication.

This model ensures authentication of deletion requests and provides proof of transaction success or failure for both requesters and recipients. The specification includes definitions, updated request data tables, and revised JSON payload examples to provide comprehensive guidance on JWT implementation and propagation.

  1. JSON Web Key Sets (JWKS) for Cryptographic Signatures: The specification has been updated to leverage the JSON Web Key Sets standard to ensure deletion requests are legitimate and unmodified. The JWKS standard is an established way to store and manage cryptographic keys as a set of JSON objects. JWKS supports asymmetric signature with a public key and private key pair, supporting the discoverability design of the dsrdelete.json file and the signature requirements of the deletion framework. Using the JWKS standard, participants will cryptographically sign requests and responses with private keys. The corresponding public keys will be published in their JWKS files so that other participants can use them to verify signatures. 
  2. Result Codes for Acknowledgments: When sharing details about the outcome of a deletion request, along with the HTTP status code, recipients will also include a result code in the acJWT response payload raResultCode claim. In addition to the result code, responses may also contain a string with additional details about the error in the acJWT raResultString claim. To support this, result codes have been defined with accompanying descriptions and are included as a table in the specification.

Looking Ahead

The Data Deletion Request Framework specification’s second public comment period is driven by the collective work of the Global Privacy Working Group. With updates aimed at simplification, standardization, and enhanced functionality, the Data Deletion Request Framework is poised to facilitate a more seamless data deletion process across the digital advertising ecosystem. 
To review and comment on the specification, please visit Data Deletion Request Framework.

Jared Moscow
Director of Product, Privacy & Addressability
IAB Tech Lab