IAB Australia publishes data deletion framework explainer for adtech
IAB Australia releases guidance on standardized privacy protocol as nation awaits second tranche of reforms expected to introduce consumer deletion rights.
IAB Australia published an explainer document on November 6, 2025, detailing the Data Deletion Request Framework developed by IAB Tech Lab. The explainer arrives as Australia's Privacy Review enters full implementation, with the second tranche of reforms under consultation. According to the newsletter announcement from IAB Australia, the framework sits alongside the Global Privacy Platform, Accountability Platform and Privacy Taxonomy to provide practical building blocks for privacy compliance and responsible data handling.
IAB Tech Lab released the first version of the Data Deletion Request Framework in June 2024, with recent updates published for public comment through December 1, 2025. The framework addresses consumer-initiated data erasure requests across the digital advertising supply chain through a standardized technical protocol. According to the explainer, the framework was designed to bring specifications up-to-date with evolving legislation globally while improving long-term flexibility.
Australia currently lacks a general right to delete or erase personal data on demand. The Privacy Act 1988 establishes the national framework for handling personal information through 13 Australian Privacy Principles. APP 11 requires organizations to take reasonable steps to destroy or de-identify personal information when no longer needed for any permitted purpose. However, the obligation rests on organizations to determine when data becomes unnecessary, rather than consumers requesting deletion.
The framework replaces fragmented manual processes with a consistent, cryptographically secured technical protocol. Traditionally, the adtech ecosystem relied upon ad hoc email-based processes to handle data deletion requests, creating delays, inconsistencies and compliance risks. The Data Deletion Request Framework focuses on communication rather than deletion execution, enabling requests to propagate securely through interconnected advertising technologies.
Each participating organization must publish a dsrdelete.json configuration file at the root of their domain. This file contains relevant configuration parameters, including the public cryptographic key used for digital signature verification and the API endpoint where data deletion requests and acknowledgements should be sent. The IAB Tech Lab maintains a centralized directory of these files, crawled from participating domains and accessible via an API or tools portal.
Deletion requests operate through a structured sequence using JSON Web Tokens for secure data transmission. Three distinct JWTs exist: Identity JWT generated by the first party containing the ID to be deleted and authentication information; Request JWT including the Identity JWT and additional transaction details; and Acknowledgement JWT generated by recipients confirming success or failure of communication.
The complete deletion request workflow operates through discovery, request preparation, cryptographic signing, transmission, validation, authentication verification, processing, acknowledgment and confirmation tracking. The first-party publisher discovers all vendors' and recipients' dsrdelete.json files containing API endpoints and supported identifiers. Publishers create an Identity JWT containing the consumer identifier and generate a Request JWT with transaction metadata, digitally signed with the publisher's private key.
Recent updates to the framework, released for public comment through December 1, 2025, enhance clarity around token formats, strengthen key management and security guidance, and expand implementation options for extensibility. According to the explainer, these updates were designed to improve long-term flexibility as privacy legislation continues to evolve globally.
The EU's GDPR Article 17, which came into force in May 2018, allows individuals to request erasure when data is no longer necessary, consent is withdrawn, data was unlawfully processed, or specific legal grounds are met. In the United States, California and Virginia both provide comprehensive deletion rights, with other states progressively adopting similar provisions. Across Asia-Pacific, Japan, South Korea and China all provide explicit right to data deletion provisions.
The framework is part of IAB Tech Lab's broader privacy compliance portfolio. IAB Tech Lab's Privacy Taxonomy provides a common language for defining, classifying and communicating personal data across the industry. IAB Tech Lab's Accountability Platform establishes a standardized framework for validating user preference signals across the digital advertising ecosystem.
The UK's Information Commissioner's Office endorsed the framework in July 2025, formally recognizing its potential to improve third-party handling of deletion requests in online tracking scenarios. This endorsement provides regulatory validation for the framework's approach to consumer data rights.
Jonas Jaanimagi, Technology Lead at IAB Australia, wrote the explainer. According to the document, Australian companies handling data from regions like the EU or US relevant states should implement the framework to meet international deletion requests efficiently and avoid potential ramifications.
Australia's Privacy Act does not yet mandate a general right to data deletion. However, ongoing reforms may introduce this in future tranches, making review of framework requirements advisable for compliance readiness. Privacy law expert Peter Leonard revealed at the IAB Australia Data & Privacy Summit on August 6, 2025, that the Productivity Commission had released its interim report on "harnessing data and digital technology" at 10:30 PM the previous evening, fundamentally challenging existing privacy reform proposals.
The framework operates as a non-proprietary, interoperable standard, ensuring that smaller vendors and publishers can implement it without vendor lock-in. The specification is maintained in a public GitHub repository where all updates can be easily reviewed. This approach allows the framework to remain accessible to organizations of all sizes while maintaining technical rigor.
Buy ads on PPC Land. PPC Land has standard and native ad formats via major DSPs and ad platforms like Google Ads. Via an auction CPM, you can reach industry professionals.
Implementation requires coordination across the advertising ecosystem. The framework enables companies to efficiently communicate consumer-initiated data erasure requests across internal systems and external supply chain partners, reducing manual effort and enhancing operational accountability. Organizations must establish API endpoints, publish configuration files, and implement cryptographic verification systems to participate.
IAB Australia's recent survey revealed that 92% of industry professionals consider data usage critical or very important for commercial success in digital advertising and business growth. First-party data has emerged as the cornerstone of digital advertising strategies, with 80% of respondents rating first-party data as critical or very important for targeting and creative decisions.
The framework addresses critical technical challenges while respecting consumer privacy rights. By standardizing deletion request transmission, it reduces compliance burden while ensuring consistent handling of data subject requests. Organizations can track confirmation across all recipients, ensuring complete deletion throughout the supply chain.
Subscribe PPC Land newsletter ✉️ for similar stories like this one
Timeline
- May 2018: EU's GDPR Article 17 comes into force, establishing "right to be forgotten"
- June 2024: IAB Tech Lab releases first version of Data Deletion Request Framework
- July 2025: UK Information Commissioner's Office endorses framework
- August 6, 2025: IAB Australia Data & Privacy Summit discusses privacy reform trajectory
- September 7, 2024: IAB Tech Lab launches Privacy Taxonomy to standardize data management
- September 10, 2025: IAB Australia MeasureUp conference addresses privacy-focused measurement
- November 5, 2024: IAB Tech Lab finalizes Accountability Platform specification
- November 6, 2025: IAB Australia publishes Data Deletion Request Framework explainer
- November 2025: Updated framework specifications released for public comment
- December 1, 2025: Public comment period closes for updated framework specifications
- February 2026: Potential implementation of Australia's second tranche of privacy reforms
Subscribe PPC Land newsletter ✉️ for similar stories like this one
Summary
Who: IAB Australia published the explainer, with Jonas Jaanimagi serving as Technology Lead. IAB Tech Lab developed the underlying framework through its Global Privacy Working Group with input from over 750 global companies including Google, Roku, Ketch, Sourcepoint, Dstillery, Raptive, Mediavine and Index Exchange.
What: The Data Deletion Request Framework is a technical specification that standardizes how deletion requests are transmitted across the digital advertising supply chain. It uses cryptographic signatures, JSON Web Tokens, and API endpoints to securely communicate consumer-initiated data erasure requests throughout interconnected advertising technologies. The framework replaces manual email-based processes with automated, verifiable deletion request handling.
When: IAB Australia published the explainer on November 6, 2025. IAB Tech Lab released the first framework version in June 2024, with updated specifications released for public comment in November 2025 through December 1, 2025. Implementation readiness becomes increasingly important as Australia advances toward second tranche privacy reforms expected in 2026.
Where: The framework operates globally across the digital advertising ecosystem, with particular relevance for Australian organizations as the nation's Privacy Review progresses. Australia's Privacy Act currently does not mandate general deletion rights, but ongoing reforms may introduce these requirements. The framework already applies to Australian companies handling data from EU, US and Asia-Pacific regions with existing deletion rights provisions.
Why: The framework matters because it provides the advertising industry with an efficient, consistent and reliable process for handling consumer data deletion rights. As privacy regulations tighten globally, organizations require standardized methods to ensure personal data deletion requests propagate throughout complex supply chains. The framework builds trust with consumers by ensuring deletion requests are actually executed as required by law, while reducing compliance burden on organizations through automation and standardization. For Australian marketers, understanding the framework prepares organizations for anticipated legislative changes while meeting existing international obligations.