IAB Tech Lab releases PAIR 1.1 protocol to simplify encrypted data matching

New version clarifies encoding standards and introduces Open PAIR prebid module for broader industry adoption.

IAB Tech Lab logo with PAIR version 1.1 Publisher Advertiser Identity Reconciliation protocol branding

The Interactive Advertising Bureau Technology Laboratory released version 1.1 of its Publisher Advertiser Identity Reconciliation (PAIR) protocol, with the specification last updated on July 16, 2025. This updated specification marks a significant milestone in refining the cryptographic standard that enables secure first-party data matching between advertisers and publishers without exposing personal information.

According to the announcement, PAIR 1.1 introduces clearer technical definitions, simplified encoding requirements, and a new Open PAIR prebid module designed to accelerate industry adoption. The protocol represents a major advancement in privacy-enhancing technologies for digital advertising amid growing regulatory pressure and the decline of third-party cookies.

Summary

Who: The Interactive Advertising Bureau Technology Laboratory (IAB Tech Lab), led by the Rearc Addressability and Privacy Enhancing Technologies Working Group, with contributors from Google, Magnite, Optable, PubMatic, and other industry stakeholders.

What: Release of PAIR (Publisher Advertiser Identity Reconciliation) protocol version 1.1, featuring clarified technical definitions, standardized Base64 encoding requirements handled by Data Clean Rooms, and a new Open PAIR prebid module supporting multiple DCR vendors.

When: July 16, 2025, the date the specification was last updated. It is immediately available for implementation, and the Open PAIR prebid module is accessible through Prebid.js repositories.

Where: Global digital advertising industry, with implementation across Data Clean Rooms, publishers, Supply Side Platforms, Demand Side Platforms, and programmatic advertising infrastructure.

Why: To address implementation confusion from the original 1.0 specification, reduce technical burden on publishers, improve auction latency, increase audience match rates, and accelerate industry adoption of privacy-preserving first-party data matching amid growing regulatory pressure and the decline of third-party cookies.

Standardized definitions address industry confusion

PAIR 1.1 addresses terminology ambiguity that emerged following the initial protocol release in September 2024. The update provides definitive definitions for key terms, particularly "Publisher Identifiers," which the specification now clearly describes as Base64-encoded KsKp encrypted values transmitted through OpenRTB bid requests.

"We wanted to make it clear and have a clear stable definitive definition for Publisher Identifiers," according to the IAB Tech Lab announcement. This clarification eliminates confusion that arose during early implementation phases when different parties interpreted technical specifications differently.

The protocol specifies that Publisher Identifiers are double-encrypted values created through the PAIR process. These identifiers enable secure audience matching while maintaining the cryptographic protection that prevents unauthorized access to underlying personal data.

Data Clean Rooms must handle encoding to reduce publisher workload

The 1.1 version introduces a significant change in encoding responsibilities. Previously, publishers were expected to handle Base64 encoding of Publisher Identifiers before transmission, creating additional technical burden and potential latency issues.

Under the new specification, Data Clean Rooms must Base64 encode Publisher Identifier values before sharing them with publishers and Demand Side Platforms. This change addresses feedback indicating that encoding requirements were "loosely defined" in the original 1.0 protocol, which caused implementation confusion and additional technical work.

The modification eliminates URL-safe encoding requirements for publishers, who previously needed to manage binary data encryption. According to the announcement, this change will "reduce workload for publishers, reduce latency in checking for audience matches during auctions, and increase audience match rates."

DSPs benefit from the encoding change by eliminating the need to decode incoming values during the bid response process. The standardized encoding ensures that Publisher Identifier values can be matched directly without additional processing steps that could impact auction timing.

Open PAIR prebid module enables multi-DCR support

IAB Tech Lab developed a new Open PAIR prebid module to replace earlier proprietary implementations. The module represents a significant upgrade from the original PAIR prebid module, incorporating feedback from industry stakeholders and the PAIR protocol development team.

Key enhancements in the Open PAIR module include support for multiple Data Clean Room vendors, standardized field definitions, and improved flexibility for publishers. The module defines atype=3 and source=pair-protocol.com as standard values, replacing proprietary specifications that limited interoperability.

The module allows publishers to define "inserter" and "matcher" values, providing additional context to bidders about data origin and publisher ownership. Publishers using the module can include it in prebid builds using the command gulp build --modules=openPairIdSystem.

IAB Tech Lab encourages migration from earlier modules, particularly the Google-developed version that was available during the protocol's initial development phase. The organization emphasizes that Data Clean Rooms, publishers, and DSPs should transition to the Open PAIR module to ensure compatibility with the standardized specification.

Privacy-enhancing cryptography maintains data protection

The PAIR protocol utilizes commutative encryption techniques that enable matching of encrypted user identifiers without revealing underlying personal information. The system generates unique encryption keys for publishers (Kp), advertisers (Ka), and a secret key (Ks) maintained by publishers.

Through the commutative property of the encryption schema, the order of key application does not affect the final encrypted output. This mathematical principle allows Data Clean Rooms to match encrypted identifiers from different parties without decrypting the personal data.
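The commutative property can be seen in a few lines of JavaScript. The sketch below is an added illustration, not code from the PAIR specification or from IAB Tech Lab: it substitutes a toy exponentiation cipher (SRA/Pohlig-Hellman over a 127-bit prime) for whatever cipher a real deployment uses, and the key labels, e-mail addresses and function names are constructed for the demo.

```javascript
// Added illustration (not the PAIR spec's code): an SRA/Pohlig-Hellman
// exponentiation cipher with toy parameters stands in for PAIR's cipher.
const { createHash } = require("node:crypto");

const P = (1n << 127n) - 1n; // Mersenne prime 2^127 - 1; demo size only

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

function gcd(a, b) {
  while (b !== 0n) [a, b] = [b, a % b];
  return a;
}

const sha256Int = (s) => BigInt("0x" + createHash("sha256").update(s).digest("hex"));

// A key is an exponent coprime to P-1, so x -> x^key mod P is invertible.
// Derived from a label only to keep the demo reproducible; real keys are random.
function deriveKey(label) {
  let k = sha256Int("key:" + label) % (P - 1n);
  while (k < 2n || gcd(k, P - 1n) !== 1n) k += 1n;
  return k;
}

// Normalise an identifier and hash it into the range [1, P-1].
const hashToGroup = (email) => (sha256Int(email.trim().toLowerCase()) % (P - 1n)) + 1n;
const encrypt = (value, key) => modPow(value, key, P);

// Overlap of two lists, computed on double-encrypted values only.
function matchCount(pubEmails, advEmails, kp, ka) {
  const pub = new Set(pubEmails.map((e) => String(encrypt(encrypt(hashToGroup(e), kp), ka))));
  const adv = advEmails.map((e) => String(encrypt(encrypt(hashToGroup(e), ka), kp)));
  return adv.filter((c) => pub.has(c)).length;
}

// Constructed sample data.
const Kp = deriveKey("publisher-demo");
const Ka = deriveKey("advertiser-demo");
const publisherList = ["alice@example.com", "bob@example.com", "carol@example.com"];
const advertiserList = ["Bob@Example.com ", "dave@example.com", "alice@example.com"];
console.log("overlap size:", matchCount(publisherList, advertiserList, Kp, Ka));
```

The publisher side applies Kp then Ka, the advertiser side Ka then Kp, and the two lists still intersect on the shared addresses; only the overlap count is returned, in line with aggregate-only reporting.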

According to the PAIR 1.1 specification, encryption keys follow mandatory rotation schedules to limit exposure from potential compromises. The secret key Ks rotates every 30 days, while advertiser and publisher keys rotate every 180 days. These rotation requirements ensure that even if keys are compromised, the window of vulnerable data remains limited.

The protocol includes additional privacy safeguards including minimum dataset size requirements, aggregate-only match rate reporting, and restrictions on cross-party learning. Data Clean Rooms must implement k-anonymity processing and differential privacy measures to prevent individual user identification.

Technical implementation spans multiple scenarios

PAIR 1.1 supports three implementation approaches: single Data Clean Room with separate tenants, single Data Clean Room utilizing Trusted Execution Environments, and interoperable dual Data Clean Room configurations. Each approach addresses different organizational preferences for data custody and technical infrastructure.

The single DCR approach places both advertiser and publisher data in the same facility with separate access controls. TEE implementations add hardware-based isolation for additional security assurance. Dual DCR configurations enable each party to maintain their preferred data custody arrangements while still achieving secure matching capabilities.

For programmatic activation, publishers include PAIR identifiers in OpenRTB bid requests using the Extended Identifier (eids) object. The specification defines required fields including source, matcher, inserter, and uid values that enable DSPs to recognize and process PAIR audiences appropriately.

DSPs access matched Publisher Identifier lists from advertiser Data Clean Rooms to identify audience overlaps during auction processes. The system enables targeting of matched audiences while maintaining the cryptographic protection that prevents reverse engineering of individual user identities.
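On the DSP side, the checks described above reduce to validating the eids entry and comparing the Base64 strings as received. The following is an added example, not Prebid.js or IAB Tech Lab code: the placement of the fields (user.eids, matcher and inserter on the eid, id and atype on each uid) follows the usual OpenRTB layout and is an assumption, and the request, domains and identifiers are constructed.

```javascript
// Added illustration, not Prebid.js or IAB Tech Lab code. Field placement
// (user.eids, eid.matcher, eid.inserter, uids[].id/atype) is an assumption.
const PAIR_SOURCE = "pair-protocol.com";
const PAIR_ATYPE = 3;
// Standard Base64 alphabet with padding; URL-safe "-" and "_" do not match.
const STD_BASE64 = /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;

function pairIdsFromBidRequest(bidRequest) {
  const accepted = [];
  const rejected = [];
  for (const eid of bidRequest?.user?.eids ?? []) {
    if (eid.source !== PAIR_SOURCE) continue; // another identity provider
    if (!eid.matcher || !eid.inserter) {
      rejected.push({ reason: "missing matcher or inserter", id: null });
      continue;
    }
    for (const uid of eid.uids ?? []) {
      const wellFormed = typeof uid.id === "string" && uid.id !== "" && STD_BASE64.test(uid.id);
      if (uid.atype !== PAIR_ATYPE) rejected.push({ reason: "atype is not 3", id: uid.id });
      else if (!wellFormed) rejected.push({ reason: "id is not standard Base64", id: uid.id });
      else accepted.push(uid.id);
    }
  }
  return { accepted, rejected };
}

// DSP side: compare the encoded strings as received against the DCR's list.
function matchedAudience(bidRequest, matchedIdSet) {
  return pairIdsFromBidRequest(bidRequest).accepted.filter((id) => matchedIdSet.has(id));
}

// Constructed sample request; the ids are made-up strings, not real PAIR output.
const sampleRequest = {
  user: {
    eids: [
      { source: "other-id.example", uids: [{ id: "abc", atype: 1 }] },
      {
        source: PAIR_SOURCE, matcher: "dcr.example", inserter: "publisher.example",
        uids: [
          { id: "q83vEjRWeJA=", atype: 3 },
          { id: "3q2-7w==", atype: 3 }, // URL-safe alphabet
          { id: "AQIDBA==", atype: 1 }, // wrong atype
        ],
      },
    ],
  },
};
const matchedFromDcr = new Set(["q83vEjRWeJA=", "ZmFrZQ=="]);
console.log(matchedAudience(sampleRequest, matchedFromDcr));
```

Logging the rejected entries with their reasons gives an early signal that a publisher or DCR is still emitting 1.0-style URL-safe values, which would otherwise show up only as an unexplained drop in match rate.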

Industry adoption accelerates amid regulatory pressure

The PAIR 1.1 release occurs as digital advertising faces increasing privacy regulations and the continued erosion of traditional identifiers. With 14 U.S. state privacy laws enforceable in 2025 and additional regulations expected, the advertising industry requires privacy-preserving alternatives to third-party cookies.

IAB Tech Lab's broader 2025 roadmap includes PAIR protocol certification programs to verify adherence to privacy principles. The organization plans to deliver 31 new specifications or updates throughout 2025, demonstrating continued investment in privacy-enhancing technologies.

The protocol complements other IAB Tech Lab initiatives including the ID-Less Solutions Guidance and Attribution Data Matching Protocol (ADMaP). These standards collectively address different aspects of privacy-preserving advertising measurement and targeting.

Industry executives have expressed support for the standardized approach. Shreya Mathur, Senior Product Manager at Google, noted that "the increased performance and privacy offered by IAB Tech Lab PAIR will raise the confidence of advertisers and publishers in using their first-party data sets."

Implementation requirements address security concerns

PAIR 1.1 establishes comprehensive requirements for all participating entities. Publishers must maintain legally-required consent for submitted personal information and ensure prompt data refreshing when individuals exercise privacy rights. The specification requires publishers to use ads.txt files to define domain ownership scope for identifier generation.

Data Clean Rooms bear significant responsibility for protocol security and privacy preservation. Requirements include mandatory attestation that participants have obtained proper consent, implementation of cross-party learning limitations, and enforcement of minimum dataset sizes to prevent individual identification.

DSPs must verify that domains participating in PAIR matches share the same owner domain as defined in ads.txt specifications. The platforms cannot accept raw personal information in PAIR contexts and are prohibited from using PAIR identifiers to build audience profiles beyond the specific advertiser-publisher relationship.

The specification addresses Data Clean Room limitations highlighted by the Federal Trade Commission, which warned that these systems do not automatically prevent impermissible data disclosure. PAIR's cryptographic approach and strict operational requirements aim to address these regulatory concerns through technical safeguards.

Terminology explained

Commutative Encryption: This cryptographic technique allows multiple encryption keys to be applied to data in any order while producing identical results. The mathematical property ensures that encrypting data with Publisher Key A followed by Advertiser Key B yields the same output as applying Key B then Key A. This enables secure matching of encrypted identifiers without revealing the underlying personal information, forming the foundation of PAIR's privacy-preserving capabilities.

Data Clean Rooms (DCRs): These secure computing environments allow multiple parties to analyze shared datasets without exposing raw personal information to each participant. DCRs implement strict access controls, encryption protocols, and analytical restrictions that prevent data leakage while enabling collaborative insights. In PAIR implementations, DCRs perform the cryptographic operations necessary for secure audience matching and maintain the encryption keys that protect user privacy throughout the process.

Publisher Identifiers (Base64-encoded KsKp): These represent the final encrypted output of the PAIR matching process, combining the publisher's secret key (Ks) with the publisher encryption key (Kp) and encoding the result in Base64 format for transmission. These identifiers enable programmatic targeting while maintaining cryptographic protection against reverse engineering. The double encryption ensures that no single party can decrypt the values to reveal underlying user information.

Trusted Execution Environments (TEEs): Hardware-based security systems that create isolated computing spaces within processors, preventing even system administrators from accessing data during processing. TEEs use cryptographic attestation to prove their integrity and implement sealed data processing where only specific, verified code can decrypt and analyze sensitive information. PAIR implementations can leverage TEEs to provide additional assurance that personal data remains protected during audience matching operations.

Programmatic Real-Time Bidding (RTB): The automated auction system where advertising inventory is bought and sold in milliseconds through algorithmic decision-making. Publishers make ad space available through Supply Side Platforms, while advertisers bid through Demand Side Platforms using audience data and contextual signals. PAIR identifiers integrate into this process through OpenRTB protocols, enabling privacy-preserving audience targeting within the existing programmatic infrastructure.

Extended Identifier (eids) Object: The standardized data structure within OpenRTB specifications that carries alternative identity signals beyond traditional cookies. The eids object includes fields for source identification, matching algorithms, and encrypted identifier values, allowing different identity solutions to operate within the same programmatic ecosystem. PAIR utilizes specific eids configurations to transmit encrypted Publisher Identifiers while maintaining interoperability with existing advertising technology platforms.

K-Anonymity Processing: A privacy technique that ensures individual users cannot be uniquely identified within datasets by requiring minimum group sizes for any data analysis. When k=5, for example, any individual must be indistinguishable from at least four others based on available attributes. PAIR implementations use k-anonymity to prevent difference attacks where bad actors might submit carefully crafted datasets to isolate specific users through elimination processes.

Differential Privacy with Budgets: An advanced privacy mechanism that adds mathematically calibrated noise to query results to prevent individual identification while preserving analytical utility. Privacy budgets track cumulative information exposure across multiple queries, automatically limiting access when accumulated privacy loss exceeds safe thresholds. PAIR systems can implement differential privacy to protect against sophisticated attacks that attempt to infer individual characteristics through repeated analytical queries.

Commutative Cipher Key Rotation: The scheduled replacement of encryption keys used in the PAIR protocol to limit the time window during which compromised keys could expose user data. Secret keys (Ks) rotate every 30 days while advertiser and publisher keys rotate every 180 days, with overlapping periods to maintain system continuity. This rotation strategy balances security protection against operational complexity, ensuring that even successful key compromises have limited impact duration.

Cross-Party Learning Limitations: Technical and policy restrictions designed to prevent participants from gaining unauthorized insights about users not in their original datasets. These safeguards include algorithmic constraints on data analysis, restrictions on result granularity, and requirements for aggregate-only reporting. PAIR implementations must demonstrate that advertisers cannot learn about publisher audiences beyond the specific matched overlap, and vice versa, maintaining the privacy boundaries essential for industry trust.

Timeline