IAB CCPA Compliance Framework V1 Finalized
Today, the IAB Tech Lab released version 1.0 of the technical specifications for the IAB CCPA Compliance Framework. Crafted by the IAB Privacy and Compliance Unit, the framework is to be used by publishers and technology companies engaged in Real-time Bidding (RTB) transactions in the digital advertising industry.
The IAB is actively encouraging digital property owners and ad platforms to begin their technical implementation efforts and comply with the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.
What is the IAB CCPA Compliance Framework?
The IAB CCPA Compliance Framework was created to provide an industry framework that publishers, advertisers and ad tech platforms can use as part of their CCPA compliance efforts.
According to the IAB Tech Lab, the framework was built to:
- Help publishers who “sell” personal information communicate with tech companies that they sell it to. Publishers that do not “sell” personal information can still leverage the Framework due to the service provider relationships that are created and facilitated by it.
- Create “service provider” relationships between publishers and technology companies so that limitations on the use of data and mechanisms for accountability can be imposed when the consumer opts out of a “sale”.
- Allow Ad Tech Vendors to receive assurances that participating publishers will provide California consumers with explicit notice and the opportunity to opt out of the sale of their personal information.
- Provide publishers with assurances that participating ad tech companies and vendors will use data pursuant to limited CCPA permitted “business purposes” when California consumers exercise their right to opt out of the sale of their personal information.
Public Comment Period
The IAB CCPA Compliance Framework Draft was in public comment until November 5th. The finalized specifications have been updated, and the IAB Tech Lab working group has developed a roadmap for continued iterations.
Based on the feedback, the Tech Lab was encouraged to add another signal to the string format. As a result, the main difference in the final v1 specifications is a signal within the U.S. Privacy String that lets a participating publisher flag whether a given transaction should be subject to the terms set forth in the Limited Service Provider Agreement.
Finalized Technical Specs
In this post, we’ll dive into some of the IAB CCPA Technical Specifications provided by the IAB Tech Lab that Framework Participants must follow:
- IAB Tech Lab U.S. Privacy String (CCPA Opt-Out Storage Format)
- IAB Tech Lab U.S. Privacy User Signal API (CCPA Compliance Mechanism)
- IAB Tech Lab U.S. Privacy OpenRTB Extension (For CCPA Compliance)
1. U.S. Privacy String
The U.S. Privacy String determines the CCPA Opt-Out Storage Format. It contains information about disclosures made and choices selected by the website visitor regarding their consumer rights. The U.S. Privacy String contains:
- General Metadata: Whether or not the U.S. Privacy Regulations apply to the consumer
- Explicit Notice: If an “explicit notice” legal disclosure has been established
- Opt-Out: If the consumer has opted out of the sale of their personal information
What do I need to do?
If U.S. Privacy Regulations apply, Framework Stakeholders are expected to send the string as a payload with each impression to all third parties who use that personal data. Each third party then interprets the signals to determine whether it is able to process the user’s personal data.
2. U.S. Privacy User Signal API
The U.S. Privacy Signal (USP) is the CCPA Compliance Mechanism. It acts as a lightweight Application Programming Interface (API) that supports the communication of U.S. privacy signals: the component is loaded onto the webpage or app, where it communicates and interacts with third parties and vendors.
What do I need to do?
Your website is responsible for storing the string in a first-party cookie named “usprivacy”, which the library can read and write.
You must also provide a proxy for postMessage events targeted to the __uspapi interface sent from within nested iframes, and you must support the ‘getUSPData’ API command.
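The following sketch is an added example, not code from the IAB Tech Lab or CookiePro: it serves ‘getUSPData’ from the “usprivacy” cookie and answers a nested frame's postMessage call, rejecting any cookie value that is not a well-formed string. The helper names (readUspCookie, makeUspApi, handleFrameMessage) are hypothetical; the `__uspapiCall` / `__uspapiReturn` message shapes and the four-character string layout follow the IAB specification rather than anything shown on this page.

```javascript
// Added example (not IAB or CookiePro code). Cookie text and the reply
// function are injected so the logic also runs outside a browser.
const USP_RE = /^1[YN-]{3}$/i; // version 1 + notice, opt-out, LSPA flags

// Return the validated "usprivacy" cookie value, or null if absent/malformed.
function readUspCookie(cookieText) {
  for (const part of String(cookieText).split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== 'usprivacy') continue;
    const value = part.slice(eq + 1).trim();
    // Either case is accepted and normalized (a choice made for this example).
    return USP_RE.test(value) ? value.toUpperCase() : null;
  }
  return null;
}

// Build a __uspapi(command, version, callback) function over a cookie source.
function makeUspApi(getCookieText) {
  return function __uspapi(command, version, callback) {
    if (typeof callback !== 'function') return;
    if (command !== 'getUSPData' || version !== 1) return callback(null, false);
    const uspString = readUspCookie(getCookieText());
    if (uspString === null) return callback(null, false);
    callback({ version: 1, uspString }, true);
  };
}

// postMessage proxy: answer a __uspapiCall that arrived from a nested frame.
// `reply` sends the object back to the calling frame (event.source in a page).
function handleFrameMessage(uspapi, event, reply) {
  const call = event && event.data && event.data.__uspapiCall;
  if (!call || typeof call !== 'object') return false; // not a USP call: ignore
  uspapi(call.command, call.version, (returnValue, success) => {
    reply({ __uspapiReturn: { returnValue, success, callId: call.callId } });
  });
  return true;
}
```

In a page, `getCookieText` would return `document.cookie` and `handleFrameMessage` would be called from a `message` event listener on the top window.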
3. OpenRTB Extension for U.S. Privacy
The OpenRTB Extension specifies how to pass information pertaining to CCPA with Open Real-Time Bidding (RTB). Digital Properties and their Downstream Framework Participants that use Real-Time Bidding need to know when personal data in the bid request is subject to U.S. Privacy rules. The OpenRTB extension allows bid requests to include the U.S. Privacy Transparency and Choice signals representing the relationship and status between consumers and the Digital Property.
What do I need to do?
The OpenRTB Extension includes a new attribute “us_privacy” within the BidRequest object.
- OpenRTB v2.2+: add the “us_privacy” attribute into the “ext” object within the “Regs” object
- OpenRTB v2.0-2.1: add the “us_privacy” attribute into the “ext” object within the “User” object
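As an added example (not part of the IAB specification text or any vendor's code), the sketch below decodes a U.S. Privacy String into the signals listed in section 1 and attaches it to a bid request at the location given above for each OpenRTB version. The function names and the sample bid requests are constructed for illustration; the four-character layout (version, then Y/N/- for notice, opt-out and Limited Service Provider Agreement) comes from the IAB specification, not from this page.

```javascript
// Added example. parseUsPrivacy and attachUsPrivacy are hypothetical names.
const FLAG = { Y: true, N: false, '-': null }; // '-' means "not applicable"

// Decode a version-1 U.S. Privacy String; return null for anything malformed.
function parseUsPrivacy(s) {
  if (typeof s !== 'string' || !/^1[YN-]{3}$/i.test(s)) return null;
  const [, notice, optOut, lspa] = s.toUpperCase();
  return {
    version: 1,
    applies: s !== '1---',          // "1---": the regulation does not apply
    explicitNotice: FLAG[notice],   // explicit notice was given
    optOutSale: FLAG[optOut],       // consumer opted out of the sale
    lspaCovered: FLAG[lspa],        // transaction covered by the LSPA
  };
}

// Return a copy of bidRequest carrying us_privacy where the extension expects
// it: regs.ext for OpenRTB 2.2+, user.ext for 2.0-2.1. Existing ext keys are
// preserved, and a malformed string is refused instead of being forwarded.
function attachUsPrivacy(bidRequest, uspString, ortbVersion) {
  if (parseUsPrivacy(uspString) === null) {
    throw new TypeError('malformed us_privacy string');
  }
  const [major, minor] = String(ortbVersion).split('.').map(Number);
  const key = major > 2 || (major === 2 && minor >= 2) ? 'regs' : 'user';
  const holder = bidRequest[key] || {};
  const ext = { ...(holder.ext || {}), us_privacy: uspString.toUpperCase() };
  return { ...bidRequest, [key]: { ...holder, ext } };
}

// Constructed sample bid requests (not real traffic).
const modern = attachUsPrivacy({ id: 'req-1', regs: { ext: { gdpr: 0 } } }, '1YYN', '2.5');
const legacy = attachUsPrivacy({ id: 'req-2' }, '1YYN', '2.1');
console.log(JSON.stringify(modern), JSON.stringify(legacy));
```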
CCPA Opt-Out Builder
CookiePro recently launched a free CCPA Opt-Out Solution that helps website owners, publishers and advertisers comply with CCPA and the IAB CCPA Compliance Framework. The builder easily enables you to create a Do Not Sell notice that allows visitors to exercise their rights and opt out of personalized advertisements.
Opt-Out Builder Features
How It Works
Use the CookiePro builder to easily customize and embed a “Do Not Sell My Personal Information” link on your website for visitors to exercise their rights and opt out of personalized advertisements.