IAB Releases CCPA Compliance Framework Draft

Yesterday, the IAB and IAB Tech Lab released the CCPA Compliance Framework for Publishers and Technology Companies for public comment in response to the upcoming California Consumer Privacy Act (CCPA).

The CCPA Compliance Framework was crafted by the IAB Privacy and Compliance Unit, which includes representatives and experts from legal, public policy, and technology companies. The multi-stakeholder unit created the framework to be used by publishers and technology companies engaged in Real-time Bidding (RTB) transactions in the digital advertising industry.

In this post, we’ll walk through the new framework and the technical specifications.

Who are the IAB CCPA Framework Participants?

The proposed framework is intended to be used by publishers and advertisers (otherwise known as Digital Properties) and downstream framework participants that engage or support RTB (Right To Bid) transactions in the digital advertising industry.

• Signatories: Any company that signs the IAB Limited Service Provider Agreement.
• Publisher Digital Properties: Website or app owners that display ads to California residents
• Advertiser Digital Properties: Brands that operate or publish web pages that display ads to California residents
• Downstream Framework Participants: Agencies, SSPs (Supply-Side Platforms), DSPs (Demand-Side Platforms), ad servers, or publishers that receive personal information about California residents through the Publisher Digital Property or Advertiser Digital Property.

Proposed Framework

The framework creates a contractual relationship between Digital Properties and the Downstream Framework Participants to enforce limitations on the use of data and mechanisms for accountability when a consumer opts-out of the sale of their information.

Requirements

The framework requires participants to:

• Include information about the rights of consumers under CCPA
• Explain in explicit, clear terms what will happen to the collected data and provide visitors with the opportunity to opt-out of the sale of their personal information. (What is The California Explicit Notice?)
• Add a “Do Not Sell My Personal Information” link on their website or app with an explicit notice that sends a signal to downstream framework participants when clicked or preset the signal to opt-out.
• Communicate to downstream framework participants via corresponding signals that disclosures were given

Guidelines

The framework provides the following guidelines:

• How publishers should communicate information about California residents’ rights, including the ability to opt-out of the “sale” of their personal information
• How publishers should communicate to partners across the open internet supply chain that a California resident has opted out of the sale of his or her personal information
• How partner companies must operate after a consumer has opted out of the sale of their personal information

Components

There are two main components of the framework:

• A contract that binds supply chain partners to behaviors to meet the law’s provisions
• Technical specifications to guide companies on how to implement the contract

The Do Not Sell Rule

Companies that collect and sell California resident’s personal information and operate websites must provide a clear and conspicuous link on their website, titled “Do Not Sell My Personal Information“. This link or button must allow the consumer or person authorized by the consumer, to opt-out of the sale of their personal information.

Depending on how this is implemented and how many consumers choose to opt-out, “do not sell” could be disruptive to publisher ad revenues and data companies.

Now What?

IAB and IAB Tech Lab are asking publishers and participants in the digital advertising industry to provide feedback on the draft by November 5, 2019. Shortly after, a final draft is intended to be released before CCPA goes into effect. Those who wish to comment on the Framework should send their remarks to [email protected].

The CookiePro team will continue to monitor this framework and provide updates to keep you informed.

---

CCPA Opt-Out Solution

CookiePro recently launched a free CCPA Opt-Out Solution that helps website owners, publishers and advertisers comply with CCPA and the IAB CCPA Compliance Framework. The builder easily enables you to create a Do Not Sell notice that allows visitors to exercise their rights and opt out of personalized advertisements.

CCPA Do Not Sell WordPress Plugin

If you have a WordPress website, the CookiePro CCPA Do Not Sell Plugin offers an easy-to-use interface where you can customize and embed a floating action button or link on your website to give visitors the ability to exercise their rights and opt-out of personalized advertisements.

When a visitor clicks on the Do Not Sell button, a modal pops up with key information such as links to your privacy policy and consumer request form, as well as contact information (email address + phone number). Using CookiePro CCPA Consumer Rights Management, businesses can set up both an online intake form for consumer requests and a toll-free number for phone requests.

CookiePro by OneTrust

CookiePro supports the new IAB Europe Transparency and Consent Framework version 2.0 (IAB TCF v2.0), Google AdSense and Ad Manager, Salesforce DMP, mParticle, FreeWheel, Adobe Advertising Cloud, Google AMP, OTT, Connected TV, social integrations like Facebook Pixel and Facebook Lookalike audiences, DAA AdChoices and dozens of other consent triggers and standard across mobile and web.

Resources:

• IAB CCPA Compliance Framework Draft
• IAB CCPA Technical Specifications
  • IAB Tech Lab U.S. Privacy String (CCPA Opt-Out Storage Format)
  • IAB Tech Lab U.S. Privacy User Signal API (CCPA Compliance Mechanism)
  • IAB Tech Lab U.S. Privacy OpenRTB Extension (For CCPA Compliance)
• California Explicit Notice