IAB Releases CCPA Compliance Framework Draft
Yesterday, the IAB and IAB Tech Lab released the CCPA Compliance Framework for Publishers and Technology Companies for public comment in response to the upcoming California Consumer Privacy Act (CCPA).
The CCPA Compliance Framework was crafted by the IAB Privacy and Compliance Unit, which includes representatives and experts from legal, public policy, and technology companies. The multi-stakeholder unit created the framework to be used by publishers and technology companies engaged in RTB (Right to Bid) transactions in the digital advertising industry.
In this post, we’ll walk through the new framework and the technical specifications.
Who are the IAB CCPA Framework Participants?
The proposed framework is intended to be used by publishers and advertisers (otherwise known as Digital Properties) and downstream framework participants that engage or support RTB (Right To Bid) transactions in the digital advertising industry.
- Signatories: Any company that signs the IAB Limited Service Provider Agreement.
- Publisher Digital Properties: Website or app owners that display ads to California residents
- Advertiser Digital Properties: Brands that operate or publish web pages that display ads to California residents
- Downstream Framework Participants: Agencies, SSPs (Supply-Side Platforms), DSPs (Demand-Side Platforms), ad servers, or publishers that receive personal information about California residents through the Publisher Digital Property or Advertiser Digital Property.
The framework creates a contractual relationship between Digital Properties and the Downstream Framework Participants to enforce limitations on the use of data and mechanisms for accountability when a consumer opts-out of the sale of their information.
The framework requires participants to:
- Include information about the rights of consumers under CCPA
- Explain in explicit, clear terms what will happen to the collected data and provide visitors with the opportunity to opt-out of the sale of their personal information. (What is The California Explicit Notice?)
- Add a “Do Not Sell My Personal Information” link on their website or app with an explicit notice that sends a signal to downstream framework participants when clicked or preset the signal to opt-out.
- Communicate to downstream framework participants via corresponding signals that disclosures were given
The framework provides the following guidelines:
- How publishers should communicate information about California residents’ rights, including the ability to opt-out of the “sale” of their personal information
- How publishers should communicate to partners across the open internet supply chain that a California resident has opted out of the sale of his or her personal information
- How partner companies must operate after a consumer has opted out of the sale of their personal information
There are two main components of the framework:
- A contract that binds supply chain partners to behaviors to meet the law’s provisions
- Technical specifications to guide companies on how to implement the contract
The Do Not Sell Rule
Companies that collect and sell California resident’s personal information and operate websites must provide a clear and conspicuous link on their website, titled “Do Not Sell My Personal Information“. This link or button must allow the consumer or person authorized by the consumer, to opt-out of the sale of their personal information.
Depending on how this is implemented and how many consumers choose to opt-out, “do not sell” could be disruptive to publisher ad revenues and data companies.
IAB and IAB Tech Lab are asking publishers and participants in the digital advertising industry to provide feedback on the draft by November 5, 2019. Shortly after, a final draft is intended to be released before CCPA goes into effect. Those who wish to comment on the Framework should send their remarks to [email protected].
The CookiePro team will continue to monitor this framework and provide updates to keep you informed.
CCPA Do Not Sell WordPress Plugin
If you have a WordPress website, the CookiePro CCPA Do Not Sell Plugin offers an easy-to-use interface where you can customize and embed a floating action button or link on your website to give visitors the ability to exercise their rights and opt-out of personalized advertisements.
CookiePro by OneTrust
CookiePro supports the new IAB Europe Transparency and Consent Framework version 2.0 (IAB TCF v2.0), Google AdSense and Ad Manager, Salesforce DMP, mParticle, FreeWheel, Adobe Advertising Cloud, Google AMP, OTT, Connected TV, social integrations like Facebook Pixel and Facebook Lookalike audiences, DAA AdChoices and dozens of other consent triggers and standard across mobile and web.