IAB CCPA Compliance Framework Technical Specifications Draft

We summarized the proposed IAB CCPA Compliance Framework in our post yesterday, so today we’re diving into some of the IAB CCPA Technical Specifications provided by the IAB Tech Lab that Framework Participants must follow:

• IAB Tech Lab U.S. Privacy String (CCPA Opt-Out Storage Format)
• IAB Tech Lab U.S. Privacy User Signal API (CCPA Compliance Mechanism)
• IAB Tech Lab U.S. Privacy OpenRTB Extension (For CCPA Compliance)

1. U.S. Privacy String

The U.S. Privacy String determines the CCPA Opt-Out Storage Format. It contains information about disclosures made and choices selected by the website visitor regarding their consumer rights. The U.S. Privacy String contains:

• General Metadata: Whether or not the U.S. Privacy Regulations apply to the consumer
• Explicit Notice: If an “explicit notice” legal disclosure has been established
• Opt-Out: If the consumer has opted-out of the sale of their personal information

What do I need to do?

If U.S. Privacy Regulations apply, Framework Stakeholders are expected to send the string as a payload with each impression to all third-parties who use that personal data. The third-party then interprets the signals to determine if they are able to process the user’s personal data.

2. U.S. Privacy User Signal API

The U.S. Privacy Signal (USP) is the CCPA Compliance Mechanism. It acts as a lightweight Application Programming Interface (API) that supports the communication of U.S. privacy signals, allowing the component to be loaded onto the webpage or app and communicate and interact with third-parties and vendors.

What do I need to do?

Your website is responsible for storing the string in a first-party cookie named “usprivacy” where the library can read and write to the cookie.

You must also provide a proxy for postMessage events targeted to the __uspapi interface sent from within nested iFrames and you must support the ‘getUSPData’ API command.

3. OpenRTB Extension for U.S. Privacy

The OpenRTB Extension specifies how to pass information pertaining to CCPA with Open Real-Time Bidding (RTB). Digital Properties and their Downstream Framework Participants that use Real-Time Bidding need to know when personal data in the bid request is subject to U.S. Privacy rules. The OpenRTB extension allows bid requests to include the U.S. Privacy Transparency and Choice signals representing the relationship and status between consumers and the Digital Property.

What do I need to do?

The OpenRTB Extension includes a new attribute “us_privacy” within the BidRequest object.

• OpenRTB v2.2+: add the “us_privacy” attribute into the “ext” object within the “Reqs” object
• OpenRTB v2.0-2.1: add the “us_privacy” attribute into the “ext” object within the “User” object

What’s Next?

The IAB Tech Lab is asking Digital Properties and stakeholders in the digital advertising industry to provide comments on the tech spec drafts by November 5, 2019. Shortly after, a final draft is intended to be released before CCPA goes into effect. Those who wish to comment on the Tech Specs should send their remarks to [email protected].

The CookiePro team will continue to monitor this framework and provide updates to keep you informed.

---

CookiePro by OneTrust

CookiePro supports the new IAB Europe Transparency and Consent Framework version 2.0 (IAB TCF v2.0), Google AdSense and Ad Manager, Salesforce DMP, mParticle, FreeWheel, Adobe Advertising Cloud, Google AMP, OTT, Connected TV, social integrations like Facebook Pixel and Facebook Lookalike audiences, DAA AdChoices and dozens of other consent triggers and standard across mobile and web.