skip to main content
CookiePro Blog October 23, 2019

IAB CCPA Compliance Framework Technical Specifications Draft

We summarized the proposed IAB CCPA Compliance Framework in our post yesterday, so today we’re diving into some of the IAB CCPA Technical Specifications provided by the IAB Tech Lab that Framework Participants must follow:

1. U.S. Privacy String

The U.S. Privacy String determines the CCPA Opt-Out Storage Format. It contains information about disclosures made and choices selected by the website visitor regarding their consumer rights. The U.S. Privacy String contains:

  • General Metadata: Whether or not the U.S. Privacy Regulations apply to the consumer
  • Explicit Notice: If an “explicit notice” legal disclosure has been established
  • Opt-Out: If the consumer has opted-out of the sale of their personal information

What do I need to do?

If U.S. Privacy Regulations apply, Framework Stakeholders are expected to send the string as a payload with each impression to all third-parties who use that personal data. The third-party then interprets the signals to determine if they are able to process the user’s personal data.

2. U.S. Privacy User Signal API

The U.S. Privacy Signal (USP) is the CCPA Compliance Mechanism. It acts as a lightweight Application Programming Interface (API) that supports the communication of U.S. privacy signals, allowing the component to be loaded onto the webpage or app and communicate and interact with third-parties and vendors.

What do I need to do?

Your website is responsible for storing the string in a first-party cookie named “usprivacy” where the library can read and write to the cookie.

You must also provide a proxy for postMessage events targeted to the __uspapi interface sent from within nested iFrames and you must support the ‘getUSPData’ API command.

3. OpenRTB Extension for U.S. Privacy

The OpenRTB Extension specifies how to pass information pertaining to CCPA with Open Real-Time Bidding (RTB). Digital Properties and their Downstream Framework Participants that use Real-Time Bidding need to know when personal data in the bid request is subject to U.S. Privacy rules. The OpenRTB extension allows bid requests to include the U.S. Privacy Transparency and Choice signals representing the relationship and status between consumers and the Digital Property.

What do I need to do?

The OpenRTB Extension includes a new attribute “us_privacy” within the BidRequest object.

  • OpenRTB v2.2+: add the “us_privacy” attribute into the “ext” object within the “Reqs” object
  • OpenRTB v2.0-2.1: add the “us_privacy” attribute into the “ext” object within the “User” object

What’s Next?

The IAB Tech Lab is asking Digital Properties and stakeholders in the digital advertising industry to provide comments on the tech spec drafts by November 5, 2019. Shortly after, a final draft is intended to be released before CCPA goes into effect. Those who wish to comment on the Tech Specs should send their remarks to

The CookiePro team will continue to monitor this framework and provide updates to keep you informed.

CookiePro by OneTrust

CookiePro supports the new IAB Europe Transparency and Consent Framework version 2.0 (IAB TCF v2.0), Google AdSense and Ad Manager, Salesforce DMP, mParticle, FreeWheel, Adobe Advertising Cloud, Google AMP, OTT, Connected TV, social integrations like Facebook Pixel and Facebook Lookalike audiences, DAA AdChoices and dozens of other consent triggers and standard across mobile and web.

Recent Posts

What’s the Difference Between IAB TCF...
The Interactive Advertising Bureau (IAB) is gearing up for the […]
+ View Article
IAB TCF v2.0: Top 10 Things to Know
Ready to learn the nitty-gritty facts about this framework? Here’s a list of 10 top things you need to understand about the IAB TCF 2.0.
+ View Article
CookiePro + WordPress: Integration and...
The WordPress plugins from CookiePro offer different solutions to help you comply with global cookie laws. There are two: The CCPA Opt-Out...
+ View Article
Safari Announces Third-Party Cookie Blocking:...
Organizations relying on third-party cookies to facilitate the collection of user consent must make the shift to capturing first-party data...
+ View Article