What is the IAB U.S. Privacy String?

The U.S. Privacy String was established by the IAB (Interactive Advertising Bureau) in response to the California Consumer Privacy Act (CCPA). This U.S. privacy string is a cookie that stores information about disclosures made and choices selected by the website visitor regarding their consumer rights. Publishers and advertisers then use this cookie to pass along the information to their downstream framework participants or technology partners. This ensures the website visitor doesn’t have to opt-out multiple times and also creates a limited-service provider contract when consumers visit the digital property.

The U.S. Privacy String contains:

• General Metadata: Information about whether or not the U.S. Privacy Regulations apply to the consumer.
• Explicit Notice: If an “explicit notice” legal disclosure has been established, the U.S. Privacy String will note this.
• Opt-Out: Details if the consumer has opted-out of the sale of their personal information.

What do I need to do?

If U.S. Privacy Regulations apply, Framework Participants (Publisher & Advertiser Digital Properties) are expected to send the string as a payload with each impression to all third-parties who use that personal data. The third-party then interprets the signals to determine if they are able to process the user’s personal data.

What’s the Format?

The U.S. Privacy String consists of the following components:

• Specification Version: Number that represents the version of the string specification
• Explicit Notice: ENUM that represents if explicit notice has been provided (N = No, Y = Yes, – = Not Applicable)
• Opt-Out Sale: ENUM that represents if the user has opted-out of the sale of their data (N = No, Y = Yes, – = Not Applicable)