IAB and CCPA: Let’s get technical

October 31, 2019

What’s going on with IAB and the CCPA?

On October 22, 2019, the IAB and IAB Tech Lab released the CCPA Compliance Framework for Publishers and Technology Companies in response to the upcoming California Consumer Privacy Act (CCPA). The framework is intended to help digital publishers and their supply chain partners comply with California’s data privacy legislation.

This CCPA Compliance Framework was created by the IAB Privacy and Compliance Unit, which brought together over 350 experts and representatives from different legal, public policy, and technology companies. These representatives created the framework for use by publishers and companies engaged in RTB (Real Time Bidding) transactions in the digital advertising industry.

Why exactly is this happening?

In June 2018, the CCPA was passed without any public hearings. Its goal is to give California consumers transparency and control over how their personal information is collected, used, and sold, but the CCPA is quite complex and lacks clarity.

Because of this, IAB member companies and other stakeholders asked the trade bureau and the Tech Lab to work on a standardized solution to help them comply with the law’s provisions, even as they continue to change and grow.

So, what’s the solution?

The proposed solution (IAB CCPA Compliance Framework) focuses on:

  • The communication of information about California residents’ rights, including the right to opt-out of the sale of their personal information
  • Proper communication to partners across the open internet supply chain about the California resident right to opt-out of sale of his/her personal information
  • How partner companies must operate after a consumer has opted out of the sale of their personal information

The framework produces a binding relationship between Digital Properties and the Downstream Framework Participants to implement restrictions on the use of data and mechanisms for responsibility when a purchaser opts-out of the sale of their information.

Who are the IAB CCPA framework participants?

The IAB CCPA Compliance Framework is for publishers and advertisers (also known as Digital Properties) and downstream framework participants that engage or support RTB (Real Time Bidding) transactions in the digital advertising industry.

These IAB CCPA Framework participants are:

  • Signatories: Any company that signs the IAB Limited Service Provider Agreement.
  • Publisher Digital Properties: Website or app owners that display ads to California residents
  • Advertiser Digital Properties: Brands that operate or publish web pages that display ads to California residents
  • Downstream Framework Participants: Agencies, SSPs (Supply-Side Platforms), DSPs (Demand-Side Platforms), ad servers, or publishers that receive personal information about California residents through the Publisher Digital Property or Advertiser Digital Property.

The IAB CCPA framework proposal requirements

The framework requires participants to:

  • Include information about the rights of consumers under CCPA.
  • Explain in explicit, clear terms what will happen to the collected data and provide visitors with the opportunity to opt-out of the sale of their personal information.
  • Add a “Do Not Sell My Personal Information” link on their website or app with an explicit notice that sends a signal to downstream framework participants when clicked or preset the signal to opt-out.
  • Communicate to downstream framework participants via corresponding signals that disclosures were given.

The IAB CCPA framework guidelines

The following guidelines are provided by the framework:

  • How publishers should communicate information about California residents’ rights, including the ability to opt-out of the sale of their personal information.
  • How publishers should communicate to partners across the open internet supply chain that a California resident has opted out of the sale of his or her personal information.
  • How partner companies must operate after a consumer has opted-out of the sale of their personal information.

The IAB CCPA framework components

There are two main components of the framework:

  • A contract that binds supply chain partners to behaviors to meet the law’s provisions
  • Technical specifications to guide companies on how to implement the contract

The IAB technical specifications

According to the IAB Tech Lab, here are the specifications that Framework Participants must follow:

IAB Tech Lab U.S. Privacy String

The U.S. Privacy String defines the CCPA Opt-Out Storage Format. It comprises information about disclosures made and choices selected by the website visitor regarding their consumer rights. The U.S. Privacy String contains:

  • General Metadata: Whether or not the U.S. Privacy Regulations apply to the consumer
  • Explicit Notice: If an “explicit notice” legal disclosure has been established
  • Opt-Out: If the consumer has opted-out of the sale of their personal information

Framework Stakeholders are expected to send the U.S. Privacy String as a payload with each impression to all third parties who use that personal data. The third party then interprets the signals to determine whether it is able to process the user’s personal data.

IAB Tech Lab U.S. Privacy User Signal API

The U.S. Privacy Signal (USP) is the CCPA Compliance Mechanism. It acts as an Application Programming Interface (API) that supports the communication of U.S. privacy signals. This allows the element to be loaded onto the website or app in order to communicate with third parties and vendors.

Websites are responsible for storing the U.S. Privacy String in a cookie named “usprivacy” where the library can read and write to the cookie.

IAB Tech Lab U.S. Privacy OpenRTB Extension

The OpenRTB Extension specifies how to pass information pertaining to the CCPA with Open Real-Time Bidding. Digital Properties and their Downstream Framework Participants that use Real-Time Bidding need to know when personal data in the bid request is subject to U.S. Privacy rules. The OpenRTB extension allows bid requests to include the U.S. Privacy Transparency and Choice signals representing the relationship and status between consumers and the Digital Property.

The OpenRTB Extension includes a new attribute “us_privacy” within the BidRequest object.

  • OpenRTB v2.2+: add the “us_privacy” attribute into the “ext” object within the “Regs” object
  • OpenRTB v2.0-2.1: add the “us_privacy” attribute into the “ext” object within the “User” object
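
The string format, the “usprivacy” cookie and the OpenRTB placement described above fit together as in the following added example, which is not code from the IAB or from this post. It assumes the version 1 string layout (a version digit followed by three Y/N/- flags for explicit notice, opt-out of sale and LSPA coverage); the function names and the sample cookie are hypothetical.

```javascript
// Added example. U.S. Privacy String v1 layout: version, explicit notice,
// opt-out of sale, LSPA covered transaction. Each flag is Y, N or "-" (n/a).
const USP_V1 = /^1[YN-]{3}$/;

// Parse a raw string; returns null for anything that is not a valid v1 string.
function parseUsPrivacy(raw) {
  if (typeof raw !== "string") return null;
  const s = raw.trim().toUpperCase();
  if (!USP_V1.test(s)) return null;
  return { raw: s, version: 1, explicitNotice: s[1], optOutSale: s[2], lspaCovered: s[3] };
}

// Read the "usprivacy" cookie from a Cookie header / document.cookie value.
function readUspCookie(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim() === "usprivacy") {
      try { return decodeURIComponent(part.slice(eq + 1).trim()); } catch (e) { return null; }
    }
  }
  return null;
}

// Fail closed (a choice made in this example): a missing or malformed signal
// is treated like an opt-out rather than silently ignored.
function saleRestricted(parsed) {
  return parsed === null || parsed.optOutSale === "Y";
}

// Copy the validated string into the bid request at the location the
// extension defines: regs.ext for OpenRTB 2.2+, user.ext for 2.0-2.1.
function attachUsPrivacy(bidRequest, parsed, openRtbVersion) {
  if (parsed === null) return bidRequest; // never forward unvalidated cookie data
  const key = openRtbVersion >= 2.2 ? "regs" : "user";
  const target = { ...(bidRequest[key] || {}) };
  target.ext = { ...(target.ext || {}), us_privacy: parsed.raw };
  return { ...bidRequest, [key]: target };
}

// Constructed sample input, not captured traffic.
const cookie = "session=abc123; usprivacy=1YYN; theme=dark";
const parsed = parseUsPrivacy(readUspCookie(cookie));
const request = attachUsPrivacy({ id: "req-1", imp: [] }, parsed, 2.5);
console.log(saleRestricted(parsed), JSON.stringify(request));
```

Validating the cookie value against the fixed four-character pattern before copying it into a bid request keeps arbitrary client-controlled data out of the payload sent to downstream participants.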

What’s next?

IAB and the IAB Tech Lab are asking those in the digital advertising supply chain to provide input on their draft framework no later than November 5, 2019, after which they intend to release a finalized version for companies to adopt before the CCPA takes effect on January 1, 2020. Those who wish to comment on the Framework should send their remarks to privacy@iab.com.

