What’s going on with IAB and the CCPA?
On October 22, 2019, the IAB and IAB Tech Lab released the CCPA Compliance Framework for Publishers and Technology Companies in response to the upcoming California Consumer Privacy Act (CCPA). This CCPA Compliance Framework is intended to help digital publishers and their supply chain partners comply with California’s data privacy legislation.
This CCPA Compliance Framework was created by the IAB Privacy and Compliance Unit, which brought together over 350 experts and representatives from different legal, public policy, and technology companies. These representatives created the framework for use by publishers and companies engaged in RTB (Real Time Bidding) transactions in the digital advertising industry.
Why exactly is this happening?
In June 2018, the CCPA was passed without any public hearings. Its goal is to give California consumers transparency and control over how their personal information is collected, used, and sold, but the CCPA is quite complex and lacks clarity.
Because of this, IAB member companies and other stakeholders asked the trade bureau and the Tech Lab to work on a standardized solution to help them comply with the law’s provisions, even as they continue to change and grow.
So, what’s the solution?
The proposed solution (IAB CCPA Compliance Framework) focuses on:
- The communication of information about California residents’ rights, including the right to opt-out of the sale of their personal information
- Proper communication to partners across the open internet supply chain about the California resident right to opt-out of sale of his/her personal information
- How partner companies must operate after a consumer has opted out of the sale of their personal information
The framework produces a binding relationship between Digital Properties and the Downstream Framework Participants to implement restrictions on the use of data and mechanisms for responsibility when a purchaser opts out of the sale of their information.
Who are the IAB CCPA Framework Participants?
The IAB CCPA Compliance Framework is for publishers and advertisers (also known as Digital Properties) and downstream framework participants that engage or support RTB (Real Time Bidding) transactions in the digital advertising industry.
These IAB CCPA Framework participants are:
- Signatories: Any company that signs the IAB Limited Service Provider Agreement.
- Publisher Digital Properties: Website or app owners that display ads to California residents
- Advertiser Digital Properties: Brands that operate or publish web pages that display ads to California residents
- Downstream Framework Participants: Agencies, SSPs (Supply-Side Platforms), DSPs (Demand-Side Platforms), ad servers, or publishers that receive personal information about California residents through the Publisher Digital Property or Advertiser Digital Property.
The IAB CCPA Framework Proposal Requirements
The framework requires participants to:
- Include information about the rights of consumers under CCPA.
- Explain in explicit, clear terms what will happen to the collected data and provide visitors with the opportunity to opt-out of the sale of their personal information.
- Add a “Do Not Sell My Personal Information” link on their website or app with an explicit notice that sends a signal to downstream framework participants when clicked or preset the signal to opt-out.
- Communicate to downstream framework participants via corresponding signals that disclosures were given.
The IAB CCPA Framework Guidelines
The following guidelines are provided by the framework:
- How publishers should communicate information about California residents’ rights, including the ability to opt-out of the sale of their personal information.
- How publishers should communicate to partners across the open internet supply chain that a California resident has opted out of the sale of his or her personal information.
- How partner companies must operate after a consumer has opted out of the sale of their personal information.
The IAB CCPA Framework Components
There are two main components of the framework:
- A contract that binds supply chain partners to behaviors to meet the law’s provisions
- Technical specifications to guide companies on how to implement the contract
The IAB Technical Specifications
According to the IAB Tech Lab, here are the specifications that Framework Participants must follow:
- IAB Tech Lab U.S. Privacy String (CCPA Opt-Out Storage Format)
- IAB Tech Lab U.S. Privacy User Signal API (CCPA Compliance Mechanism)
- IAB Tech Lab U.S. Privacy OpenRTB Extension (For CCPA Compliance)
IAB Tech Lab U.S. Privacy String
The U.S. Privacy String defines the CCPA Opt-Out Storage Format. It comprises information about disclosures made and choices selected by the website visitor regarding their consumer rights. The U.S. Privacy String contains:
- General Metadata: Whether or not the U.S. Privacy Regulations apply to the consumer
- Explicit Notice: If an “explicit notice” legal disclosure has been established
- Opt-Out: If the consumer has opted out of the sale of their personal information
Framework Stakeholders are expected to send the U.S. Privacy String as a payload with each impression to all third parties who use that personal data. The third party then interprets the signals to determine if they are able to process the user’s personal data.
IAB Tech Lab U.S. Privacy User Signal API
The U.S. Privacy Signal (USP) is the CCPA Compliance Mechanism. It acts as an Application Programming Interface (API) that supports the communication of U.S. privacy signals. This allows the element to be loaded onto the website or app in order to communicate with third parties and vendors.
Websites are responsible for storing the U.S. Privacy String in a cookie named “usprivacy” where the library can read and write to the cookie.
IAB Tech Lab U.S. Privacy OpenRTB Extension
The OpenRTB Extension specifies how to pass information pertaining to the CCPA with Open Real-Time Bidding. Digital Properties and their Downstream Framework Participants that use Real-Time Bidding need to know when personal data in the bid request is subject to U.S. Privacy rules. The OpenRTB extension allows bid requests to include the U.S. Privacy Transparency and Choice signals representing the relationship and status between consumers and the Digital Property.
The OpenRTB Extension includes a new attribute “us_privacy” within the BidRequest object.
- OpenRTB v2.2+: add the “us_privacy” attribute into the “ext” object within the “Regs” object
- OpenRTB v2.0-2.1: add the “us_privacy” attribute into the “ext” object within the “User” object
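The storage format, the “usprivacy” cookie and the OpenRTB placement described above, combined in one added example that is not code from the IAB or from this article. The four-character layout comes from version 1 of the IAB Tech Lab U.S. Privacy String specification; the function names and the fail-closed policy are assumptions of the example.

```javascript
// Added example; function names are hypothetical, not from any IAB library.
// Version 1 layout per the IAB Tech Lab U.S. Privacy String spec, 4 characters:
// [0] version, [1] explicit notice, [2] opt-out of sale, [3] LSPA covered.
// Flags are Y, N or "-" (not applicable); "1---" means CCPA does not apply.
const USP_V1 = /^1[YN-]{3}$/; // this example accepts uppercase flags only

function parseUsPrivacy(str) {
  if (typeof str !== "string" || !USP_V1.test(str)) return null; // malformed
  return { version: 1, applies: str !== "1---",
           explicitNotice: str[1], optOutSale: str[2], lspaCovered: str[3] };
}

// Extract the "usprivacy" cookie from a document.cookie-style string.
function readUsPrivacyCookie(cookies) {
  for (const pair of cookies.split(";")) {
    const i = pair.indexOf("=");
    if (i > 0 && pair.slice(0, i).trim() === "usprivacy") return pair.slice(i + 1).trim();
  }
  return null;
}

// Assumption of this example: the recipient fails closed, so a missing or
// malformed string is handled like an opt-out.
function saleAllowed(str) {
  const p = parseUsPrivacy(str);
  return p !== null && (!p.applies || p.optOutSale !== "Y");
}

// Put the string where each OpenRTB 2.x version expects it:
// regs.ext.us_privacy for 2.2+, user.ext.us_privacy for 2.0-2.1.
function attachUsPrivacy(bidRequest, str, ortbVersion) {
  if (parseUsPrivacy(str) === null) throw new Error("invalid U.S. Privacy String");
  const [major, minor] = ortbVersion.split(".").map(Number);
  if (major !== 2) throw new Error("this example covers OpenRTB 2.x only");
  const key = minor >= 2 ? "regs" : "user";
  const target = bidRequest[key] || {};
  return { ...bidRequest,
           [key]: { ...target, ext: { ...(target.ext || {}), us_privacy: str } } };
}

// Constructed sample input.
const sampleCookies = "session=abc123; usprivacy=1YYN; theme=dark";
const sampleUsp = readUsPrivacyCookie(sampleCookies);
console.log(parseUsPrivacy(sampleUsp), saleAllowed(sampleUsp));
console.log(JSON.stringify(attachUsPrivacy({ id: "req-1", regs: { coppa: 0 } }, sampleUsp, "2.5")));
```

Validating the string before it is attached keeps a corrupted cookie value from being forwarded to downstream participants as if it were a real signal.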
IAB and the IAB Tech Lab are asking those in the digital advertising supply chain to provide input on their draft framework no later than November 5, 2019, after which they intend to release a finalized version for companies to adopt before the CCPA takes effect on January 1, 2020. Those who wish to comment on the Framework should send their remarks to [email protected].