What’s going on with IAB and the CCPA? 

On October 22, 2019, the IAB and IAB Tech Lab released the CCPA Compliance Framework for Publishers and Technology Companies in response to the upcoming California Consumer Privacy Act (CCPA). This CCPA Compliance Framework is to help digital publishers and their supply chain partners comply with California’s data privacy legislation. 

This CCPA Compliance Framework was created by the IAB Privacy and Compliance Unit, which brought together over 350 experts and representatives from different legal, public policy, and technology companies. These representatives created the framework for use by publishers and companies engaged in RTB (Real Time Bidding) transactions in the digital advertising industry. 

Why exactly is this happening? 

In June 2018, the CCPA was passed without any public hearings. With a goal to give California consumers the transparency and control over how their personal information is collected, used, and sold, but the CCPA is quite complex and lacks clarity. 

Because of this, IAB member companies and other stakeholders asked the trade bureau and the Tech Lab to work on a standardized solution to help them comply with the law’s provisions, even as they continue to change and grow. 

So, what’s the solution? 

The proposed solution (IAB CCPA Compliance Framework) focuses on: 

The framework produces a binding relationship between Digital Properties and the Downstream Framework Participants to implement restrictions on the use of data and mechanisms for responsibility when a purchaser opts-out of the sale of their information. 

Who are the IAB CCPA Framework Participants? 

The IAB CCPA Compliance Framework is for publishers and advertisers (also known as Digital Properties) and downstream framework participants that engage or support RTB (Real Time Bidding) transactions in the digital advertising industry. 

These IAB CCPA Framework participants are: 

The IAB CCPA Framework Proposal Requirements 

The framework requires participants to: 

The IAB CCPA Framework Guidelines 

The following guidelines are provided by the framework: 

The IAB CCPA Framework Components 

There are two main components of the framework: 

The IAB Technical Specifications 

According to the IAB tech Lab, here are the specifications that Framework Participants must follow: 

IAB Tech Lab U.S. Privacy String 

The U.S. Privacy String defines the CCPA Opt-Out Storage Format. It comprises information about disclosures made and choices selected by the website visitor regarding their consumer rights. The U.S. Privacy String contains: 

Framework Stakeholders are expected to send the U.S. Privacy String as a payload with each impression to all third parties who use that personal data. The third-party then interprets the signals to determine if they are able to process the user’s personal data. 

IAB Tech Lab U.S. Privacy User Signal API 

The U.S. Privacy Signal (USP) is the CCPA Compliance Mechanism. It acts as an Application Programming Interface (API) that supports the communication of U.S. privacy signals. This allows the element to be loaded onto the website or app in order to communicate with third parties and vendors. 

Websites are responsible for storing the U.S. Privacy String in a cookie named “usprivacy” where the library can read and write to the cookie. 

IAB Tech Lab U.S. Privacy OpenRTB Extension 

The OpenRTB Extension specifies how to pass information pertaining to the CCPA with Open Real-Time Bidding. Digital Properties and their Downstream Framework Participants that use Real-Time Bidding need to know when personal data in the bid request is subject to U.S. Privacy rules. The OpenRTB extension allows bid requests to include the U.S. Privacy Transparency and Choice signals representing the relationship and status between consumers and the Digital Property. 

The OpenRTB Extension includes a new attribute “us_privacy” within the BidRequest object. 

What’s Next?  

IAB and the IAB Tech Lab are asking those in the digital advertising supply chain to provide input on their draft framework no later than November 5, 2019, after which they intend to release a finalized version for companies to adopt before the CCPA takes effect on January 1, 2020. Those who wish to comment on the Framework should send their remarks to [email protected].