Public Comment Period
The IAB CCPA Compliance Framework for Publishers and Technology Companies (Draft Document) is in review. For any questions please contact [email protected]
The California Consumer Privacy Act (CCPA) was enacted to provide California consumers with greater control over how their personal information is collected, used and sold.
IAB organized a multi-stakeholder effort to create a “Framework” for compliance with the CCPA that could be used by publishers and technology companies when engaged in programmatic transactions.
The CCPA is not yet effective nor enforced, and there are provisions of the law that are ambiguous and leave room for interpretation. We recognize that there is no single, agreed upon compliance interpretation of the CCPA. We take no position on any legal conclusion and leave it to industry participants to consult with their own legal counsel.
Rather, the Framework is intended to be used by those publishers who “sell” personal information and those technology companies that they sell it to. It also is intended to create “service provider” relationships between publishers and technology companies so that limitations on the use of data and mechanisms for accountability can be imposed when the consumer opts-out of a “sale.” Additionally, those publishers that do not “sell” personal information in the delivery of a digital ad can still leverage the Framework due to the service provider relationships that are created and facilitated by it.
While the Framework is intended to support the aforementioned use cases, other use cases and paths to compliance exist. The Digital Advertising Alliance, in partnership with IAB and other trade associations, is also working on compliance tools. We believe that, through collaborative industry efforts, a holistic set of compliance solutions can be made available for companies to adopt depending on each company’s business practices and interpretation of the law.
Additionally, the Framework creates flexibility and optionality for market participants. Publishers that choose not to participate in the Framework can still send the same signals to downstream technology companies of their choosing and downstream technology companies that choose not to participate in the Framework can still engage in transactions with Framework participants. We believe that compliance and flexibility can go hand-in-hand.
How Does It Work?
The Framework requires participating publishers that choose to “sell” the personal information of California residents in the programmatic delivery of digital advertising to include information about the rights of consumers under CCPA, explain in clear terms what will happen to data collected from them, and, importantly, to communicate to downstream technology companies they do business with that such disclosures were given.
It also requires publishers to include a “Do Not Sell My Personal Information” link on their site or app. When a user clicks that link, a signal is sent to technology companies they do business with via a technical mechanism that is being developed by the IAB Tech Lab.
Strict rules apply after the consumer clicks the link, which will be effectuated through a Limited Service Provider Agreement. Not only will the “sale” of personal information cease, but the Agreement will cause downstream technology companies to become service providers of the publisher when the consumer opts-out of the “sale.” Doing so imposes strict limitations on data use by publishers and technology companies to only those specific and limited business purposes that are permitted under the CCPA (e.g., auditing, detecting security incidents, short term transient use, etc.).
Two significant benefits accrue from the Limited Service Provider Agreement. First, for participants in the Agreement, it creates a simple and efficient vehicle from which to create service provider relationships in the data supply chain without the need of having to enter into hundreds of separate contracts. Second, and most important, it provides participants with the opportunity to demonstrate accountability by requiring them to submit to audits to ensure that when the consumer opts-out, limited personal information is only being used for purposes permitted by the statute.
This document sets forth the parameters for the IAB CCPA Compliance Framework for Publishers & Technology Companies, which applies to desktop and mobile environments (the “Framework”). Although the authors and IAB have made efforts to ensure the accuracy of the material in this Framework as of the date of publication, it should not be treated as a basis for formulating business and legal decisions without individualized legal advice. In legal matters, no publication can take the place of professional advice given with full knowledge of the specific circumstances of each matter and the actual practices of the company. The authors and IAB make no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this Framework and assume no liability of any kind whatsoever resulting from the use or reliance upon its contents.