IAB CCPA Compliance Framework for Publishers & Technology Companies

California Consumer Privacy Act Compliance Framework

The California Consumer Privacy Act (CCPA) was enacted to provide California consumers with greater transparency and control over their personal information. In many ways, the CCPA is a first of its kind law in the United States: an omnibus statute that seeks to create broad privacy and data protection rules that apply to all industries doing business in one jurisdiction, California, rather than focusing on a single sector or specific data collection and use practices. The CCPA was created in response to changing public perceptions. Users, rightfully, want to understand and have the option to exercise control over their own data.

Creating a new industry framework to support CCPA compliance amongst publishers (i.e., those that own, control, and/or operate a digital property) and technology companies engaged in programmatic and direct transactions (the “Framework”) requires careful consideration, implementations in a technologically-complex and important ecosystem, and balancing of different perspectives and business models. We believe that the Framework and the accompanying Limited Service Provider Agreement (the “Agreement”) accomplish this by providing ad tech companies with assurances that participating publishers provide California consumers with explicit notice and the opportunity to opt-out of the “sale” of their personal information. Participating publishers will also have assurances that technology companies and vendors use personal information pursuant to limited CCPA permitted “business purposes” when California consumers exercise the right to opt-out of the sale of their personal information.

How Does It Work?

The Framework requires participating publishers that choose to sell the personal information of California consumers in the delivery of digital advertising to provide “explicit” notice regarding their rights under the CCPA, to explain in clear terms what will happen to their data, and to notify the downstream technology companies with which the publishers do business that such disclosures were given.

It also requires publishers to include a “Do Not Sell My Personal Information” link on their digital properties. When a user clicks that link, a signal is sent to the technology companies with which the publishers do business via a technical mechanism that is based upon specifications developed by the IAB Tech Lab.

Strict rules, which will be effectuated through the Agreement, shall apply after the consumer clicks the link. Not only will the Agreement require the sale of personal information to cease in such instance, but it will cause downstream technology companies to become service providers of the publisher. Doing so imposes strict limitations on data use by publishers and technology companies to only those specific and limited business purposes that are permitted under the CCPA.

Two significant benefits accrue from the Agreement. First, for participants in the Agreement, it creates a simple and efficient vehicle from which to create service provider relationships in the data supply chain without the need of having to enter into hundreds of separate contracts. Second, and most important, it provides participants with the opportunity to demonstrate accountability by requiring them to submit to audits and/or self-certifications to ensure that when the consumer opts out, limited personal information is being used only for purposes permitted by the CCPA.

Download the IAB CCPA Compliance Framework Document (PDF)

Sign the Limited Service Provider Agreement

Download the CCPA Compliance Framework Tech Specs via IAB Tech Lab

For more information, contact [email protected].