Batten the Hatches! Publisher Preparation for the CCPA Tidal Wave

If you’re thinking GDPR was the warmup for CCPA, think again. It’s not even half the battle. Especially not for the publishers who simply decided that cutting off EU traffic was the right play.

But for the lot of you who attract a large international audience, that approach wasn’t even feasible. So maybe for you, complying with GDPR might just get you half the way to CCPA compliance.

At least that was the message coming out of a recent call that AdMonsters Chairman, Rob Beeler, held with the publisher community about their approaches to CCPA. In these early days, it seems like partnering with a CMP who knows exactly what they’re doing or adopting the IAB CCPA Compliance Framework are the best paths forward.

The Quick-and-Dirty Approach: Partnering With A CMP Provider

Consent Management Platforms (CMP) are rapidly becoming the tool of choice for collecting and managing consumer consent and passing that data. We saw their rise in the wake of GDPR and the IAB Tech Lab’s GDRP Transparency and Consent Framework.

For publishers who already partnered with a CMP on GDPR, their vendor should have CCPA scripts that can be implemented to create one-click-opt-out of personalization cookies. The user should also be presented with a message that lets them know that their preferences have been recorded. These publishers (or any publisher for that matter) should also update their privacy policies for California residents.

Rolling out a “Do Not Sell” button may not be enough for some publishers who might also want to create a customized solution that connects to their advertising. But most CMPs should be ready to do this sometime in Q1.

Adopting the IAB Framework

Adopting the IAB Framework for CCPA (not to be confused with the Framework for GDPR), provides publishers and their ad tech partners with a set of tools and standards to help make it easier for them to comply with the CCPA’s requirements around the sale of PI. The Framework is targeted at the relationships between Publishers, SSPs, and DSPs when PI is being sold. However, the Framework is phrased in such a way that it can also be applicable in case there is no “sale.” 

The Framework works in a way that the consumer opt-out results in the at tech partners becoming limited service providers to the publisher. As such,  the provider can still serve ads on behalf of the publisher, but the ads cannot involve the sale of PI.

As a publisher, you’re adding a script that sends a signal to all of your partners making sure they have signed on to the Framework as well. It will then be up to publishers to choose whether they need to turn off any partners who haven’t signed the limited-service partner agreement.

For sure, it will be interesting to see which vendors see themselves in this way. But it’s expected that vendors who see themselves as other than limited-service partners will still support the agreement and pass along the IAB signal as expected.

Some CMP vendors are even taking steps to connect to the IAB Framework.

Some Nitty Gritty Details Around Messaging

With GDPR, it seemed everyone had their own variation of what messaging should look like. Recommendations for compliance include providing users with a persistent banner that remains until a user actually takes an action. There should also be a “Do Not Sell” link at the bottom of the page.

Speaking to legal about messaging should, of course, be your first step.

What About the Programmatic Piece?

Although Google has committed to signing on with the IAB Framework by the close of Q1, currently publishers are either implementing restricted data processing settings in their GPT tags when a user opts out or they’re using a CMP to bypass this step. It may require more dev work on the part of the publisher, but it will be worth it in the long run. Overall, setting specific settings in GPT will guarantee that Google is not tracking.

For direct-sold campaigns, right now there are no signals being passed from Google to determine how to handle agency partners. As long as other vendors are compliant with IAB, there will be script in an iFrame to get the CCPA status and you won’t personally have to worry about whether all vendors are compliant.

As far is Prebid is concerned, there’s a CCPA handler built into version 2.43.

Don’t think that CCPA compliance is a set-it-and-forget-it deal. You’ll have to revisit your approach and make sure that you’re staying on top of the law, especially as several other states are launching their own versions of consumer privacy laws down the pike and there’s always the possibility of a Federal reg hanging ever so delicately over our heads.