Set to go into effect on January 1, 2020, with enforcement delayed until July 1, 2020 (or six months after Attorney General Xavier Becerra releases the official regulations), the California Consumer Privacy Act (CCPA) is a strict personal data law that gives California residents more power over their digital data.
Despite the impending deadlines, many publishers, brands, agencies, and ad tech providers still aren’t clear on what the law asks for or how to comply with it.
While the CCPA gives new data rights to California’s consumers, it places requirements on “businesses” and “service providers” (as defined by the CCPA) to ensure that these rights are protected, including: higher standards for data and IT security, privacy policy and consumer notices, organizational documentation, data governance, and—most concerning to many in ad ops, and the focus of the IAB’s CCPA Compliance Framework—new provisions regarding the sale of consumers’ personal information (PI).
What the CCPA says about selling (and sold) PI
- Companies that collect and sell consumer PI must provide a clear way for consumers to enact their “right to opt-out” of the sale of their PI (1798.120 & 1798.135)
- A third-party who buys PI may not resell that PI unless the consumer was given “explicit notice” and has been provided an opportunity to opt-out (1798.115(d))
- If a consumer opts out of the sale of their personal information, the business receiving this opt-out must identify all parties the information was sold to in the 90 days preceding the receipt of the request and inform these parties not to sell the information.
But here is where things get a little murky for the advertising ecosystem. Sharing data with a service provider is exempt from the definition of “sale” if this data is needed to perform a specified business purpose, and if the service provider does not sell the data onwards.
Service providers are companies you share data with for a particular service and are contractually barred from further retaining, processing, or disclosing the consumer’s PI beyond what’s required for that particular service (see 1798.140(t)&(v)).
What the IAB’s CCPA Compliance Framework Does
In short, the IAB’s and IAB Tech Lab’s CCPA Compliance Framework (here called “the Framework”, although the IAB has provided a similar framework for GDPR) provides a set of tools and standards to help make it easier for publishers and their ad tech partners to comply with the CCPA’s requirements around the sale of PI.
The primary resources the Framework provides:
- A standardized and flexible relationship structure between publishers and downstream technology companies, such as SSPs, DSPs, DPMs, various data agencies, and other ad ops players, including clear guidelines on what happens if the different players within the ad ops value chain are or are not signatories to the Framework.
- A standardized and flexible set of signals that can be sent between these businesses to communicate consumer preferences and journeys (with respect to falling under CCPA and receiving required and explicit notices).
The Framework draft was initially released on October 22, 2019, and comments were welcomed through November 5, 2019, with the first version of the framework being released on November 18, 2019. Future versions are already being worked on, as the IAB and IAB Tech Lab are continuing to work with stakeholders across the advertising industry to adapt the Framework to ensure practical applicability and legal compliance.
The IAB Framework’s Relationship Structure
The Framework speaks of four key players within the ad ops industry: Publishers of Digital Property, SSPs, DSPs, and DMPs. DMPs and DSPs are often named in one breath, and under the IAB Framework they fulfill similar roles in the value chain.
The Framework is targeted at the relationships between Publishers, SSPs, and DSPs when PI is being sold. However, the Framework is phrased in such a way that it can also be applicable in case there is no “sale.”
It regulates the result of an opt-out by a consumer with the publisher, which is transmitted to the SSP via the opt-out signal. The seller-buyer relationship between the publisher and the SSP is automatically substituted with a Limited Service Provider relationship (as long as both have agreed to follow the terms of the Framework’s Limited Service Provider Agreement). This relationship also automatically comes into force for all downstream framework participants.
By providing a standard industry agreement to be administered by an IAB entity, the Framework ensures that the CCPA-stipulated contractual basis for such a service provider relationship is always in place. Once an opt-out has been effectuated and a Limited Service Provider relationship has been established, downstream framework participants (SSPs, DSPs, etc.) may still use the received personal information to deliver advertising; however, this may only be done pursuant to the Applicable Business Purposes (as per 1798.140(d)).
The IAB Framework’s Signals
The IAB provides three standardized technical specifications: the U.S. Privacy String, the U.S. Privacy User Signal API, and the U.S. Privacy OpenRTB Extension. All three allow companies to pass along four pieces of crucial information:
- The version of the signal being sent (to ensure compatibility as the Framework and regulations evolve) — 1, 2, 3, etc.
- Has the consumer been given explicit notice as per 1798.115(d) and the opportunity to opt-out as per 1798.120 & 1798.135 — Yes, No, or NA
- Has the consumer opted-out of the sale of his or her data — Yes, No, or NA
- Does the publisher fall under the IAB Limited Service Provider Agreement, and is the transaction a “Covered Opt-Out Transaction” or a “Non-Opt-Out Transaction” as those terms are defined in the Agreement — Yes, No, or NA
With these standards in place, a publisher can send a signal like “1YNY”—version 1, YES the consumer was given explicit notice and the ability to opt-out, NO the consumer did not opt-out, and YES the publisher is a signatory to the IAB’s Limited Service Provider Agreement and the transaction is covered by it. And if CCPA does not apply to the transaction, a publisher can send the signal “1---”—version 1 but otherwise Not Applicable.
The U.S. Privacy String is recommended to be stored in a 1st-party cookie named “usprivacy”, and is required to be accessible via the U.S. Privacy User Signal API across desktop and mobile devices. Where cookie placement is not possible (e.g. on mobile native or where cookies are disabled), different methods can be adopted.
Within OpenRTB, the IAB specifies a new attribute named “us_privacy” under the current BidRequest object. Through this extension, publishers can pass along the required information, and downstream actors can easily check it and factor it into their automated RTB decisions.
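As an added illustration (not code from the IAB or from this article), the following Python decodes the U.S. Privacy String described above, derives the handling a downstream participant applies for each combination of flags as the page describes them, and reads the string from an OpenRTB bid request at `regs.ext.us_privacy`, the location the IAB OpenRTB extension specifies (not shown on this page). The status labels, the conservative treatment of a missing signal and of an opt-out outside the LSPA, and the sample bid request are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class USPrivacySignal:
    version: int
    explicit_notice: str  # explicit notice and opt-out opportunity given (1798.115(d), 1798.120/135)
    opt_out_sale: str     # consumer opted out of the sale of their PI
    lspa_covered: str     # publisher under the IAB Limited Service Provider Agreement

def parse_us_privacy(value: str) -> USPrivacySignal:
    """Parse a 4-character string such as "1YNY" or "1---"; reject anything malformed."""
    if len(value) != 4 or not value[0].isdigit() or value[0] == "0":
        raise ValueError(f"malformed U.S. Privacy String: {value!r}")
    flags = value[1:].upper()  # assumption: tolerate lowercase from sloppy senders
    if not set(flags) <= {"Y", "N", "-"}:  # "-" means Not Applicable for that field
        raise ValueError(f"invalid flag characters in {value!r}")
    return USPrivacySignal(int(value[0]), flags[0], flags[1], flags[2])

@dataclass(frozen=True)
class Handling:
    status: str
    may_use_for_advertising: bool  # PI may be used to deliver ads at all
    may_sell_onward: bool          # PI may be passed to a further third party as a "sale"

def handling_for(sig: Optional[USPrivacySignal]) -> Handling:
    """Apply the CCPA rules the Framework signals encode. Status labels are this example's own."""
    if sig is None:  # assumption: a missing signal is unknown, never "CCPA does not apply"
        return Handling("no_signal", False, False)
    if (sig.explicit_notice, sig.opt_out_sale, sig.lspa_covered) == ("-", "-", "-"):
        return Handling("ccpa_not_applicable", True, True)
    if sig.opt_out_sale == "Y":
        if sig.lspa_covered == "Y":  # Limited Service Provider: Applicable Business Purposes only, no resale
            return Handling("limited_service_provider", True, False)
        return Handling("opted_out_no_lspa", False, False)  # assumption: no contractual basis, stop
    if sig.explicit_notice == "Y":
        return Handling("notice_given_no_opt_out", True, True)
    return Handling("no_explicit_notice", True, False)  # resale barred without notice (1798.115(d))

def signal_from_bid_request(req: dict) -> Optional[USPrivacySignal]:
    """Read the string where the IAB OpenRTB extension carries it: BidRequest.regs.ext.us_privacy."""
    raw = req.get("regs", {}).get("ext", {}).get("us_privacy")
    return parse_us_privacy(raw) if raw else None

# Constructed sample bid request (not captured from any real exchange)
SAMPLE_REQUEST = {"id": "req-123", "regs": {"ext": {"us_privacy": "1YYY"}}}

if __name__ == "__main__":
    for raw in ("1YNY", "1---", "1YYY", "1YYN", "1NNN"):
        print(raw, handling_for(parse_us_privacy(raw)))
```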
Criticism of the Framework
The Framework walks a fine line between the definition of “selling” and “disclosing for business purposes” under the CCPA. It chooses not to get its hands dirty with the definition of the term selling by stating that “participants in the digital advertising industry have different perspectives concerning the scope of the definition of sale” and can determine autonomously whether the disclosure of information for ad targeting purposes to a third party, which is not a service provider, constitutes a “sale.”
Even after an opt-out, the Framework allows publishers to disclose information to downstream companies, who are automatically turned into limited service providers. The freedoms of these downstream companies are strongly limited due to the opt-out—they may only act in a way that is needed to achieve the “Applicable Business Purposes”, and they may not sell the information onwards. These service providers, however, may still use the information to target ads, since “providing advertising or marketing services” is mentioned as a business purpose.
The IAB Framework aims to give technical guidelines on how to comply with the CCPA’s regulatory standard. This is where the gaps between law and technology become apparent.
The Framework is forced to bend to the limitations of reality and specifies that in some cases, an opt-out can only happen at the device level. If a consumer is not logged into his publisher-held account and chooses to opt-out, the publisher might be unable to recognize the user and can only fulfill its opt-out obligations at the device level. The CCPA does not prescribe a request-verification process in the case of an opt-out of sale, so this case could easily occur.
The CCPA only speaks of an opt-out at the consumer level and states that a global opt-out of sale (covering all data) should be presented most prominently. There is no mention of a device-level opt-out in the text of the law.
The Framework states that the Digital Property publisher may request additional information from the consumer to try to identify him/her in order to effectuate a consumer-level opt-out, but steers clear of specifying which data points should be requested. Request verification processes are described in depth in the CCPA Draft Regulations (Article 4).
Getting Your House in Order
The IAB’s CCPA Compliance Framework provides a much-needed industry standard to pass along crucial information about a consumer’s sold PI and the consumer’s journey with respect to what the CCPA requires.
Its weaknesses and strengths come from the same source—it is not meant to provide a definitive answer on CCPA language and interpretation, and it is not meant to solve all CCPA compliance issues. The Framework is aimed at delivering a specific twist on CCPA compliance for adtech companies, who can follow and incorporate the Framework into their systems as they see fit.
Using the Framework will certainly ease the complexity of dealing with the rest of the ad ops ecosystem, but definitely make sure you’re compliant on all the other extensive areas the CCPA covers and consider working together with a company that can provide an infrastructure to automate all other compliance aspects not covered by the Framework.