What you need to know about the IAB CCPA Compliance Framework v1

The first version of the technical specifications for the IAB CCPA Compliance Framework has been published. Previously, the Framework Draft was in public comment until November 5th. Changes have been incorporated and now the IAB Tech Lab working group will continue to iterate and release a final version before the end of the year.

So what do you need to know?

First of all, for the uninitiated, let’s start with explaining what the Framework itself actually is.

What’s the IAB CCPA Compliance Framework?

It’s a consensus-driven industry standard for the entire digital ad ecosystem — that is, for publishers, ad tech companies, and advertisers who operate their own digital properties. It allows participants to pass consumer opt-out signals throughout the system in a standardized way. 

What does v1 of the Framework include?

There’s a reference implementation companies can use now to start with the technical piece; the remaining piece will be policy-oriented. Since proposed guidelines from the California Attorney General were only sent out in October and are in public comment until December 6, the timing is tight for everyone to be prepared when the law takes effect on January 1, 2020.

The technical mechanism the IAB uses to pass consumer preferences to all these different players is called the U.S. Privacy String. Different elements of the U.S. Privacy String indicate whether a “Do not sell” notice has been shown, whether there’s an opt-out, and whether it’s within the limited service provider scope or not. 

What is a Limited Service Provider and how would the signal work?

If a consumer makes a Do Not Sell request, their personal information cannot be passed onto third parties. However, while CCPA defines the concept of “sale” very broadly, it does not consider the transfer of information to another entity a sale, if that entity is deemed a “service provider.”

Under CCPA, a service provider must meet a range of requirements, including receiving a consumer’s personal information from a business for a business purpose – which must also be governed by a contract that prohibits the “service provider” from using that personal information for any purpose other than performing the services outlined in the contract. Businesses must additionally compel “service providers” to adhere to the practices indicated in the contract. 

The IAB’s CCPA Compliance Framework v1 includes a Limited Service Provider Agreement (LSPA) signal that the publisher can flag if it applies. This allows the Privacy String to send a signal downstream if a consumer opts out of the sale of their personal information and if applicable, the digital advertising parties will opt-out the user and become “service providers”. As service providers, they will only serve advertising to that user that doesn’t involve sharing their personal info – unless it was previously collected from other sources.

What’s next? 

In the coming weeks, the technical specifications will be iterated to include a consumer data deletion request feature so the consumer’s request can be communicated throughout the ecosystem. The Limited Service Provider Agreement will also be finalized. 

For more information, sign up for our newsletter below.