What you need to know about the IAB CCPA Compliance Framework v1

November 19, 2019
Golden Gate Bridge

The first version of the technical specifications for the IAB CCPA Compliance Framework has been published. Previously, the Framework Draft was in public comment until November 5th. Changes have been incorporated and now the IAB Tech Lab working group will continue to iterate and release a final version before the end of the year.

So what do you need to know?

First of all, for the uninitiated, let’s start with explaining what the Framework itself actually is.

What’s the IAB CCPA Compliance Framework?

It’s a consensus-driven industry standard for the entire digital ad ecosystem — that is, for publishers, ad tech companies, and advertisers who operate their own digital properties. It allows participants to pass consumer opt-out signals throughout the system in a standardized way. 

What does v1 of the Framework include?

There’s a reference implementation companies can use now to start with the technical piece; the remaining piece will be policy-oriented. Since proposed guidelines from the California Attorney General were only sent out in October and are in public comment until December 6, the timing is tight for everyone to be prepared when the law takes effect on January 1, 2020.

The technical mechanism the IAB uses to pass consumer preferences to all these different players is called the U.S. Privacy String. Different elements of the U.S. Privacy String indicate whether a “Do not sell” notice has been shown, whether there’s an opt-out, and whether it’s within the limited service provider scope or not. 

What is a Limited Service Provider and how would the signal work?

If a consumer makes a Do Not Sell request, their personal information cannot be passed onto third parties. However, while CCPA defines the concept of “sale” very broadly, it does not consider the transfer of information to another entity a sale, if that entity is deemed a “service provider.”

Under CCPA, a service provider must meet a range of requirements, including receiving a consumer’s personal information from a business for a business purpose – which must also be governed by a contract that prohibits the “service provider” from using that personal information for any purpose other than performing the services outlined in the contract. Businesses must additionally compel “service providers” to adhere to the practices indicated in the contract. 

The IAB’s CCPA Compliance Framework v1 includes a Limited Service Provider Agreement (LSPA) signal that the publisher can flag if it applies. This allows the Privacy String to send a signal downstream if a consumer opts out of the sale of their personal information and if applicable, the digital advertising parties will opt-out the user and become “service providers”. As service providers, they will only serve advertising to that user that doesn’t involve sharing their personal info – unless it was previously collected from other sources.

What’s next? 

In the coming weeks, the technical specifications will be iterated to include a consumer data deletion request feature so the consumer’s request can be communicated throughout the ecosystem. The Limited Service Provider Agreement will also be finalized. 

For more information, sign up for our newsletter below.

Latest Blog Posts

Unlimited Data Export for Easier Privacy Audits and CMP Disclosures

July 12, 2024

Keeping track of all your tracking technology partners to...

What is Global Privacy Control? Frequently Asked Questions

July 9, 2024

How does Global Privacy Control work? How is it...

Comprehensive Privacy Laws Take Effect in Texas and Oregon

July 9, 2024

Now in effect: privacy laws in Texas, Oregon, and...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]