The IAB Tech Lab publicly unveiled a technical spec on Friday so that publishers and their partners can handle data deletion requests under the California Consumer Privacy Act (CCPA).
Documentation for the spec, which is part of an overall framework for CCPA compliance, was committed to GitHub last week.
Under CCPA, companies and third-party partners must abide by consumer requests to delete any personal information that they have about them in their records.
But publishers need an automated, standard way to manage and route those requests. Otherwise, it’s a “potentially error-prone and costly” process, said Alex Cone, senior director of product management at IAB Tech Lab focused on privacy.
Today, most publishers respond to data deletion requests using “one-off approaches,” Cone said. “If you’re a publisher and you work with a handful of vendors, each one likely has its own process for handling these requests,” he said. “And conversely, a vendor working with a lot of publishers – an ad server and an SSP, for example – is probably getting a bunch of different people asking them to do things.”
The deletion spec, which works across the web and apps, is fairly easy to implement, Cone said. All a publisher has to do is embed a snippet of code, and a consumer’s request to delete is automatically disseminated to all of the publisher’s partners who have also adopted the spec.
“We’ve done our best to streamline the technology,” Cone said. “This is about giving publishers a standard, simple code interface for calling out to the vendors they work with.”
It’s not a magic button, though. Companies need to map their data sources for this to work. You can’t fulfill a consumer’s data deletion request if you don’t know what data to delete.
CCPA enforcement begins on July 1, but the California attorney general’s implementation regulations, which businesses need to operationalize the law, still aren’t finalized, and it’s unclear if they will be by the enforcement date.
Compliance without the guidelines
The near-final proposed regs were submitted for approval on Tuesday to the California Office of Administrative Law, which has up to 90 days to review them.
So companies have to get into compliance before the specs are finalized, which is where the Tech Lab comes in. The IAB compliance framework has two components: a policy piece and technical specs to facilitate it.
A standardized contract codifies the relationship between publishers and their partners and what the latter can and can’t do with user data in the OpenRTB ecosystem. A privacy string, similar to the Transparency and Consent Framework in Europe, propagates consent signals and handles the opt-out process.
So far, more than 250 companies – a mixture of publishers and ad tech firms – have adopted the IAB’s limited service provider agreement.
The next item on the agenda for the IAB Tech Lab’s CCPA/US Privacy Technical Working Group is a set of technical efficiency tools for companies that have already adopted the framework.
“We’re keeping our ear to the ground along with our policy friends as the law develops so we can respond collectively and in an agile way,” Cone said.