The IAB/IAB Tech Lab Publish A Compliance Framework For CCPA And Public Comments Are Open

The California Consumer Privacy Act wants to make opting out of data collection as easy as clicking a button. But for publishers, advertisers and ad tech companies, it’s not so simple.

On Tuesday, the Interactive Advertising Bureau and the IAB Tech Lab released the first draft of a compliance framework to help companies handle the practicalities of the law. The framework will be in a public comment period through Nov. 5.

The industry is still struggling to interpret parts of the CCPA despite the recently published initial draft of the California attorney general’s implementation regs. Although the regs clarify parts of the statute, there are still a bunch of open questions, including exactly what the CCPA-mandated “Do Not Sell My Personal Information” button should look like.

It’s also unclear exactly what back-end mechanisms will exist to enable companies to actually honor their CCPA obligations. When someone opts out, it has to mean something.

And with the CCPA effective date bearing down – it’s less than 70 days until Jan. 1, 2020 – businesses don’t have time to wait for all the ambiguities to be resolved before taking action to comply, said Michael Hahn, an SVP and general counsel at the IAB.

Master contract

The IAB/IAB Tech Lab’s compliance framework draft consists of two components: a standardized contract for use between publishers and their partners, and a series of technical specs so companies can follow through on the contract.

The master contract specifically defines the relationship between a publisher and other companies involved in real-time bidding, clarifying everyone’s responsibility when a consumer opts out of the sale of personal information.

This is extra important because the CCPA distinguishes between third parties and service providers – and ad tech vendors can be defined as either. “Under the CCPA, you can be different things at different points in time based on the relationship and the particular circumstances under which you’re receiving data,” Hahn explained.

Unlike a third party, which has greater latitude in the use of properly collected data as long as someone hasn’t opted out, a service provider, according to the CCPA, is only allowed to use data for very specific, limited business purposes, such as auditing or fraud detection.

In the IAB’s view, when a consumer doesn’t opt out, an ad tech company is a third party that purchases information from publishers. But when a consumer hits that “Do Not Sell” button, the downstream ad tech company is contractually bound to act as a service provider, which means putting service provider-like constraints on the use of the data.

“The concept behind this is that there needs to be real meaning when a consumer opts out,” Hahn said. “That can be done by changing to a service provider relationship, which provides a means of real accountability.”

The tech specs

But a contract isn’t enforceable unless publishers and tech companies can see whether someone has opted out of the sale of data or not.

And so the compliance framework proposal also includes a set of three technical specifications from the IAB Tech Lab designed to help companies implement their service provider contracts.

The first is a “US privacy string” that’s similar in spirit to the Transparency and Consent Framework developed by the IAB Tech Lab and IAB Europe last year to share consent information with third-party vendors under the EU’s General Data Protection Regulation. In this case, the string contains information about whether a consumer was given the proper disclosures and the opportunity to opt out.

The second spec is a privacy user signal API that would be used by sites and apps to transmit info, aka functional cookies, through the US privacy string, while the third spec outlines an extension that would allow companies to pass CCPA-related information within OpenRTB transactions, such as whether the data collection process was kosher.

The contract and the specs aim to “strike a balance” between honoring consumer preferences and helping companies comply with the CCPA in “a way that doesn’t disrupt the value exchange, their products or their services,” said Dave Grimaldi, EVP for public policy at the IAB.

“I think we’ve done that here,” Grimaldi said. “But the comment period will hopefully shed meaningful light on tweaks we can make and gaps we need to fill so we can make this thing better.”
