IAB releases CCPA Compliance Framework

The IAB has released version 1.0 of the IAB CCPA Compliance Framework for publishers and technology companies involved in the programmatic ecosystem. This follows the recent publication of version 1.0 of the Framework’s technical specifications last month.

The IAB CCPA Compliance Framework seeks to be comprehensive though not a substitute for individual company due diligence or legal advice. Similar to the group’s GDPR Compliance Framework, the initiative is the result of a months-long process involving input from multiple stakeholders, lawyers and other experts. It’s “intended to be used by those publishers who ‘sell’ personal information and those technology companies that they sell it to.”

The Agreement. There are two component elements to the IAB Compliance Framework:

• Technical specifications (previously released)
• A “Limited Service Provider Agreement” (.pdf) that binds supply chain partners to conduct that fulfills CCPA’s rules and requirements.

Any company “that engages in (e.g., submits bid requests/responses) or supports (e.g., measurement and fraud, analytics, and reporting) an RTB or Direct Transaction in the digital advertising industry is eligible to become a Signatory [to the Limited Service Provider Agreement]. Membership in IAB is not a predicate to participation or Signatory status.”

Providing compliance confidence. In a blog post, Michael Hahn SVP and General Counsel of IAB, said, “We believe that the Framework and Agreement [support CCPA compliance] by providing ad tech companies with assurances that participating publishers provide California consumers with explicit notice and the opportunity to opt-out of the sale of their personal information. Participating publishers will also have assurances that ad tech companies and vendors use personal information pursuant to limited CCPA permitted ‘business purposes’ when California consumers exercise the right to opt-out of the sale of their personal information.”

All companies covered by CCPA must “[p]rovide a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.”

Sending opt-out signals downstream. If a user opts-out – and there are early indications opt-out rates will be high – publishers must send a signal to downstream technology companies of that opt-out request. The IAB Agreement “will [then] require the sale of personal information to cease in such instance [and] cause downstream technology companies to become service providers of the publisher.” That designation imposes specific rules on data usage, unless otherwise permitted by CCPA.

There are also a growing number of third party software solutions in the market that seek to help publishers comply and are compatible with the IAB Framework.

Why we should care. The IAB says there are “two significant benefits” from use of the Framework: 1) “It creates a simple and efficient vehicle from which to create service provider relationships in the data supply chain without the need of having to enter into hundreds of separate contracts” and 2) “It provides participants with the opportunity to demonstrate accountability.”

The IAB’s Hahn added that the IAB Framework “represents a tremendous opportunity for the digital advertising industry to demonstrate that it recognizes the importance of privacy and data protection, and the clear message it is receiving from the market and consumers in particular.” However, the industry really has no choice.

---