IAB Launches Compliance Framework for CCPA

Advertising Law

As the effective date for the California Consumer Protection Act (CCPA) inches closer, the Interactive Advertising Bureau (IAB) and its affiliated standard-setting body, the IAB Technology Laboratory, have released for public comment a draft compliance framework (the Framework) for publishers and technology companies.

These industry groups recruited stakeholders to work with the IAB Privacy and Compliance Unit to create a compliance mechanism for companies engaging in or supporting real-time bidding transactions in the digital advertising industry. The Framework consists of two components: a limited service provider agreement (the Agreement) that governs these transactions and creates “service provider” relationships between publishers and technology companies, and a technical guide detailing the mechanics of implementing the Agreement.

Under Section 1798.115(d) of the CCPA, a third party cannot “sell” personal information previously sold to it without providing the consumer with “explicit notice” and the opportunity to opt out pursuant to Section 1798.120 of the CCPA. The Framework provides that publishers that sell the personal information of California residents in the delivery of digital advertising must (i) include information about the rights of consumers under the CCPA, (ii) explain in clear terms what will happen to the data collected from them and then (iii) communicate with downstream technology companies that the required disclosures were provided. 

Under the Framework, publishers that sell personal information will be contractually bound to send real-time bid requests and accompanying personal information only to the contracting downstream companies that purchase it, such as agencies, advertising services, supply-side platforms and demand-side platforms. These downstream companies will be similarly bound to share this information only with other contracting parties. When a consumer opts out, the sale of personal information related to the delivery of a personalized advertisement ceases. These downstream companies will then become limited service providers that may perform business purposes permitted under the CCPA—such as auditing, detecting security incidents or performing services on behalf of the publisher—that include delivering, measuring or reporting on personalized advertisements.

Publishers must include a “Do Not Sell My Personal Information” link on their apps or sites, or otherwise indicate that they do not sell personal information via preset opt-outs for all consumers who visit the apps or sites. When clicked, the link sends a signal to the downstream companies via a technical mechanism developed by the IAB Technology Laboratory. Publishers must also display a “California Explicit Notice” or a “DAA California Privacy Notice” link adjacent to the “Do Not Sell My Personal Information” link.

The IAB plans to distribute the Agreement to the advertising industry later this quarter. Comments on the Framework will be accepted until November 5, leaving the IAB time to finalize it before the CCPA takes effect on January 1, 2020.

For more details on the Framework, click here.

Why it matters: The CCPA, as drafted, imposes compliance obligations on companies engaging in real-time bidding transactions in the digital advertising industry, especially web publishers that have a direct relationship with California consumers. The IAB notes that the Framework is a “simple and efficient” vehicle to create a service provider relationship in the data supply chain and a means for participants to demonstrate accountability for consumer opt-outs. The IAB has not taken a position regarding legality, suggesting that industry participants consult with their own legal counsel as no single, agreed-upon compliance interpretation of the CCPA exists. We will continue to monitor developments with this Framework as well as the implementing regulations as they become finalized.