The Interactive Advertising Bureau (IAB) has released for public comment the IAB California Consumer Privacy Act Compliance (CCPA) Framework for Publishers and Technology Companies. According to the IAB, the draft framework is intended to help publishers, ad agencies and other companies involved in the digital advertising ecosystem comply with the CCPA, which goes into effect on January 1, 2020. Below is the full summary from the framework.
The Framework requires participating publishers that choose to "sell" the personal information of California residents in the programmatic delivery of digital advertising to include information about the rights of consumers under CCPA, explain in clear terms what will happen to data collected from them, and, importantly, to communicate to downstream technology companies they do business with that such disclosures were given.
It also requires publishers to include a "Do Not Sell My Personal Information" link on their site or app. When a user clicks that link, a signal is sent to technology companies they do business with via a technical mechanism that is being developed by the IAB Tech Lab.
Strict rules apply after the consumer clicks the link, which will be effectuated through a Limited Service Provider Agreement. Not only will the "sale" of personal information cease, but the Agreement will cause downstream technology companies to become service providers of the publisher when the consumer opts-out of the "sale." Doing so imposes strict limitations on data use by publishers and technology companies to only those specific and limited business purposes that are permitted under the CCPA (e.g., auditing, detecting security incidents, short term transient use, etc.).
Two significant benefits accrue from the Limited Service Provider Agreement. First, for participants in the Agreement, it creates a simple and efficient vehicle from which to create service provider relationships in the data supply chain without the need of having to enter into hundreds of separate contracts. Second, and most important, it provides participants with the opportunity to demonstrate accountability by requiring them to submit to audits to ensure that when the consumer opts-out, limited personal information is only being used for purposes permitted by the statute.
The IAB will be accepting comments and feedback on the draft from October 22, 2019 through November 5, 2019 at privacy@iab.com.
For more analysis and coverage of the CCPA, follow our blog.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.