IAB Tech Lab Releases V1 Technical Specifications for IAB CCPA Compliance Framework for Publishers & Technology Companies

By Jennifer Derke

Today, the IAB Tech Lab is releasing version 1.0 of the technical specifications for the IAB CCPA Compliance Framework, and is encouraging digital property owners and ad platforms to begin their technical implementation efforts. The Framework supports compliance with the CCPA for the digital advertising ecosystem. The IAB CCPA Industry Compliance Framework Draft was in public comment until November 5th. The finalized specifications have been updated, and the IAB Tech Lab working group has developed a roadmap for continued iteration. 

The IAB CCPA Industry Compliance Framework is comprised of policy and technical components. The intention is to provide a consensus-driven industry framework that publishers, advertisers operating their own web pages, and ad tech platforms can use as part of their CCPA compliance efforts. The Framework will provide ad tech companies with assurances that participating publishers will provide California consumers with explicit notice and the opportunity to opt-out of the sale of their personal information. The Framework will also provide publishers with assurances that participating ad tech companies and vendors will use data pursuant to limited CCPA permitted “business purposes” when California consumers exercise their right to opt-out of the sale of their personal information. We expect these remaining elements of the Framework to be finalized for signature early December.   

The technical component provides standardized technical specifications for a U.S. Privacy String format, a User Signal JavaScript API, and OpenRTB parameters. The tech specs provide a common baseline for those using the Framework to communicate between consumers, publishers, advertisers, and ad tech companies. 

The public comment period, by design, generated helpful discussion and commentary. While the majority of feedback focused on implementation questions (suggesting that many companies are already underway adopting the Framework), we were encouraged to add an additional signal within the string format. As a result, the main difference in the final v1 specifications is the inclusion of a signal within the U.S. Privacy String to indicate if a participating publisher would like to flag if a given transaction should be subject to the terms set forth in the Limited Service Provider Agreement. 

This backwards-compatible adjustment is reflected in the finalized v1 specifications; early adopters should plan to add this to their implementation. The U.S. Privacy string (which is currently limited to serving CCPA compliance) has grown from 3 parameters in public comment draft to 4 parameters in the final version. In addition to metadata about which version of the string is being used, the US Privacy string can now signal if explicit notice been provided as required by 1798.115(d) of the CCPA and the opportunity to opt out of the sale of their data pursuant to 1798.120 and 1798.135 of the CCPA. Thirdly, the string indicates if the user opted out of the sale of personal information pursuant to 1798.120 and 1798.135 of the CCPA. Now, the string includes a fourth element to indicate if a publisher is a signatory to the LSPA; the California “consumer” exercises his or her right to opt-out of the “sale” of “personal information;” and the publisher declares that the transaction is covered by the terms of the LSPA. 

Future versions of the framework may add features for evolving regulatory compliance and additional consumer privacy and data protection functionality. For example, a feature requested during public comment period is the support of communication of a consumer’s right to request deletion of their personal information under CCPA. As of publication of this blog post, IAB Tech Lab CCPA/U.S. Privacy Technical Working Group is actively evaluating potential solution designs to support the communication of this consumer request through the ad tech ecosystem. The final v1 technical specifications do not yet support this feature, but the next version will include this feature. The tech group also intends to continue to iterate on technical specifications based on updated guidance from regulators or from the IAB Privacy Compliance Unit’s Legal Affairs Council, reflected in IAB CCPA Industry Compliance Framework and Limited Service Provider Agreement, to be released later in 2019.

All industry participants can now start implementing the technical specifications. As with many IAB Tech Lab standards, adoption of technical specifications should be based on a company’s due diligence and with consideration of their own legal counsel.

The rollout plan includes: 

  • V1.0 of the tech specs for the IAB CCPA Compliance Framework are released today, November 18, and available for immediate adoption by publishers and tech companies
  • An upcoming minor iteration of the tech specs – including the consumer data deletion request feature and other minor additions – will complement the final release of the Framework and Limited Service Provider Agreement  
  • As needed, we will continue to iterate the tech specs based on new needs and potential adjustments to the CCPA regulations – as the California Attorney General may make some changes after the public comment phase ends on December 6 and once the law takes effect on January 1, 2020  

The digital advertising ecosystem is on a tight timeline to deliver CCPA compliance before January 1st. This is only one part of IAB and IAB Tech Lab’s efforts to prepare industry stakeholders. We will continue delivering resources that IAB member companies have asked for in order to support CCPA compliance. We encourage membership in IAB Tech Lab and the CCPA/ U.S. Privacy Technical Working Group for implementation support and up-to-the-minute updates on the technology roadmap for continued iteration of the privacy frameworks that IAB Tech Lab supports.

Those interested in adopting or learning more can stay tuned at iab.com/ccpa and iabtechlab.com/ccpa. The IAB Privacy and Compliance Unit is focusing on delivering solutions and guidance to respect consumer privacy, choice, and trust  through the contributions of IAB Tech Lab product and engineering leads in conjunction with consultation of the IAB’s legal/policy development. Additionally, the IAB Tech Lab is open to collaboration with other industry groups and strives to extend technical specifications to support the industry’s implementation of data protection and consumer privacy-compliant use of audience data.

More information about this project is available at https://www.iab.com/guidelines/ccpa-framework/ and specifications are available at iabtechlab.com/ccpa.


ABOUT THE AUTHOR

Jennifer Derke
Director of Product, Programmatic/Automation
IAB Tech Lab
jennifer@dev.iabtechlab.com