There was an unexpected error authorizing you. Please try again.

The Industry’s First Standards for Handling User Data Deletion Requests (CCPA)

The California Consumer Privacy Act (CCPA) gives California residents a set of new rights with respect to their personal information. Among these is the right to deletion:

Section 1798.105(c) of the CCPA states “[a] business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information [shall] … direct any service providers to delete the consumer’s personal information from their records.” (emphasis added)

The Tech Lab’s new Data Deletion Request Handling specification solves for how Section 1798.105(c) translates in practice in digital advertising. A publisher who utilizes ad tech vendors to be “service providers” (as defined in the CCPA) can use the new spec to signal that a user exercised her right to deletion. This could easily come in the form of explanatory text and button hosted on a publisher page designed to handle those requests—that’s up to each publisher using the spec. The technical spec also provides those vendors serving as a publisher’s service provider a standard way to listen for those requests emanating from publisher pages.

This is the first technical standard of its kind for the digital advertising industry and has potential application beyond CCPA—e.g., it could be extended to other circumstances where publishers and vendors look to signal user requests for data deletion. Avoiding one-off, proprietary builds per partnership and policy, or just as bad, manual processes to reach out to partners for deletes, can save the industry real money and reduce room for error.

“Handling data deletion requests across the advertising ecosystem has been one of the most challenging operational and technical aspects of privacy regulations in the last few years. IAB Tech Lab’s new Data Deletion Request Handling specification represents a sea change today, for CCPA and beyond, and is a sign for what’s possible for the future when it comes to building privacy-centric relationships with users online,” said Nathan Hagen, Co-Founder, Admiral.

Andrea Giannangelo, Head of Product, iubenda, said: “With support for data deletion, the US Privacy API addresses a major pain point of privacy compliance that, previously, didn’t have a solution. Starting today, companies in the advertising industry that are looking to comply with CCPA finally have an easy way to propagate data deletion requests to their partners. This is a game-changing alternative to manually processing these requests – which was the only available option until now.”

Tech Lab’s CCPA / US Privacy Technical Working Group worked closely with the IAB’s General Counsel, Michael Hahn, to develop a standard that could stand up to the CCPA requirements. Michael also helped guide the effort in a way that would seamlessly support Limited Service Provider Agreement signatories. The spec builds on the US Privacy API released in late 2019 which is designed to handle opt-outs of the “sale” (as defined in the CCPA) of personal information. The new release represents another case study in how policy and tech professionals can come together to deliver the industry real value in the face of the growing set of challenges it faces—privacy and otherwise. Tech Lab looks forward to continued collaboration with policy leaders as we collectively address upcoming, regional privacy legislation and enforcement.

If you would like to get involved in the Tech Lab, its privacy-focused working groups or IAB policy discussions please reach out. Our work is stronger when your voices drive our product.


ABOUT THE AUTHOR

Alex Cone
Senior Director, Product Management
IAB Tech Lab