January 24, 2020.
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Compliance with the new California privacy law means that businesses must implement new procedures for how they collect and sell personal information.
The IAB CCPA Compliance Framework is an attempt by the IAB to standardize CCPA compliance across the ad tech sector. In this blog post, we take a closer look at the Framework and how it works.
IAB (Interactive Advertising Bureau) is a business organization for online advertisers, vendors and tech companies that develops industry standards for the ad tech sector, along with providing legal support and conducting research.
The IAB CCPA Compliance Framework is an attempt by IAB to standardize compliance across the ad tech industry with the California Consumer Privacy Act (CCPA).
It is an agreement between businesses who collect personal information on California residents (e.g. through their websites) and the ad tech companies who buy this information.
IAB similarly has an industry framework in place for compliance with the European General Data Protection Regulation (GDPR).
The California Consumer Privacy Act (CCPA) is a statewide law in California that came into effect on January 1, 2020 and regulates how businesses all over the world are allowed to collect, handle and sell the personal information of consumers (legally California residents).
CCPA empowers consumers with the right to be informed, the right to request disclosure, the right to deletion and the right to opt out of having personal information sold to third parties.
It is a broad and ambitious law – the first of its kind in the United States.
Personal information is defined in the CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Compliance with the data law means that businesses (those who fall under the definition of business) must inform consumers at or before the point of collection about the categories of personal information they collect.
Businesses are also required to feature a Do Not Sell My Personal Information link on their website, enabling consumers to opt out of third-party data sales.
Selling is defined broadly in the CCPA and includes renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
In the IAB Compliance Framework, businesses who collect personal information from California residents through “publisher digital properties” (i.e. websites, mobile apps etc.) are called Publishers, while those ad tech companies and data vendors that buy personal information are referred to collectively as Downstream Participants (also including supply-side platforms (SSPs) and demand-side platforms (DSPs) that enable real time bidding for ad agencies).
The IAB CCPA Compliance Framework means that publishers and downstream participants will have a uniform way of complying with the CCPA through a standardized process of communicating a consumer’s choice of exercising their rights (e.g. to opt out of third-party sales) “downstream” from the consumer generating the data, the website collecting it and the ad tech companies buying it.
IAB CCPA Compliance Framework has three main steps to it –
As a legal requirement of the CCPA, publishers (i.e. businesses and their websites) who participate in the IAB CCPA Compliance Framework agree to provide an explicit notice to California residents informing them on their CCPA rights to:
Part of the IAB CCPA Compliance Framework agreement is for publishers to explain in clear terms what will happen to a consumer’s data once collected and sold, and to notify downstream technology companies that such disclosures have been given to the consumer.
Providing such information to the consumer is mandatory for compliance with the CCPA. Information about the rights of Californian consumers and about the categories of personal information that the business collects and sells to third parties must be provided to consumers at or before the point of collection.
The Do Not Sell My Personal Information link is also a cornerstone requirement for CCPA compliance for businesses.
It is the way in which California residents will be able to opt out of having their data sold by the businesses to third party ad tech companies and vendors, who use this data to recreate profiles for behavioral advertisement.
If a consumer exercises their right to opt out of third party selling, a signal is sent downstream from the publisher (website) to the technology company, informing them of the consumer’s choice. This way, the IAB CCPA Compliance Framework creates a service partner relationship (between the publisher and the ad tech companies to whom it sells consumer data) in which a data supply chain of information about the consumer’s choices and actions is communicated “downstream” from the websites, ad tech companies and vendors.
Once the consumer has exercised their CCPA rights to opt out of having their personal information sold to third parties, and the publisher has communicated this downstream, “strict rules” in the IAB CCPA Compliance Framework apply to ad tech companies and data vendors.
The sale of personal information must cease instantly when a consumer opts out and “strict limitations” on the use of the data already bought will be in effect for both the publisher and the tech companies, as specified under the CCPA.
IAB believes this will “provide participants [in the IAB CCPA Compliance Framework] with the opportunity to demonstrate accountability by requiring them to submit to audits and/or self-certifications to ensure that when the consumer opts out, limited personal information is being used only for purposes permitted by the CCPA.”
Any business that through real time bidding or direct transactions engages in the digital advertising industry can participate in the IAB CCPA Compliance Framework.
This means any businesses that through digital means collect personal information on California residents and in one way or another sell this data to other entities like marketing vendors and ad tech companies.
In order to be liable for CCPA compliance, a company must pass one of the three following thresholds:
There are no geographical restrictions to the CCPA when it comes to a company’s location. This means that if you have a website in, say, Singapore or Italy that has an annual gross revenue exceeding $25 million, you are liable for CCPA compliance.
The same goes for websites around the world that collect the personal information of more than fifty thousand California residents annually.
Any company or organization that falls under the CCPA’s definition of business, and so engages in the digital advertising industry can participate in the IAB CCPA Compliance Framework.
Cookiebot is a consent management platform that provides full compliance for websites with the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR), including other data privacy laws around the world.
Cookiebot’s technology provides real and thorough compliance in the data privacy industry. We automatically scan your website by simulating real-life users that scroll, click and navigate every possible corner, plugin and subpage of your domain to find all cookies and similar tracking technologies.
Our cookie declaration containing everything that the scanner found on your website includes the required Do Not Sell My Personal Information link.
Cookiebot's CCPA cookie declaration with Do Not Sell My Personal Information link.
For CCPA compliance, knowing exactly what cookies and trackers are present on your website, including third party cookies from ad tech companies, is a vital tool.
This is how you will be able to comply with the CCPA’s requirement of informing your end-users of the categories of personal information you collect, and which third parties you share it with.
Cookiebot also provides the required opt in banners for the consent of minors under the age of 16, as required by the CCPA.
Cookiebot’s CCPA opt out banner for minors under the age of 16.
Using Cookiebot means easy compliance with the CCPA, the GDPR and other data privacy laws around the world.
Our geotargeting function means that your website will know where in the world the visitor is located and automatically be able to present them with the right compliance solution.