Updated July 9, 2020.
California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Compliance with the new California privacy law means that businesses must implement new procedures for how they collect and sell personal information.
The IAB CCPA Compliance Framework is an attempt by the IAB to standardize CCPA compliance across the ad tech sector.
Cookiebot consent management platform (CMP) supports the IAB CCPA Framework by default.
In this blogpost, we take a closer look at the Framework, how it works and how Cookiebot CMP supports it.
What is IAB CCPA Compliance Framework?
IAB (Interactive Advertising Bureau) is a business organization for online advertisers, vendors and tech companies that develops industry standards for the ad tech sector, along with providing legal support and conducting research.
The IAB CCPA Compliance Framework is an attempt by IAB to standardize compliance across the ad tech industry with the California Consumer Privacy Act (CCPA).
It is an agreement between businesses who collect personal information on California residents (e.g. through their websites) and the ad tech companies who buy this information.
IAB similarly have an industry framework in place for compliance with the European General Data Protection Regulation (GDPR).
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
Cookiebot CMP and IAB CCPA Framework
Cookiebot CMP offers full compliance with the CCPA for websites, just as we enable compliance with the GDPR.
Our technology scans the depths of your domain to find all cookies and trackers, so you can provide full transparency to your consumers. Our solution also enables you to provide the mandatory Do Not Sell button for users to opt out of third-party data sales.
Cookiebot CMP supports the IAB CCPA Framework by default.
If you have users from California, Cookiebot CMP will automatically send signals downstream to third party vendors, informing them about your users’ preferences and exercised rights (such as to opt out of data sales).
Cookiebot CMP does this using U.S Privacy User Signal API (USP API).
If you wish to use the IAB CCPA Framework with Cookiebot CMP, you need to sign IAB’s Limited Service Provider Agreement.
Who can use the IAB CCPA Compliance Framework?
In the IAB Compliance Framework, businesses who collect personal information from California residents through “publisher digital properties” (i.e. websites, mobile apps etc.) are called Publishers, while those ad tech companies and data vendors that buy personal information are referred to collectively as Downstream Participants (also including supply-side platforms (SSPs) and demand-side platforms (DSPs) that enable real time bidding for ad agencies).
The IAB CCPA Compliance Framework means that publishers and downstream participants will have a uniform way of complying with the CCPA through a standardized process of communicating a consumer’s choice of exercising their rights (e.g. to opt out of third-party sales) “downstream” from the consumer generating the data, the website collecting it and the ad tech companies buying it.
How does the IAB CCPA Compliance Framework work?
IAB CCPA Compliance Framework has three main steps to it –
- An agreement that publishers (websites) must tell Californian consumers about their rights at the point of data collection, and that publishers must implement a Do Not Sell My Personal Information link on their digital properties (i.e. websites, mobile apps etc.)
- An agreed-upon way for publishers to communicate to ad tech companies that a California consumer has opted out of third-party data sales.
- An agreed-upon way for tech companies to operate after a Californian resident has opted out of third-party data sales.
Step 1 of the IAB CCPA Compliance Framework
As a legal requirement of the CCPA, publishers (i.e. businesses and their websites) who participate in the IAB CCPA Compliance Framework agree to provide an explicit notice to California residents informing them on their CCPA rights to:
- know what categories of personal information the business collects
- request disclosure of their personal information collected by the business
- have their data deleted
- opt out of having their data sold to third parties
Part of the IAB CCPA Compliance Framework agreement is for publishers to explain in clear terms what will happen to a consumer’s data once collected and sold, and to notify downstream technology companies that such disclosures have been given to the consumer.
Providing such information to the consumer is mandatory for compliance with the CCPA. Information about the rights of Californian consumers and about the categories of personal information that the business collects and sells to third parties must be provided to consumers at or before the point of collection.
The Do Not Sell My Personal Information link is also a cornerstone requirement for CCPA compliance for businesses.
It is the way in which California residents will be able to opt out of having their data sold by the businesses to third party ad tech companies and vendors, who use this data to recreate profiles for behavioral advertisement.
Step 2 of the IAB CCPA Compliance Framework
If a consumer exercises their right to opt out of third party selling, a signal is sent downstream from the publisher (website) to the technology company, informing them of the consumer’s choice. This way, the IAB CCPA Compliance Framework creates a service partner relationship (between the publisher and the ad tech companies to whom it sells consumer data) in which a data supply chain of information about the consumer’s choices and actions are communicated “downstream” from the websites, ad tech companies and vendors.
Step 3 of the IAB CCPA Compliance Framework
Once the consumer has exercised their CCPA rights to opt out of having their personal information sold to third parties, and the publisher has communicated this downstream, “strict rules” in the IAB CCPA Compliance Framework apply to ad tech companies and data vendors.
The sale of personal information must cease instantly when a consumer opts out and “strict limitations” on the use of the data already bought will be in effect for both the publisher and the tech companies, as specified under the CCPA.
IAB believes this will “provide participants [in the IAB CCPA Compliance Framework] with the opportunity to demonstrate accountability by requiring them to submit to audits and/or self-certifications to ensure that when the consumer opts out, limited personal information is being used only for purposes permitted by the CCPA.”
Who can participate in IAB CCPA Compliance Framework?
Any business that through real time bidding or direct transactions engages in the digital advertising industry can participate in the IAB CCPA Compliance Framework.
This means any businesses that through digital means collect personal information on California residents and in one way or another sells this data to other entities like marketing vendors and ad tech companies.
In order to be liable for CCPA compliance, a company must pass one of the three following thresholds:
- have an annual gross revenue exceeding $25 million,
- derive 50% or more of its annual revenues from selling California residents’ personal information,
- buy, receive, sell, or share the personal information of 50.000 or more California residents, households or devices a year.
There are no geographical restrictions to the CCPA, when it comes to a company’s location. This means that if you have a website in, say, Singapore or Italy that have an annual gross revenue exceeding $25 million, you are liable for CCPA compliance.
The same goes for websites around the world that collect the personal information of more than fifty thousand California residents annually.
Any company or organization that falls under the CCPA’s definition of business, and so engages in the digital advertising industry can participate in the IAB CCPA Compliance Framework.
Cookiebot CMP and CCPA compliance
Cookiebot CMP is a consent management platform that provides full compliance for websites with the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR), including other data privacy laws around the world.
Cookiebot CMP technology is provides real and thorough compliance in the data privacy industry. We automatically scan your website by simulating real-life users that scroll, click and navigate every possible corner, plugin and subpage of your domain to find all cookies and similar tracking technologies.
Our cookie declaration containing everything that the scanner found on your website includes the required Do Not Sell My Personal Information link.
For CCPA compliance, knowing exactly what cookies and trackers are present on your website, including third party cookies from ad tech companies, is a vital tool.
This is how you will be able to comply with the CCPA’s requirement of informing your end-users of the categories of personal information you collect, and which third parties you share it with.
Cookiebot CMP also provides the required opt in banners for the consent of minors under the age of 16, as required by the CCPA.
Using Cookiebot CMP means easy compliance with both the CCPA, GDPR and other data privacy laws around the world.
Our geotargeting function means that your website will know where in the world the visitor is located and automatically be able to present them with the right compliance solution.
Cookiebot CMP does not support the IAB CCPA Framework at this time, but we are working to integrate it in our CCPA compliance it in the future.
What is CCPA?
California Consumer Privacy Act (CCPA) is a statewide law in California that came into effect on January 1, 2020 and regulates how businesses all over the world are allowed to collect, handle and sell the personal information of consumers (legally California residents).
CCPA empowers consumers with the right to be informed, the right to request disclosure, the right to deletion and the right to opt out of having personal information sold to third parties.
It is a broad and ambitious law – the first of its kind in the United States.
Personal information is defined in the CCPA as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- Direct identifiers such as real name, alias, postal address, social security numbers, driver’s license and passport information.
- Indirect identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…
- Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…
- Geolocation data such as location history via devices,
- Internet activity such as browsing history.
Compliance with the data law means that businesses (those who fall under the definition of business) must inform consumers at or before the point of collection about the categories of personal information they collect.
Businesses are also required to feature a Do Not Sell My Personal Information link on their website, enabling consumers to opt out of third-party data sales.
Selling is defined broadly in the CCPA and includes renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
What is the IAB CCPA Compliance Framework?
The IAB CCPA Compliance Framework is a standardization of compliance between businesses who collect California residents’ personal information and the ad tech companies who buy this information. The IAB (Interactive Advertising Bureau) is a business organization for online advertisers, vendors and tech companies that develop industry standards for the ad tech sector, along with providing legal support and conducting research.
How does the IAB CCPA Compliance Framework work?
The IAB CCPA Compliance Framework functions by three steps: 1) websites must tell consumers about their rights and include the Do Not Sell My Personal Information link on their digital properties, 2) websites send a signal downstream to ad tech companies when a user decides to opt out of third party data selling, and 3) the immediate ceasing of the selling of personal information by websites and tech companies.
Who can participate in the IAB CCPA Compliance Framework?
Any business that engages in the digital advertising industry through real time bidding or direct transactions can participate in the IAB CCPA Compliance Framework. This means that if your company collects the personal information of more than fifty thousand California residents or derive 50% or more of your annual revenues from selling the personal information of California residents annually, you are liable under the CCPA and able to participate in the IAB CCPA Compliance Framework.
How does Cookiebot integrate with the IAB CCPA Compliance Framework?
Cookiebot offer full compliance and default integration with the IAB CCPA Compliance Framework. Cookiebot scans your website, detects all cookies and trackers and enables the mandatory Do Not Sell button for users to opt out of third-party data sales. Cookiebot automatically geo-targets users from California and signals downstream to third party vendors about the users’ preferences and choices.