The Interactive Advertising Bureau (IAB) is out with version 1.0 of the CCPA Compliance Framework for Publishers and Technology Companies, along with a Limited Service Provider Agreement. It is the final release version of the organization’s policy agreement and vendor contract for publishers and vendors to comply with the new California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020.
In mid-November, the IAB Tech Lab released its final draft of version 1.0 of the technical specifications for the U.S. Privacy String format, an API, and the OpenRTB parameters.
Both the framework and the technical specifications build on earlier draft versions. In October, the IAB released for comment a draft version of the CCPA framework, as well as the IAB Tech Lab’s draft technical specifications for a privacy string that held a user’s decision about whether to opt out of allowing personal data to be sold or exchanged by online publishers. The string is made available to a site’s partners, such as ad networks.
These new release versions of the framework and technical specifications have some minor revisions that were based on feedback from the draft versions, IAB SVP and General Counsel Michael Hahn told RampUp.
The privacy string and other elements build on the IAB’s previous Transparency and Consent Framework for the European Union’s General Data Protection Regulation (GDPR). That GDPR framework has provided a mechanism to handle many of GDPR’s requirements for how publishers manage user info and deliver ads, so the new CCPA framework could similarly help to stabilize CCPA compliance.
Although the Limited Service Provider Agreement had been referenced in the earlier for-discussion version of the framework, Hahn said, an actual draft was not previously released. It was written, he added, after input from several hundred industry lawyers.
Publishers as Service Providers
Hosted by the IAB, the provider agreement allows publishers and their supply chain partners to become signatories to the CCPA framework by signing up online. Additionally, the framework also allows publishers—many of which have multiple sites—to indicate they are participating in the framework, even when their sites are still in the process of complying, and to register their sites.
As Hahn noted in a blog post accompanying the release of 1.0, the framework and provider agreement are intended to cover both publishers who sell personal information and the tech companies to which they sell the information, thus creating a “service provider” relationship that applies limitations and accountability to the data collected and used.
The service provider relationship provides an agreed-upon connection between vendors and publishers, so that vendors are covered by the Service Provider Agreement and are thus part of the publishers’ privacy compliance under CCPA.
Tying the vendors to the sites is intended to coordinate the tracking of the consumer rights made available through CCPA. In addition to opting out of the exchange or sale of personal information, those rights now also include accessing personal information and requiring the deletion of personal information.
Still Somewhat Works-In-Progress
The CCPA is primarily focused on the sale of data by publishers, and doesn’t require permission for the use of data for ad targeting, as GDPR does. Even if publishers do not actually sell personal information in the delivery of a digital ad, Hahn noted, the framework can still be leveraged as a way of classifying the information so that site visitors could opt out of having their site information used in that fashion.
Additionally, the CCPA at this point doesn’t directly cover non-site collection of users’ information, such as location data, except when visitors to publishers’ sites might have their location extracted.
Both the GDPR and the CCPA are still works-in-progress to some degree. GDPR is governed by regulators in each of the EU countries, so there are still many versions and interpretations underway, even though that law went into effect in May 2018.
CCPA’s final regulations are still to be specified by the California Attorney General. Although the compliance date for the law is January 1, 2020, enforcement will actually begin six months after the Attorney General issues the final regulations, but no later than July 1, 2020. However, businesses are expected to make good faith efforts at compliance beginning the first of the year, even though the particulars are not entirely set.