In a move likely welcomed by publishers seeking a solution to honoring “sale” opt-outs in the interest-based advertising space, the Interactive Advertising Bureau last week released the IAB California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies. The IAB is the trade association for the digital media and marketing industries, and it developed the Framework to help publishers (i.e., websites) and the online advertising supply chain comply with the CCPA—and particularly with the CCPA’s right to consumer opt-outs of “sales” of personal information.

The Framework sets up a system in which a consumer opt-out has the result that the parties in the digital advertising supply chain become limited service providers to the publisher, such that there is no longer a “sale” with respect to those consumers’ personal information. A limited service provider may still serve ads on behalf of the publisher, but those ads cannot involve any “sale” of personal information under the CCPA.

IAB is accepting public comments to the Framework until Tuesday, November 5, 2019. Comments should be emailed to privacy@iab.com. The draft Framework and draft technical specifications for the Framework can be accessed here.

The Framework

Recall that the CCPA gives consumers the right to opt out of “sales” of their personal information, where a “sale” is a disclosure or making available of personal information for monetary or other valuable consideration. Certain types of interest-based advertising may involve a sale because, for example, an advertiser may receive or reap the benefit of information collected on a third-party website in exchange for information collected on its own website—all so that each advertiser can more precisely target its own ads. If there is a sale of personal information, California consumers have the right to opt out of it (or into it, if they are under age 16).

As part of the Framework, the IAB is developing a Yes/No signal that a participating publisher can implement in connection with its CCPA “Do Not Sell My Personal Information” link. If a user clicks that link to opt out of the sale of his or her personal information, the “No” signal and accompanying device and browser identifier will be sent to downstream digital advertising parties so that they can effectuate the opt-out. When this happens, the parties in the advertising supply chain will become service providers to the publisher with respect to the opted-out user and then serve to that user only advertising that does not involve a “sale” of the user’s personal information (e.g., contextual ads or certain retargeted ads). The move to becoming service providers is effectuated via a Limited Service Provider Agreement that establishes contractual privity among its signatories—that is, the various players in the online advertising ecosystem, such as the publisher and demand- and sell-side platforms.

Takeaway

With the IAB’s introduction of the Framework, we are gaining insight into how some digital advertisers see themselves fitting into a post-CCPA world. Here, the IAB provides for a “limited service provider” relationship between publishers/advertisers and downstream digital advertising parties, which would allow such parties to continue serving ads — but which would not allow the downstream parties to aggregate or use personal information across clients or use personal information for its own purposes. Whether this solution sufficiently addresses the concerns of parties in the digital advertising supply chain remains to be seen as comments are submitted and companies sign on. The Digital Advertising Alliance, among others, is also working on compliance tools for the CCPA, and other compliance solutions may take different stances on salient provisions of the CCPA.