On October 22, the Interactive Advertising Bureau (IAB), a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies (Framework) and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act (CCPA) by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt-out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create Service Provider relationships between publishers and advertising companies after a consumer registers an opt out. The IAB is requesting comments, which can be sent to privacy@iab.com, by November 5, 2019.

The Framework would apply to certain digital advertising activities likely to involve the “sale” of personal information (including automated buying and selling of ads based on audience segments, (i.e., programmatic advertising) programmatic auctions, (i.e., real-time-bidding transactions), and a brand’s retargeting of consumers on third party websites following their visit to a brand’s site). Publishers can choose whether a particular bid request (and the associated personal information) should be subject to the Framework. If the publisher uses the Framework for a particular bid request, then downstream Framework participants would be prohibited from sending that bid request to non-participating entities.

Responsibilities under the Framework would vary in part based on a participating organization’s role in the programmatic advertising supply chain.

  • Publishers engaging in “sales” would be responsible for providing California consumers with explicit notice and an opportunity to opt-out of the “sale” of personal information. The Framework proposes a mechanism to provide such notice. Publishers would also be responsible for signaling to downstream participants whether to treat a bid request as relating to a California consumer, whether the publisher provided the consumer with explicit notice and an opportunity to opt-out of sales, and whether the consumer has opted out.
  • Downstream participants, including supply side platforms (SSPs) selling ad inventory for publishers, demand side platforms (DSPs) helping advertisers place ads, ad servers, ad agencies, data management platforms (DMPs) holding audience and ad campaign data, and others, would be responsible for receiving signals from publishers (or participants higher in the stream) and modifying how the participant processes information associated with the bid request. If the bid request relates to a consumer that has opted out of sales, then the participant would need to process the information solely in the capacity of a “Service Provider” under the CCPA.

The Framework will be supported by a standard contract designed to create Service Provider relationships between publishers and advertising intermediaries once a consumer has opted out of “sales.” The contract — the IAB Limited Service Provider Agreement (Agreement) — will provide for “springing rights and obligations.”

The Agreement’s “springing rights and obligations” would function as follows. Downstream participants will be able to process personal information for their own commercial purposes until a consumer has opted out of sales. Once a consumer has submitted an opt-out request, rather than entirely preventing the downstream transfer of personal information for advertising purposes, the Agreement would require the downstream participant to process that consumer’s information only for limited business purposes in line with the CCPA (e.g., delivering ads, measuring ad impressions, and reporting on personalized ads) and would prohibit using information to augment existing profiles, to create new profiles, or for other commercial purposes.

The Agreement would also require Framework participants to submit to audits to confirm they have complied with their obligations and satisfied their representations and warranties. The IAB plans to release the Agreement for review in the next quarter.

Stakeholders interested in commenting on the draft Framework can send comments to privacy@iabtechlab.com by November 5, 2019. IAB has indicated it plans to release version 1.0 of the Framework next month so stakeholders can prepare before CCPA goes into effect January 1, 2020.