After having strongly criticized CCPA, the IAB has released a CCPA Compliance Framework for publishers and martech companies. The document, similar to the trade group’s GDPR compliance framework, has received input from multiple stakeholders, lawyers and other experts. It’s “intended to be used by those publishers who ‘sell’ personal information and those technology companies that they sell it to.”

Framework elements. There are two primary parts to the Framework:

  • A master contract that binds supply chain partners to specific behaviors that meet the law’s provisions.
  • A set of technical specifications that guide companies on how to implement the contract mechanically in their operations.

As a practical matter, the document provides guidance for publishers and technology companies participating in behavioral targeting and the programmatic ecosystem. CCPA doesn’t apply to all businesses handling data; there are a number of exceptions. Beyond this, there are some terms in the statute that are the focus of considerable scrutiny and strategizing. Chief among them is the word “sell,” as in “do not sell my information” — one of the core consumer protection features of CCPA.

Parsing the meaning of “sale.” The IAB document says, “This Framework is intended . . . to support those industry participants who choose to ‘sell’ and receive personal information in RTB transactions.” It further explains, “We recognize that participants in the digital advertising industry have different perspectives concerning the scope of the definition of ‘sale.’ For example, certain industry participants believe they can transfer certain personal information of Consumers to those who are not ‘service providers’ (as defined by CCPA) and not have that constitute a ‘sale.’”

As suggested above, some lawyers have seized upon the term “sell” to “shelter” from CCPA compliance. However, the statute itself defines “sale” and “sell” expansively:

“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

The term “valuable consideration” is also subject to potential interpretation, but could (and likely does) include any exchange of value, not just monetary payments — hence the “or other” language. The meaning and resolution of these “ambiguities” will probably be clarified by the California Attorney General or, ultimately, by a court.

Do not sell. All companies governed by CCPA must “[p]rovide a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.” Depending on how this is implemented and how many consumers choose to opt-out, “do not sell” could be disruptive to publisher ad revenues and data companies.

To that end, the Framework also offers publishers consumer-facing sample language for use on their websites:

We/Publisher/Advertiser/and our advertising partners collect personal information (such as the cookies stored on your browser, the advertising identifier on your mobile device, or the IP address of your device) when you visit our site (or use our app). We, and our partners, use this information to tailor and deliver ads to you on our site (or app), or to help tailor ads to you when you visit others’ sites (or use others’ apps). To tailor ads that may be more relevant to you, we and/or our partners may share the information we collect with third parties. To learn more about the information we collect and use for advertising purposes, please see our [link]Privacy Policy.

If you’re trying to keep people from opting out, there are probably more effective ways to suggest that consumers who do may get less relevant or interesting ads. But that’s a different discussion.

Those who wish to comment on the Framework should send their remarks to privacy@iab.com by November 5, 2019.

Why we should care. While we still don’t know how big an impact CCPA will have — GDPR has not had the radical effect on the market (so far) that many were predicting — all parties potentially subject to CCPA should take a close look at the IAB Compliance Framework. However, as the IAB itself points out, the documents are not a substitute for legal advice. Nor does adoption of the contractual provisions of the Framework ensure that companies will be deemed compliant by regulators in California. It’s likely the IAB’s Framework will be adopted by most affected companies in the run-up to January and June 2020, when enforcement actually begins.

About The Author

Greg Sterling is a Contributing Editor at Search Engine Land. He writes about the connections between digital and offline commerce. He previously held leadership roles at LSA, The Kelsey Group and TechTV. Follow him on Twitter or find him on LinkedIn.