After having strongly criticized CCPA, The IAB has released a CCPA Compliance Framework for publishers and martech companies. The document, similar to the trade group’s GDPR compliance framework, has received input from multiple stakeholders, lawyers and other experts. It’s “intended to be used by those publishers who ‘sell’ personal information and those technology companies that they sell it to.”
Framework elements. There are two primary parts to the Framework:
- A master contract that binds supply chain partners to specific behaviors that meet the law’s provisions.
- A set of technical specifications that guide companies on how to implement the contract mechanically in their operations.
As a practical matter, the document provides guidance for publishers and technology companies participating in behavioral targeting and the programmatic ecosystem. CCPA doesn’t apply to all businesses handling data; there are a number of exceptions. Beyond this, there are some terms in the statute that are the focus of considerable scrutiny and strategizing. Chief among them is the word “sell,” as in “do not sell my information” — one of the core consumer protection features of CCPA.
Parsing the meaning of “sale.” The IAB document says, “This Framework is intended . . . to support those industry participants who choose to ‘sell’ and receive personal information in RTB transactions.” It further explains, “We recognize that participants in the digital advertising industry have different perspectives concerning the scope of the definition of ‘sale.’ For example, certain industry participants believe they can transfer certain personal information of Consumers to those who are not ‘service providers’ (as defined by CCPA) and not have that constitute a ‘sale.’”
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
The term “valuable consideration” is also subject to potential interpretation, but could (and likely does) include any exchange of value, not just monetary payments — hence the “or other” language. The meaning and resolution of these “ambiguities” will probably be clarified by the California Attorney General or, ultimately, by a court.
Do not sell. All companies governed by CCPA must “[p]rovide a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.” Depending on how this is implemented and how many consumers choose to opt-out, “do not sell” could be disruptive to publisher ad revenues and data companies.
To that end, the Framework also offers publishers consumer-facing sample language for use on their websites:
If you’re trying to keep people from opting out, there are probably more effective ways to suggest that consumers who do may get less relevant or interesting ads. But that’s a different discussion.
Those who wish to comment on the Framework should send their remarks to firstname.lastname@example.org by November 5, 2019.
Why we should care. While we still don’t know how big an impact CCPA will have — GDPR has not had the radical effect on the market (so far) that many were predicting — all parties potentially subject to CCPA should take a close look at the IAB Compliance Framework. However, as the IAB itself points, out the documents are not a substitute for legal advice. Nor does adoption of the contractual provisions of the Framework ensure that companies will be deemed compliant by regulators in California. It’s likely the IAB’s Framework will be adopted by most affected companies in the run