With the new California Consumer Privacy Act (CCPA) set to go into effect on January 1, the Interactive Advertising Bureau (IAB) and the IAB Tech Lab have released for public comment a draft CCPA Framework for Publishers and Technology Companies.
The new Framework, which builds on the Transparency and Consent Framework that the IAB Tech Lab and IAB Europe created for the European Union’s General Data Protection Regulation (GDPR), consists of a master contract for publishers’ supply chain partners and a set of technical specs.
Privacy String
Unlike GDPR, which specifies that companies targeting EU citizens must receive consent for all uses of all collected user data, CCPA is primarily focused on providing an opt-out to users for the sale of their data. Unless users opt-out, publishers are allowed to sell their data.
To help publishers and providers accomplish this goal, the Framework’s contract binds publishers’ partners, such as ad networks, to CCPA-compliant behaviors.
The tech framework sets up specs for a Privacy String that contains the user’s opt-out decision, as well as an API and OpenRTB Extension to support distribution of the String throughout the ad ecosystem. This tech framework resembles the specs for the GDPR-focused Transparency and Consent Framework.
But there are significant differences between the Frameworks for each law.
GDPR vs. CCPA
First of all, there is a central repository in the IAB’s GDPR Framework for users’ privacy consents, a site called Consensu. It exists, IAB Tech Lab EVP and GM Dennis Buchheim told ClickZ, “because we thought it made sense to have a global storage mechanism” for GDPR.
By contrast, although CCPA covers all collected user data, the IAB Framework is focused on publishers obtaining visitors’ data, and the resulting opt-out is then stored by the publisher in a first-party cookie or in an app’s local device database. The opt-out choice is then made available during an OpenRTB ad call.
Essentially, Buchheim said, CCPA is like the privacy restrictions often surrounding direct mail, where marketers might agree not to sell the user data without user permission, but they can employ the collected data for their own purposes. Unlike GDPR, CCPA is designed around the sale of data, and doesn’t require permission for use of data for ad targeting.
In this way, it resembles the recent Maine privacy law, which is focused only on the sale or sharing of user data by ISPs.
Biggest to-do
Buchheim acknowledged that, since the CCPA Framework is focused on site or app publishers’ relationship with their users, it doesn’t directly cover, say, location data providers. These providers might acquire at least some of their data outside of apps or sites, such as through a visit to a physical store by a customer with a smart phone.
The Framework also doesn’t cover Internet-connected TVs or any of the other data collecting devices that have emerged, like smart cars or refrigerators, although Buchheim said it might be expanded beyond computers and mobile devices at some point.
But the biggest to-do for the CCPA Framework depends on the final requirements of the California law, which is vague in many details. The state’s Attorney General has issued some guidelines, but Buchheim indicated he expects the shape of the law will continue to evolve as it heads toward the implementation date.
The new IAB Framework is accepting comments until November 5.