The enforcement date of January 1, 2020 for the California Consumer Privacy Act (CCPA) will be here before we know it. The CCPA is a state law meant to provide personal data protections to California residents. While the language of the CCPA is not as restrictive as that of the General Data Protection Regulation (GDPR), there is still a need to communicate consumer choice (e.g. Do Not Sell my data) to vendors in the advertising ecosystem.
The IAB Tech Lab, with collaboration from members of working groups, has released a draft version of the CCPA Industry Compliance Framework (the “Framework”). The new Framework provides a standardized implementation for advertising industry participants to know when a consumer opts-out of the sale of his or her personal information. While the draft version of the Framework policy clearly contains a lot of information, of particular note is the statement that sharing some personal information is required and necessary to perform advertising-related functions. The inclusion of this reinforces what many of us believe and stand behind – that advertising must, and will, continue, even in the face of additional regulation.
In addition to the technical solution to transmit CCPA signals, the IAB will release the IAB Limited Service Provider Contract as a contractual guideline to be used in tandem with the Framework by the industry. The terms within the contract extend business purposes and statutory limitations regarding the authorized use of a consumer’s personal data once he or she has opted-out of having their data sold.
You might be thinking this sounds a lot like GDPR.
While there are some similarities when speaking in broad terms of passing a standardized string of information for both GDPR and CCPA, there are also many differences. The biggest differentiator is that CCPA does not require “opt-in” consent to process a consumer’s data. And, unlike the robust details of the Transparency & Consent Framework v2.0, the initial version of the US Privacy String is lightweight, yet extensible, to accommodate for the short development timeline to implement CCPA.
How short of a development cycle should we expect?
Given that we are running up against the end of year holiday season, a time when resources are stretched to the limit and many publishers and vendors avoid making significant product changes, ad industry participants have a very tight turnaround to support the Framework by January 1.
The IAB is “asking publishers, technology intermediaries, ad agencies, brands, data companies, and all other participants in the digital advertising supply chain to provide input on the draft framework by November 5, 2019, after which [they] will release a final version for companies to adopt before the California law takes effect.” – IAB Press Release Oct. 22, 2019.
Many of us understand that CCPA is one of the first state laws put into place to protect consumer data, but CCPA will definitely not be the last. Here at SpotX, we’re dedicated to helping our publishers and partners educate themselves on CCPA and prepare for its implementation.
If you missed the first few blog posts on CCPA, check them out using the links below.
What You Need to Know About California’s New Privacy Measure
Who Does the California Consumer Privacy Act Apply To: Penalties and Impacts on Ad Tech
This article 
was written by Jessica Berman, senior product manager at SpotX