The California Consumer Privacy Act (CCPA) is a landmark consumer privacy bill that will take effect on Jan 1, 2020. The intention of the act is to enhance the privacy and consumer protection rights of California residents.
Why are we here?
All players in the ad tech ecosystem — publishers, technology intermediaries, ad agencies, brands, data companies, and all other participants — need a way to ensure that everyone is playing by the same rules. Moreover, the IAB and other industry analysts suggest that sending personal information via the RTB standard may constitute a “sale” under the CCPA. This means there needs to be a way to know that a user has been provided the required information the CCPA mandates (explicit notice), and a way to indicate when the user has exercised his or her right to opt out of the sale of personal information.
To address this, the IAB released two complementary methods for communicating CCPA compliance throughout the ad tech supply chain, particularly within RTB:
- A technical specification called the IAB CCPA Framework (Framework) which utilizes a US Privacy String (USP String) similar to the IAB’s GDPR solution (the Transparency and Consent Framework (TCF))
- A standardized legal document called the Limited Service Provider Agreement (LSPA)
What is the US Privacy String?
The Framework, which we introduced in a blog post in October, provides a mechanism to notify downstream vendors that participating publishers have provided explicit notice of “sale” as required by the CCPA, and whether the consumer exercised his or her right to object to the sale by clicking a “Do Not Sell My Personal Information” link. The USP String itself consists of four characters:
|String Component||Expected Value||Definition|
|1) Specification Version||Number (1 char in string)||The version of this string specification|
|2) Explicit Notice/Opportunity to Opt Out||ENUM (N = No||Has explicit notice been provided and the opportunity to opt out of the sale of their data?|
|3) Opt-out Sale||ENUM (N = No||Has user opted-out of the sale of his or her personal information?|
| ||(N = No||Publisher is a signatory to the IAB Limited Service Provider Agreement|
The USP String is added to all ad requests, bid requests, and user syncs to ensure the information flows between each member of the ad tech ecosystem and that the sender and recipient are able to properly comply with the CCPA.
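A recipient of an ad request, bid request, or user sync has to read these four characters before deciding how to treat the request. The parser below is an added example, not code from the IAB or SpotX; the `Y` and `-` (not applicable) values follow the IAB US Privacy String specification rather than the truncated table above, and the function names and the choice to treat malformed strings like an opt-out are assumptions of this example.

```javascript
// Added example: parse and act on the four-character US Privacy String.
// Assumption: 'Y' (yes) and '-' (not applicable) follow the IAB US Privacy
// String specification; the table on this page only shows 'N'.
const FIELDS = ["explicitNotice", "optOutSale", "lspaCovered"];
const VALUES = { Y: true, N: false, "-": null }; // null = not applicable

function parseUspString(raw) {
  if (typeof raw !== "string" || raw.length !== 4) {
    return { valid: false, reason: "expected exactly 4 characters" };
  }
  if (raw[0] !== "1") { // this example only understands specification version 1
    return { valid: false, reason: "unsupported version" };
  }
  const parsed = { valid: true, version: 1 };
  for (let i = 0; i < FIELDS.length; i++) {
    const ch = raw[i + 1].toUpperCase(); // accepting lower case is this example's choice
    if (!Object.prototype.hasOwnProperty.call(VALUES, ch)) {
      return { valid: false, reason: `invalid value at position ${i + 2}` };
    }
    parsed[FIELDS[i]] = VALUES[ch];
  }
  return parsed;
}

// Hypothetical helper: summarise the sale signal carried by a request.
function classify(raw) {
  const p = parseUspString(raw);
  if (!p.valid) return "invalid";
  if (p.optOutSale === true) return "opt-out";
  return p.optOutSale === null ? "not-applicable" : "no-opt-out";
}

// Hypothetical policy gate for profile creation, which the article says is
// not permitted after an opt-out. Malformed strings are treated like an
// opt-out (fail closed); that is this example's choice, not an IAB rule.
function mayBuildProfile(raw) {
  const signal = classify(raw);
  return signal === "no-opt-out" || signal === "not-applicable";
}

// Constructed sample strings, as they might arrive on bid requests.
for (const s of ["1YNN", "1YYY", "1---", "1YXN", "2YNN", ""]) {
  console.log(JSON.stringify(s), classify(s), mayBuildProfile(s));
}
```

Logging every `invalid` result with the sending partner's identifier makes it possible to spot an integration that is dropping or corrupting the string in transit.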
What is the Limited Service Provider Agreement?
Coupled with the technical solution is a legal solution called the LSPA. The goal of the LSPA is to ensure that each vendor respects the opt-out of the user and knows what they can and cannot do with the personal information in a request. The LSPA takes advantage of an interesting paradigm within the CCPA: a “sale” of personal information is only a “sale” if the personal information is transferred to a “Third Party,” but is not classified as a “sale” if the same personal information is transferred to a “Service Provider.”
A “Service Provider” is defined as a “[business]…that processes information on behalf of a business [in this case, publisher] and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract…” (1798.140(v) of the California Civil Code)
The LSPA creates a simple and efficient way to create service provider agreements in the ad tech supply chain rather than having hundreds of separate contracts. The LSPA ensures participants demonstrate accountability through audits and self-certifications which prove personal information is only being used for purposes permitted by the CCPA and the LSPA. It also clearly outlines the approved behavior of every partner in the case that a user opts out of the sale of their data. As soon as the user clicks “Do Not Sell,” the LSPA kicks in and each downstream partner becomes a service provider for that particular transaction.
The IAB mapped the digital advertising activities they had already defined for the ad tech industry in the TCF 2.0 to the LSPA. In this manner, it should be easier for each ad tech vendor to comply since vendors have likely already mapped their internal behaviors to the TCF 2.0 purposes. When a user opts out, downstream participants such as SSPs and DSPs are permitted to select, deliver, and even personalize ads as long as they only use the information they had before the user opted out. Framework participants aren’t permitted to create a personalized ads or content profile since the user has exercised their right to stop having their data sold moving forward. See below for a summary of permitted activities when a user has opted out:
CCPA Business Purposes
|Digital Advertising Activities||Auditing||Security/||Debugging||Processing or fulfilling orders and transactions||Providing Advertising or Marketing Services|
|Store and/or access information on a device||Y||Y||Y||Y||Y|
|Select basic ads||N||Y||Y||Y||Y|
|Create a personalized ads profile||N||N||N||N||N|
|Select personalized ads||N||Y||Y||Y||Y|
|Create a personalized content profile||N||N||N||N||N|
|Measure ad performance||Y||Y||Y||Y||Y|
|Apply market research to generate audience insights||Y||Y||Y||N||Y|
|Technically deliver ads||N||Y||Y||Y||Y|
Consult the full table under Schedule B for a complete list of permitted activities under the service provider designation for “covered opt out transactions.”
We are hopeful that the industry will adopt a standardized solution like this one and we’ve already heard positive initial reports that publishers and buyers plan to adopt.
We strongly suggest any affected partners join this industry-standard framework, sign the agreement, and implement the technical specification.
We are also evaluating the DAA Ad Choices proposed solution, which could complement the Framework nicely, though we don’t have firm plans yet.
If you’re interested in learning more, read our CCPA blog series or contact our privacy task force.
This article was written by Eric Shiffman, senior product marketing manager at SpotX