On September 17, 2019, numerous stakeholders in the digital advertising industry, including publishers, advertisers/brands, AdTech companies, and law firms (including numerous representatives from BakerHostetler) convened at the Interactive Advertising Bureau’s (IAB) headquarters in New York for a preview of its CCPA Industry Compliance Framework.
Throughout the course of 2019, IAB has solicited input from a broad swath of digital advertising industry stakeholders to develop the industry’s approach to addressing consumer Do Not Sell requests arising out of the multiparty, downstream sharing of consumer behavioral data to effectuate interest-based advertising. IAB’s efforts began by addressing what level of industry cooperation is required in ad buying transactions to cause compliance with the CCPA, and developing policy parameters around a technical solution to pass “signals” relating to the sale of personal information (or restrictions thereof).
The downstream sharing of this behavioral data involved in digital advertising is implicated by Section 1798.115(d) of the CCPA, which requires that a third party cannot onward sell (i.e., sell data that has been sold to it) unless the consumer has received explicit notice and is provided the opportunity to opt-out pursuant to Section 1798.120. In short, the IAB framework addresses the fact that various participants in the interest-based advertising ecosystem must onward sell personal information, but do not have the ability to obtain the explicit notice required by .115(b), which is only afforded to website and mobile application publishers (a website operator with advertising on its site or app).
To address the challenges of the CCPA’s Do Not Sell obligation, the IAB and IAB Tech Lab propose a technical solution which includes the sending of a variety of signals by the publisher to downstream participants in the AdTech/interest-based advertising ecosystem. They also seek to address the lack of a contractual relationship between the publisher and downstream participants (such as the buy-side ad server). To do so, IAB is developing a limited service provider contract, with which downstream participants must enter into with an IAB entity.
IAB will be releasing the CCPA Industry Compliance Framework as follows:
|Projected Due Date||Item|
|Late September/Early October||Technical specification draft ready|
|October||IAB will publish the draft industry compliance framework and technical specifications and open a 14-day industry public comment period|
|October||Close public comments|
|October/November||Final technical specs published/Industry business adoption of specifications begins|
|October and onward||Technical education and support for implementers|
|Mid-November||IAB Limited Service Provider Contract released|
Takeaways from the In-Person Meeting
- IAB’s solution is flexible and does not make its own interpretation of sale. Rather, when a consumer opts-out of sale, the downstream parties are required to use it in a way that falls into a non-sale category.
- IAB will be updating the solution in view of the Attorney General’s regulations, as necessary. Since the solution seems to allow for the assumption that a visitor to a publisher site is a California consumer based on IP address, several asked whether that would be acceptable under the CCPA (i.e., since there are several ways to mask IP address to be outside of California or change it so that someone appears to be located in California). The regulations regarding verifiable consumer requests and identity verification may clarify the IAB’s position in this regard.
- Attendees were interested in how the solution would interact with or reconcile deletion requests by consumers. IAB representatives indicated that they were considering the issue.
In addition to operationalizing Do Not Sell requests, publishers and advertisers will also have to consider how to integrate Do Not Sell requests with opting out of cookies on their sites and apps for cookie providers that are not qualified service providers. The Network Advertising Initiative, another digital advertising industry organization, proposed regulations that where a company only has pseudonymous data (e.g., hashed cookie data which is used widely in AdTech) that it could deem that party non-verifiable and ignore the request. We have had high level conversations with senior executives at major rights management platforms, several of which have started developing a way to automatically integrate a Do Not Sell request to cookie opt-outs. We will continue to monitor the IAB’s solution and the release of draft regulations by the Attorney General and provide updates here.