With 2020 upon us, so is the newest privacy law. Launching on January 1, 2020, the California Consumer Privacy Act (CCPA) allows consumers to opt out from companies being able to use their personal information to serve digital ads. While this new law has some similarities to the legislation recently implemented in the EU (GDPR), there are certainly some nuances that both sides of the advertising ecosystem will need to take into consideration.
At Index Exchange, we’re implementing the IAB’s CCPA Framework for OpenRTB (see the specifications here), and encourage the media owners we work with, as well as others in the ad tech ecosystem, to do the same. We view ourselves as a service provider under the CCPA, processing personal information on instruction of—and for the benefit of—media owners.
In order to help media owners and buyers navigate these potentially unfamiliar waters, we’ve pulled together the following FAQ:
What you need to know about CCPA
What is the CCPA law?
The CCPA is a new privacy law allowing consumers in California to opt out of companies being able to use their personal information, including for the purpose of serving digital ads.
It applies to any company handling personal information of California residents. The law uses the term “sell” in regards to personal information, but that term is defined very broadly to include:
In order to be compliant with the law, businesses that collect and sell the personal information of California residents must put up a banner on their website with a “Do Not Sell My Personal Information” link that allows a consumer to opt out of the sale of their personal information to other parties.
Businesses can instead choose not to provide a personalized ad experience for consumers in California. They also have to give consumers the right to access or delete any personal information the business may have about them.
When does the CCPA go into effect?
The law goes into effect on January 1, 2020. In practice, the California Attorney General’s office has indicated that they won’t enforce it until July 1, 2020.
What is the IAB’s US Privacy Framework?
The IAB’s US Privacy Framework is an attempt by the ad tech industry to create a standardized way to comply with the legal requirements under CCPA and any other future US privacy laws. This framework tells us how to collect and pass on the signal that a consumer has opted out in a standardized way.
Media owners can choose not to use the framework and do it in a non-standard way, too. Either way, the signal must get passed along to exchanges, who will pass it on to DSPs.
What is a limited service provider?
The IAB’s US Privacy Framework also includes a Limited Service Provider Agreement. It is a way for downstream parties, like ad exchanges, to standardize their relationship with media owners, identifying themselves as service providers.
By signing this contract, all downstream parties become limited service providers that can only use personal information for specific business purposes like frequency capping, ad measurement, ad delivery, fraud prevention, and other purposes that don’t involve personalizing advertising.
What happens if a consumer opts out?
- At minimum, consumers are opted-out for the website and device/browser pair where they selected the opt-out. For example, if you opt out on XYZ.com on desktop, you have not opted out on the XYZ mobile app. This example won’t always be the case as some media owners may choose to sync the consumer’s choice across all of their channels.
- An opt-out does not mean the consumer won’t be served any ads, it only means that personal information is no longer used for ad personalization.
- Media owners can still serve the following types of ads when a consumer has opted out:
- Non-personalized ads
- Ads based on a media owner’s first-party data, for example data CNN itself has collected about you
- Ads based on third-party data acquired prior to CCPA
What does CCPA mean for me?
For IX Library users:
- We’re implementing the IAB’s CCPA Compliance Framework (review the technical specifications here) for our Library product, and will be ready to receive, handle, and pass forward the consumers’ opt-in or opt-out preference via the us_privacy string.
- You don’t need to make any code updates to your implementation of the IX Library. So long as you’re collecting and sharing the us_privacy string as per IAB specifications, the IX Library will automatically pick up the signal. Please contact your Index account representative to have your IX Library configured to read the signal.
- It is the media owner’s responsibility to accurately collect and pass on the consumer’s consent signals. You can enlist the help of a consent management platform (CMP) to manage consent preferences but it isn’t mandatory.
- The IX Library will also share the us_privacy string from the US Privacy API with all certified adapters configured in your library, from which point on adapters supporting CCPA will be able to pass the signal onward to their respective platforms.
- For media owners who sign the IAB’s Limited Service Provider Agreement, no further contract addendums are required between us.
For Prebid Adapter users:
- We’ve updated our integration with Prebid’s Library to include handling of the us_privacy string.
- If using the Prebid Library, you’ll need to update your integrations and deploy it on your site.
- Information about CCPA updates to Prebid’s adapter can be found here, where Index Exchange is listed as an adapter supporting CCPA.
For DSPs, agencies, and marketers:
- We’re implementing the IAB’s CCPA Compliance Framework for our Library product, and will be ready to receive, handle, and pass forward consumers’ opt-in or opt-out preference via the us_privacy string.
- We’ll pass the us_privacy field in the Regulations Object—please see our Knowledge Base for all the details
Should you have any further questions, please don’t hesitate to connect with your account lead directly or use our contact form.
Back to blog