IAB releases CCPA compliance framework ahead of Jan. 1 rollout

The California Consumer Privacy Act (CCPA) has been looming on the horizon for over a year now, but we've all been in-the-dark when it comes to implementation.

CCPA officially takes effect on January 1st, and marketers are scrambling to make sense of the madness. To help soothe the transition, the Interactive Advertising Bureau (IAB) recently released its CCPA Framework — which will help marketers clear the CCPA fog when it comes to ad targeting and publisher data.

Let's take a look.

A CCPA refresher

The California Consumer Privacy Act (CCPA) was created on June 28, 2018, and goes into effect on January 1st, 2020. Broadly, CCPA means to protect consumers' data in California, but it has implications for every business in the United States. Since it impacts any brand that is "doing business with California residents," it's safe to assume that it applies to hundreds of brands nationwide — as long as they meet one or more of the following criteria:

• Have $25 million or more in annual revenue
• Possess the "personal data" (this includes basically any type of consumer data) of more than 50,000 consumers
• Earns over 50% of revenue from selling consumer data

However, other states have announced plans to enact similar laws, and Microsoft has already promised to extend CCPA protections to all customers in the US. 

CCPA vs GDPR

The European Union's General Data Protection Regulation (GDPR) already covers similar grounds, has a similar scope (albeit a more granular one), and loosely defines "personal data" to be an all-encompassing term. Overall, GDPR compliance is stricter, more defined, and provides more rights to consumers, except in two specific ways:

1. CCPA forces marketers to include an opt-out "Do Not Sell My Personal Information" link. Consumers can click this link to altogether opt-out of ALL data collection services.
2. CCPA defines new roles (that GDPR doesn't) in the consumer data ecosystem, namely "Service Providers" and "Third Parties."

This is where things start to get tricky.

How do third-party entities like ad tech vendors know if consumers opted out? The relationships between third-party vendors, brands, and consumers has the potential to be headache-inducing.

Overall, CCPA requires that ad tech vendors have a clearer, more transparent relationship with brands. But that's "on paper." How does that process actually take place, and what kind of tech is required to enable that relationship?

Programmatic advertising and CCPA

To be entirely honest, CCPA isn't a tough sell. GDPR has a far more rigid set of rules, and the bulk of CCPA is already included in GDPR.

Currently, every marketer should be following GDPR guidelines (or at least using tools that automate GDPR compliance.) So, it shouldn't be surprising that this new IAB CCPA Framework is remarkably similar to the Transparency and Consent Framework (TCF) developed by IAB's Europe team for GDPR.

But they're not identical.

The most significant difference is the opt-out link. Vendors need to immediately be aware that the opt-out link has been clicked to control their programmatic spend and utilization. To facilitate this shared ecosystem, IAB has created a methodology and technology for alerting third-party ad tech vendors that consumers have opted out.

According to IAB:

"When a user clicks [the 'Do Not Sell My Personal Information'] link, a signal is sent to the technology companies with which the publishers do business via a technical mechanism that is based upon specifications developed by the IAB Tech Lab."

Once this signal is received by the ad tech company, it ceases the sale of consumer information for that individual, and it causes all downstream tech companies handling that consumer's data to switch their roles over to "service providers" — changing how they're legally able to interact with data under CCPA guidelines.

All of this is facilitated by an agreement signed between the ad tech company and the brand, creating a new, fluid legal relationship that promotes transparency throughout the data lifecycle.

This has benefits for both parties.

Brands can ensure that consumer data is only being utilized in accordance with CCPA for policy and regulatory control. Ad tech providers and third-party programmatic ad companies can simplify their contract workflows by utilizing a single agreement instead of a cluster of smaller contracts for each client.

It's a win-win.

What does this mean for marketers?

In the big scheme of things, this will end up with marketers adding a new plugin and signing a new agreement. The IAB CCPA Framework will likely get granular changes over the coming years. Still, most of the burden of this particular framework falls on the ad tech companies and tech providers.

Google has already announced that it's implementing IAB standards for its CCPA compliance at the beginning of next year, so IAB will likely be the go-to agreement signed with tech vendors.

Expect to see some of these agreements when you sign up for that next tech contract. While Google and other vendors dragged their heels when it came to adopting outside party GDPR frameworks, the relative speed of CCPA's enactment has caused a bit of a stir in the tech community.

So, it's safe to say that most companies will be happy to have a consistent framework to build on.