Blog 5 minutes 12/12/19

Google Support for IAB CCPA Framework

IAB CCPA Framework

Publishers can breathe a sigh of relief, Google has announced support for the IAB CCPA Framework. 

Google has yet to embrace IAB Europe’s TCF v2.0 for sharing consent under the General Data Protection Regulation (GDPR). Although, the tech giant has confirmed it will integrate with the USP string for the IAB Tech Lab CCPA Framework in time for the compliance deadline on January 1, 2020.

In a November announcement, Google said it would allow advertisers and publishers to limit how data is processed and personalized ad serving is disabled on its ad-serving products. Publishers, advertisers and ad tech partners who use Google platforms for CCPA Compliance will benefit from this announcement.

Although Google’s restricted processing calls affect how publishers work with Google’s tools – including Ad Manager, AdMob and AdSense – on a daily basis, it’s not all-encompassing. Publishers must ensure they understand the restrictions based on their company processes and double-check they’re in compliance with the CCPA across all of their vendors.

Option 1: Restrict Everyone from California

One of the options for approaching Google’s restricted processing calls is limiting processing for all California users through network control. This translates to Google only serving non-personalized ads via your ad accounts for users from California.

Using the IP addresses of users, Google will identify those located in California. It will then restrict data processing to those particular users. Publishers don’t have to do anything to enable these changes for their ad tagging. Those who wish to do it for programmatic traffic must make the update through a network control, though.

This option provides for publishers who want to approach the CCPA from a conservative perspective and protect their company in the broadest way possible.

Option 2: Restrict Only Some Users

The alternative option under Google’s restricted processing calls is narrower. Publishers can choose to block processing for users who only click a “do not sell my personal information” link, (required by the CCPA if you are selling data), on a per-page basis.

To enable this functionality, publishers will navigate to their GPT and AdSense/Ad Exchange asynchronous ad tags. There they can set up the appropriate per-page triggers.

This is a more liberal approach to satisfying the CCPA rules. It accommodates the rules while still leaving publishers the freedom to serve ads to as much of their audience as possible.

Google will also trigger these restricted process calls when the IAB CCPA U.S. Privacy (USP) string indicates that a user has opted out. 

Conclusion: Next Steps for IAB CCPA Compliance

Each publisher will need to decide for itself which option best meets the obligations of the CCPA. 

Publishers can leverage the IAB Tech Lab CCPA framework and U.S. Privacy string to communicate with ad tech vendors. Publishers can also make direct calls to these vendors via API or direct tag blocking using Google Tag Manager, or other tag manager integration.

Whether you choose to move forward with restricted data processing for the CCPA by blocking everyone in CA or blocking just some users, Google is making calls effective as of December 12, 2019 at 11 p.m. PT.

The OneTrust PreferenceChoice CMP accounts for both of these options. It’s designed with one simple customer UI for CCPA opt-out-of-sale requests behind “Do Not Sell my Personal Information” links.

OneTrust PreferenceChoice can help your company with every aspect of your preference management tactics, including CCPA compliance and managing Google’s restricted processing calls. 

Reach out today to schedule a 1-on-1 meeting with an expert to learn more.


Onetrust All Rights Reserved