BLOG 5 Minutes 6/11/2020

IAB CCPA Compliance Framework

New Data Deletion Specs Released

The IAB Tech Lab has officially launched its technical spec for California Consumer Privacy Act (CCPA) data deletion requests. The spec is part of the overall IAB CCPA Compliance Framework.   

At a high level, publishers can use this spec to comply with CCPA’s data deletion requirement by allowing users to request the deletion of their data through a button or link hosted on the publisher’s website. When a user requests their data be deleted, the request is signaled to vendors who then perform the deletion.  

This is a win for companies in the advertising industry that are looking to comply with CCPA. They now have an easy way to propagate data deletion requests to their ad tech partners.  

What is the IAB CCPA Compliance Framework? 

Last year, the IAB Privacy and Compliance Unit, which includes representatives and experts from legal, public policy and technology companies, drafted the IAB CCPA Compliance Framework to help digital publishers and their supply chain partners comply with the CCPA. 

The CCPA gives California residents a set of rights focused on their personal information. These include the right to deletion: 

Section 1798.105(c) of the CCPA states “[a] business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information [shall] … direct any service providers to delete the consumer’s personal information from their records.” (emphasis added) 

The IAB CCPA Compliance Framework creates a contractual relationship between digital properties and the downstream framework participants to enforce limitations on the use of data and mechanisms for accountability when a consumer opts-out of the sale of their information. 

Companies that collect and sell California residents’ personal information and operate websites must provide a clear and conspicuous link or button on their website, titled “Do Not Sell My Personal Information.” This link or button must allow the consumer (or person authorized by the consumer) to opt-out of the sale of their personal information. 

Under CCPA, companies and third-party partners must abide by consumer requests to delete any personal information that they have about them in their records. Publishers are challenged with automating a way to manage and route these requests. Before the new spec was created, they were unable to signal the request downstream to partners.  

IAB CCPA Data Deletion Specs  

The Tech Lab’s new Data Deletion Request Handling specification solves for CCPA’s Section 1798.105(c) guideline. A publisher who utilizes ad tech vendors to be “service providers”, which is defined by the CCPA, can use the new spec to signal that a user exercised her right to deletion through a link or button on the publisher’s website.  

The technical spec also provides vendors serving as a publisher’s service provider a standard way to listen for requests that comes from publisher pages. 

On June 1 the California attorney general submitted the final proposed regulations for the CCPA to the California Office of Administrative Law, which has up to 90 days to review them. 

OneTrust PreferenceChoice Supports CCPA Data Deletion Specs 

The OneTrust PreferenceChoice CMP facilitates consumer “Do Not Sell” requests within the platform to execute on consumers’ rights to opt out under the CCPA. These records are then synched to your other technologies via a plugin or API integration to avoid accidental or unauthorized sale of consumer data. 

With the new CCPA data deletion spec now available, the OneTrust PreferenceChoice team is working closely with vendors to incorporate deletion request options for consumers directly into the CMP. 

For more information on the CCPA Right of Deletion, request a 1 on 1 consultation with a member of OneTrust PreferenceChoice.