BLOG 5 Minutes 6/11/2020

IAB CCPA Framework: New Spec Released

The IAB Tech Lab officially launched its technical spec for California Consumer Privacy Act (CCPA) data deletion requests. The spec is part of the overall IAB CCPA Compliance Framework.   

Publishers can use this spec to comply with CCPA’s data deletion requirement by allowing users to request the deletion of their data. This can be done through a button or link hosted on the publisher’s website. When a user requests their data be deleted, the request is signaled to vendors who then performs the deletion.  

This is a win for companies in the advertising industry obligated to comply with CCPA. They now have an easy way to propagate data deletion requests to their ad tech partners.  

What is the IAB CCPA Framework? 

The IAB Privacy and Compliance Unit, which includes representatives and experts from legal, public policy and technology companies, drafted the IAB CCPA Compliance Framework. This framework helps digital publishers and their supply chain partners comply with the CCPA. 

The CCPA provides California residents with a set of privacy rights focused to protect their personal information. These include the right to deletion: 

  • Section 1798.105(c) of the CCPA states “[a] business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information [shall] … direct any service providers to delete the consumer’s personal information from their records.” (emphasis added) 

The IAB CCPA Compliance Framework creates a contractual relationship between digital properties and the downstream framework participants. This enforces limitations on the use of data and mechanisms for accountability when a consumer opts-out of the sale of their information. 

Companies that collect and sell California residents’ personal information and operate websites must provide a clear and conspicuous link or button on their website, titled “Do Not Sell My Personal Information.” This link or button must allow the consumer (or person authorized by the consumer) to opt-out of the sale of their personal information. 

Under CCPA, companies and third-party partners must abide by consumer requests to delete any personal information that they have about them in their records. Publishers are challenged with automating a way to manage and route these requests. Before the new spec was created, they were unable to signal the request downstream to partners.  

IAB CCPA Data Deletion Specs  

The Tech Lab’s new Data Deletion Request Handling specification solves for CCPA’s Section 1798.105(c) guideline. A publisher utilizing ad tech vendors as “service providers”, can use the new spec to signal that a user exercised her right to deletion through a link or button on the publisher’s website.  

The technical spec provides vendors acting as a publisher’s service provider a standard way to collect requests from publisher pages. 

On June 1 the California Attorney General submitted the final proposed regulations for the CCPA to the California Office of Administrative Law.  The California Office of Administrative law has up to 90 days to review them. 

OneTrust PreferenceChoice Supports CCPA Data Deletion Specs 

The OneTrust PreferenceChoice CMP facilitates consumer “Do Not Sell” requests within the platform to fulfil CCPA consumers’ rights. Next these records are  synched to your other technologies via a plugin or API integration to avoid accidental or unauthorized sale of consumer data. 

With the new CCPA data deletion spec now available, the OneTrust PreferenceChoice team is working closely with vendors to incorporate deletion request options for consumers directly into the CMP. 

For more information on the CCPA Right of Deletion, request a 1 on 1 consultation with a member of OneTrust PreferenceChoice. 

Onetrust All Rights Reserved