Given the vast challenges California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), poses for digital marketing, the Interactive Advertising Bureau (IAB) released for public comment a draft of its proposed Compliance Framework for Publishers & Technology Companies (the Framework) on October 22.
“Selling” and CCPA challenges for digital. Those who have been actively preparing for CCPA’s implementation on January 1 know by now that pursuant to section 1798.115(d) of the CCPA, a company that has personal information about a consumer may not onward “sell” (as defined in the CCPA) such information to another party without the consumer (1) having received explicit notice of the sale of the personal information and (2) being given the right to opt out pursuant to section 1798.120. Under the CCPA, even if consumers opt out of having their personal information sold, the information may be shared with third parties acting as “service providers” for limited purposes, but the party disclosing the personal information (that is, the “business”) is very specifically limited in its ability to use any data it received that is deemed “personal information.”
Current information sharing practices. Currently, in the programmatic advertising ecosystem, publishers may pass personal information about visitors to their website to downstream participants (the Downstream Participants) who then may pass such information on to others in the supply chain. These Downstream Participants include providers such as:
- supply-side platforms (SSPs)
- demand-side platforms (DSPs)
- ad exchanges
- ad networks
- ad tech platforms
- data management platforms (DMPs)
Downstream Participants also include the advertiser who ultimately purchases the ad, funds the ecosystem, and, in many cases, expects to have ready and trusted access to information associated with its advertising activity and consumer behavior in response to such advertising.