The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing; its members include both media companies and advertising technology companies. 

In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “IAB Do Not Sell Framework”).¹  The IAB Do Not Sell Framework proposed a system for companies that participate in third party behavioral advertising to provide consumers with an option for expressing their preference that their information not be sold.  The proposal was presented ostensibly as a means of complying with the CCPA’s requirement that companies that sell personal information include a “Do Not Sell My Personal Information” link on their website, and honor the preference of consumers that opt out of such sales.²

Numerous questions and concerns have been raised by privacy advocates and businesses with the IAB Do Not Sell Framework.  These include, but are not limited to, the following issues:

1. Websites would be limited to dealing with adTech companies that participate in the framework. The IAB Do Not Sell Framework attempts to effectuate a do not sell request by converting any adTech company that has joined the framework, and that has executed a “Limited Service Provider Agreement” provided by the IAB, into a “service provider” when they receive a do not sell signal from a participating website.  From a website’s perspective, however, if they participate in the IAB Do Not Sell Framework they may be effectively restricting the adTech companies (including the behavioral advertising network providers) with whom they can partner to those that have joined the framework.  Websites may incur significant disruption if they are forced to terminate current adTech partners that decide not to join.
2. The terms of the Limited Service Provider Agreement are unknown. Advertising technology companies that participate in the framework (e.g., third party behavioral advertising networks) would contractually agree to be bound by a “Limited Service Provider Agreement.”  Although the IAB provides a high level description of the provisions that might be included in the Limited Service Provider Agreement, as of November 20, 2019, the agreement itself had not been published.³  As a result, it is not possible to determine whether the agreement comports with the service provider requirements of the CCPA.
3. The effectiveness of the Limited Service Provider Agreement is unknown. In order for a company to be considered a “service provider” under the CCPA the Act states that there must be a “written contract” and implies that the contract must be “with the business.”⁴  Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that the agreement will not be entered into between a website and a technology company directly as “Digital Properties lack privity with many Downstream Framework Participants.”⁵  It may be that the IAB anticipates that adTech companies will agree to a set of industry rules or terms to which a website will be a third party beneficiary.  Assuming that is the case it is unclear whether a court will interpret such a contractual arrangement as a “contract” between the parties sufficient to create a service provider relationship.
4. The Limited Service Provider Agreement will contain no indemnification of websites. Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that it will include “no indemnification provisions.”⁶ It is unclear to what extent websites that may be directly liable under the CCPA will be comfortable with the risk that arises from service providers that are unwilling to provide any indemnification for privacy-related violations.
5. The Limited Service Provider Agreement will impose no liability on adTech companies. Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that it will include “a complete limitation of liability.”⁷ It is unclear to what extent websites that may be directly liable under the CCPA will be comfortable with the risk that arises from service providers that are unwilling to assume any liability for privacy related violations.
6. Device level opt-out may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would trigger a device-level opt-out.⁸  Among other things, the IAB Do Not Sell Framework suggests that websites notify consumers that if they visit the website from a different device (e.g., a work computer instead of a smartphone, or a smartphone instead of a personal computer) their information will again be sold until, or unless, the consumer submits a new opt-out request on the new device.  It is unclear whether a device-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and the requirement that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”⁹
7. Browser level opt-out may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would trigger a browser-level opt-out.¹⁰  Among other things, the IAB Do Not Sell Framework suggests that websites notify consumers that if they visit the website from a different browser (e.g., Chrome instead of Safari) their information will again be sold until, or unless, the consumer submits another opt-out request on the new device.  It is unclear whether a browser-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”¹¹
8. Non-persistent opt-outs may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would record their preference in a cookie placed on the user’s machine.¹²  If a user clears their browser’s cache that preference selection would, presumably, be erased and, as a result, the user’s personal information would again start to be sold by a business.  It is unclear whether a non-persistent opt-out mechanism fully complies with the CCPA’s requirement that a business “refrain from selling personal information collected . . . about the consumer” after receiving an initial opt-out request and wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”¹³
9. Offline to online sales. The CCPA arguably requires a company that receives a do not sell request to cease the selling of information both online and offline.  The IAB framework’s focus on the online collection, and transmission, of do not sell requests does not appear to anticipate that many organizations may not collect sufficient information about a consumer to effectuate the request in the offline environment.
10. Misrepresentation and deception litigation risk. Some privacy advocates have asserted that the IAB framework would, if adopted, “result in significant misrepresentations of the law.”¹⁴ It is not precisely clear what misrepresentations they believe would be made through the framework. However, their statements may be a signal that they intend to work with plaintiff attorneys to test whether use of the framework might be the foundation of a deception claim in litigation.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf (last viewed  Dec. 3, 2019).

2. Cal. Civil Code § 1798.135(a)(1) – (5).

3. https://iabtechlab.com/wp-content/uploads/2019/11/US-Privacy-USER-SIGNAL-API-SPEC-v1.0.pdf at 3.

4. Cal. Civil Code 1798.140(v).

5. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf at 9.

6. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf at 11.

7. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf at 11.

8. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf at 8.

9. Cal. Civil Code 1798.135(a)(4), (5).

10. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf at 8.

11. Cal. Civil Code 1798.135(a)(4), (5).

12. https://iabtechlab.com/wp-content/uploads/2019/11/US-Privacy-USER-SIGNAL-API-SPEC-v1.0.pdf at 3.

13. Cal. Civil Code 1798.135(a)(4), (5).

14. See Comment submitted by Californians for Consumer Privacy Comments on IAB's Proposed CCPA Framework dated November 5, 2019 available at  https://www.caprivacy.org/post/californians-for-consumer-privacy-comments-on-iabs-proposed-ccpa-framework (last viewed Dec. 4, 2019).

[View source.]