The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing including media companies and advertising technology companies.  In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “IAB Do Not Sell Framework”).¹  The IAB Do Not Sell Framework proposed a system for companies that participate in third party behavioral advertising to provide consumers with an option for expressing their preference that their information not be sold.   The following provides a high level description of the three core components of the framework:

1. Websites and publishers would place Do Not Sell My Personal Information links on their homepages. Websites that engage in third party behavioral advertising (e.g., publishers, retailers, eCommerce, etc.) would post “Do Not Sell My personal Information” links (“DNS link”) on their respective websites.²
2. Preferences would be recorded in a cookie and transmitted downstream. If a consumer clicked on the DNS link, the website would store the consumer’s preference that their information not be sold in a cookie.³ In addition to the preference selection, the consumer’s browser or device ID would also be stored in the cookie.  The website would then transmit a signal that contains the preference selection to the third party behavioral advertising companies with whom they do business with (as well as any other technology company that assists the website in engaging in digital advertising) informing them of the consumer’s election.
3. Advertising technology companies would contractually agree to limit their use of consumer information once they receive a DNS signal. Advertising technology companies that participate in the framework (e.g., third party behavioral advertising networks) would contractually agree to be bound by a “Limited Service Provider Agreement.”  Among other things, the agreement would contain some form of representation that once a DNS signal was received the company would stop using the consumer’s information for their own purposes.  The advertising technology company could, however, continue using the information that they received for a narrow set of purposes that the IAB suggests might be consistent with the operations of a “service provider” under the CCPA.⁴

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

1. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf (last viewed  Dec. 3, 2019).

2. Id. at 2.

3. See IAB Tech Lab, U.S. Privacy User Signal Mechanism “USP API” (CCPA Compliance Mechanism): Final Version 1.0 (Nov. 20 2019) available at https://iabtechlab.com/wp-content/uploads/2019/11/US-Privacy-USER-SIGNAL-API-SPEC-v1.0.pdf (last viewed Dec. 3, 2019)

4. Id. at 3.

[View source.]