The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing; its members include both media companies and advertising technology companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “IAB Do Not Sell Framework”).1 The IAB Do Not Sell Framework proposed a system for companies that participate in third party behavioral advertising to provide consumers with an option for expressing their preference that their information not be sold. The proposal was presented as a means of complying with the CCPA’s requirement that companies that sell personal information include a “Do Not Sell My Personal Information” link on their website, and honor the preference of consumers that opt out of such sales.2
At the time that it published the IAB Do Not Sell Framework, the IAB, and the IAB’s affiliated organization IAB Tech Lab made clear that they were not willing to represent, warrant, or guarantee that companies which adopts the final version of the IAB Do Not Sell Framework will be in compliance with the CCPA’s requirement that a business “refrain from selling personal information” after a consumer expresses their desire to “opt-out” of such sales.3 Indeed, the IAB included the following disclaimers and warnings to companies in the IAB Do Not Sell Framework materials:
“The authors and IAB make no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this Framework and assume no liability of any kind whatsoever resulting from the use or reliance upon its contents.”4
“We take no position on legal conclusions, and leave it to industry participants to consult with their own legal counsel.”5
“We recognize that there is no single, agreed upon compliance interpretation of the CCPA. We take no position on any legal conclusion and leave it to industry participants to consult with their own legal counsel.”6
“TECH LAB DOES NOT WARRANT THAT THE PRODUCTS AND SERVICES PROVIDED TO OR USED BY YOU HEREUNDER SHALL CAUSE YOU AND/OR YOUR PRODUCTS OR SERVICES TO BE IN COMPLIANCE WITH ANY APPLICABLE LAWS, REGULATIONS, OR SELF-REGULATORY FRAMEWORKS, AND YOU ARE SOLELY RESPONSIBLE FOR COMPLIANCE WITH THE SAME.”7
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. https://www.iab.com/wp-content/uploads/2019/10/IAB_CCPA_Compliance_Framework_Draft_for_Public_Comment_Oct-2019.pdf (last viewed Dec. 3, 2019).
2. Cal. Civil Code § 1798.135(a)(1) – (5).
3. Cal. Civil Code §1798.135(a)(4), (5).
4. IAB Do Not Sell Framework at 4.
5. IAB Do Not Sell Framework at 6.
6. IAB Do Not Sell Framework at 2.
7. https://iabtechlab.com/wp-content/uploads/2019/11/US-Privacy-USER-SIGNAL-API-SPEC-v1.0.pdf at 2.