The California Consumer Privacy Act wants to make opting out of data collection as easy as clicking a button. But for publishers, advertisers and ad tech companies, it’s not so simple.

On Tuesday, the Interactive Advertising Bureau and the IAB Tech Lab released the first draft of a compliance framework to help companies handle the practicalities of the law. The framework will be in a public comment period through Nov. 5.

The industry is still struggling to interpret parts of the CCPA despite the recently published initial draft of the California attorney general’s implementation regs. Although the regs clarify parts of the statute, there are still a bunch of open questions, including exactly what the CCPA-mandated “Do Not Sell My Personal Information” button should look like.

It’s also unclear exactly what back-end mechanisms will exist to enable companies to actually honor their CCPA obligations. When someone opts out, it has to mean something.

And with the CCPA effective date bearing down – it’s less than 70 days until Jan. 1, 2020 – businesses don’t have time to wait for all the ambiguities to be resolved before taking action to comply, said Michael Hahn, an SVP and general counsel at the IAB.

Master contract

The IAB/IAB Tech Lab’s compliance framework draft consists of two components: a standardized contract for use between publishers and their partners, and a series of technical specs so companies can follow through on the contract.

The master contract specifically defines the relationship between a publisher and other companies involved in real-time bidding, clarifying everyone’s responsibility when a consumer opts out of the sale of personal information.

This is extra important because the CCPA distinguishes between third parties and service providers – and ad tech vendors can be defined as either. “Under the CCPA, you can be different things at different points in time based on the relationship and the particular circumstances under which you’re receiving data,” Hahn explained.

Unlike a third party, which has greater latitude in the use of properly collected data as long as someone hasn’t opted out, a service provider, according to CCPA, is only allowed to use data for very specific, limited business purposes, such as auditing or fraud detection.

In the IAB’s view, when a consumer doesn’t opt out, an ad tech company is a third party that purchases information from publishers. But when a consumer hits that “Do Not Sell” button, the downstream ad tech company is contractually bound to act as a service provider, which means putting service provider-like constraints on the use of the data.

“The concept behind this is that there needs to be real meaning when a consumer opts out,” Hahn said. “That can be done by changing to a service provider relationship, which provides a means of real accountability.”

The tech specs

But a contract isn’t enforceable unless publishers and tech companies can see whether someone has opted out of the sale of data or not.

And so the compliance framework proposal also includes a set of three technical specifications from the IAB Tech Lab designed to help companies implement their service provider contracts.

The first is a “US privacy string” that’s similar in spirit to the Transparency and Consent Framework developed by the IAB Tech Lab and IAB Europe last year to share consent information with third-party vendors under the EU’s General Data Protection Regulation. In this case, the string contains information about whether a consumer was given the proper disclosures and the opportunity to opt out.

The second spec is a privacy user signal API that would be used by sites and apps to transmit info, aka functional cookies, through the US privacy string, while the third spec outlines an extension that would allow companies to pass CCPA-related information within OpenRTB transactions, such as whether the data collection process was kosher.

The contract and the specs aim to “strike a balance” between honoring consumer preferences and helping companies comply with the CCPA in “a way that doesn’t disrupt the value exchange, their products or their services,” said Dave Grimaldi, EVP for public policy at the IAB.

“I think we’ve done that here,” Grimaldi said. “But the comment period will hopefully shed meaningful light on tweaks we can make and gaps we need to fill so we can make this thing better.”