California Consumer Privacy Act (CCPA) Readiness at IX


California Consumer Privacy Act (CCPA) Readiness at IX

With 2020 upon us, so is the newest privacy law. Launching on January 1, 2020, CCPA (the California Consumer Privacy Act) allows web users to opt-out from their personal information being used by companies to serve digital ads. While this new law has some similarities to the legislation recently implemented in the EU (GDPR), there are certainly some nuances that both sides of the ecosystem will need to take into consideration.

At Index Exchange, we’re implementing the IAB’s CCPA Framework for OpenRTB (specifications can be found here), and are encouraging the publishers we work with (as well as others in the ad tech ecosystem) to do the same.  We view ourselves as a Service Provider under the CCPA, processing personal information on instruction of – and for the benefit of – our publisher partners.

In order to help our buyer and publisher partners navigate these potentially unfamiliar waters, we’ve pulled together the following FAQ as well as what our various partners can expect in terms of changes to come:


What is the CCPA law?

The CCPA is a new privacy law allowing web users in California to opt-out of their personal information being used by companies (including to serve digital ads). 

It applies to any company handling personal information of California residents. The law uses the term “sells” personal information, but that term is defined very broadly to include:

“collecting, gathering, accessing, receiving, disclosing, making available, transferring and communicating it from a business to a third party for value consideration.”

In order to be compliant with the law, businesses that collect and “sell” the personal information of California residents must put up a banner on their website with a “Do Not Sell My Personal Information” link that allows a user to opt-out of the “sale” of their personal information to other parties. Businesses can instead choose to not provide a personalized ad experience for California users, and they also have to give consumers the right to access or delete any personal information they have about them.

When does the CCPA go into effect?

The law goes into effect on January 1, 2020. In practice, the California Attorney General’s office has indicated that they will not enforce until July 1, 2020. 

What is the IAB’s US Privacy Framework?

The IAB’s US Privacy Framework is an attempt by the ad tech industry to create a standardized way to comply with the law’s requirements under CCPA and any other future US privacy laws. This framework tells us how to collect and pass on the signal that a customer has opted out, in a standardized way. 

Publishers can choose not to use the framework and do a non-standard way too. Either way, the signal must get passed along to exchanges, who will pass it on to DSPs. 

What is a Limited Service Provider?

The IAB’s US Privacy Framework also includes a Limited Service Provider Agreement. It is a way for downstream parties like ad exchanges to standardize their relationship with the publisher, identifying themselves as service providers to the publisher. 

By signing this contract, all downstream parties become Limited Service Providers that can only use personal information for specific business purposes like frequency capping, ad measurement, ad delivery, fraud prevention and other purposes that do not involve personalizing advertising. 

What happens if a user opts-out?

  • At minimum, users are opted-out for the website and device/browser pair where they selected the opt-out. For example, if I opt out on on desktop, I have *not* opted out on the XYZ mobile app. This example will not always be the case as some publishers may choose to sync the user’s choice across all of their channels.
  • Opt-out does not mean no ads for the user, it only means personal information is no longer used for ad personalization
  • The following types of ads can still be served when a user has opted-out of “sale”:
    • Non-personalized ads
    • Ads based on publisher first party data, e.g. data CNN has collected about you itself 
    • Ads based on third party data previously acquired prior to CCPA.

What does this mean for me?

For Library Partners:

  • We are implementing the IAB’s CCPA Compliance Framework for our Library product, and will be ready to receive, handle, and pass forward the customers’ opt-in or opt-out preference via the us_privacy string.
    • The IAB’s technical specifications for publishers can be found here
    • No code updates to your implementation of the IX Library are needed – so long as you are collecting & sharing the us_privacy string as per IAB specifications, the IX Library will automatically pick up the signal. Please reach out to your IX account representative to have your IX Library configured to read the signal when you are ready.
    • It is the publisher’s responsibility to accurately collect and pass on the customer’s consent signals. You can enlist the help of a CMP to manage user consent preferences but it is not mandatory.
  • The IX Library will also share the us_privacy string from the US Privacy API with all certified adapters configured in your library, from which point on adapters supporting CCPA will be able to pass the signal onward to their respective platforms. 
  • For publishers who sign the IAB’s Limited Service Provider Agreement, no further contract addendums are required between us.

 For Prebid Adapter Partners:

  • We have updated our integration with Prebid’s Library to include handling of the us_privacy string.
  • Publishers using the Prebid Library will need to update their integrations and deploy it on their sites.
  • Information about CCPA updates to Prebid’s adapter can be found here, where Index Exchange is listed as an adapter supporting CCPA.

 For DSP and Agency Partners:

  • We are implementing the IAB’s CCPA Compliance Framework for our Library product, and will be ready to receive, handle, and pass forward the customers’ opt-in or opt-out preference via the us_privacy string.
  • We will pass the us_privacy field in the Regulations Object – please see our Knowledge Base here for details

Should you have any further questions, please don’t hesitate to connect with your account team lead directly.


Leave a Reply

Your email address will not be published.