The IAB (Interactive Advertising Bureau) which has a membership comprising of more than 650 leading media companies, brands and technology firms having a stake in Digital Marketing has come up with a framework for compliance with CCPA and released it for public comments.
The framework is open for public comments till 5th of November. The framework is intended to be used by those publishers who “Sell” personal information and the “Technology Companies that use the sold personal information”.
In the digital marketing world there are “Publishers” who publish advertisements on website and some who use other means such as E Mail marketing to publish advertisements. The product marketing companies place their “Advertisements” in appropriate publishing channels.
Some of the publishers may occasionally use the services of intermediaries who identify target audience to whom a message can be advertised. These intermediaries collect personal data by their own means and then filter them into different categories and make it available to other publishers. There is a “Profiling” activity involved in this process which falls under the different data protection regulations.
The publishers may also be benign publishers who donot use “Targeted Advertising” on their platforms and therefore donot have responsibility for the profiling. In such cases the publishers may be simply be “Advertising Platforms”. In Indian law they will be legally “Intermediaries under Section 79 of ITA 2000”.
The difference between the “Target identifier” , “Publisher” and “Advertising platform” depends on the extent of control they exercise on the collection and processing of personal data.
For example, naavi.org is a platform on which Google Ads is the publisher, Amazon may be the advertiser. The dividing line between the Publisher and the Platform is thin. But since Naavi.org does not decide on what ads are to be presented and Google Ads is the Ad serving company taking that decision, Naavi.org becomes only a platform that lends part of its space to the Google Advertising.
The Google Ad network may sell advertising space from its clients on a Real time bidding (RTB) under which advertising inventory is bought and sold on per impression basis via progammatic instantaneous auction. The algorithm used for such advertising may incorporate profiling of a visitor to a website as well as use of AI. The platform may not have much knowledge of how the ads are chosen except to prohibit certain types of contents.
The IAB framework provides guidelines for the publisher and the advertising company on how to handle the personal data.
The “Framework” envisages that any company that engages in or supports an RTB transaction may sign the “IAB Limited Service Provider Agreement”.
The framework participants includes
a) Owners of publisher digital properties ((e.g., publishers of web pages and retailers with advertising on their sites or apps, that, in each case a California consumer (a “Consumer”) visits)
b) Downstream Framework participants(e.g., Supply side platforms or SSPs, Demand side platforms or DSPs, ad servers, and agencies)
c) Owners of Advertiser Digital properties (e.g., brand entities that also
operate/publish a web page)
d) Downstream Framework participants who receive personal information about a consumer that originates from the advertiser digital property.
The framework applies to RTB transactions involving the “Sale” of Personal Information only when all the participants in a transaction are “Framework Participants”. The digital property can however opt out of the framework. However, when the Digital Property utilizes the Framework, it will be contractually required to send the bid request and accompanying personal information only to other Downstream Framework Participants. Additionally, when a Downstream Framework Participant receives the bid request from the Digital Property, it will be contractually required to confirm that its counter parties are Framework Participants by using the Signatory Identification Solution and pass the bid request and personal information only to Framework Participants.
The guidelines cover the information to be provided to the individuals who allow their personal data to be sold through an Opt-in process, the display of “Donot Sell” button and how to handle the “Donot Sell Requests” of a person who has earlier provided a consent for selling. The framework suggests that the “Service Contracts” between the Publisher and the advertiser has to accommodate the change in consent.
Digital properties who send the signals for RTB to a participant cannot onward sell the personal information without an “Explicit Consent”. The digital property must include a “California Explicit Notice” link near te “Donot Sell” link. A sample “Explicit Notice” is also provided in the guideline.
Under CCPA, When a Consumer opts out, it does not bar the collection of personal information or the delivery of a personalized ad but, rather, bars a “sale” of personal information related to the delivery of a personalized ad. Hence the downstream framework participants become “Limited Service Providers” on behalf of the digital properties.
The guidelines also provide technical frameworks to be used in the specified cases.
In a way, it appears that IAB is trying to set up some industry standards applicable to the participants of the framework.
The reaction of the industry needs to be watched.