IAB CCPA Framework & Do Not Sell

  • Updated

What is the IAB Framework?

According to the IAB:

"The Framework requires participating publishers that choose to sell the personal information of California consumers in the delivery of digital advertising to provide “explicit” notice regarding their rights under the CCPA, to explain in clear terms what will happen to their data, and to notify the downstream technology companies with which the publishers do business that such disclosures were given.

It also requires publishers to include a “Do Not Sell or Share My Personal Information” link on their digital properties. When a user clicks that link, a signal is sent to the technology companies with which the publishers do business via a technical mechanism that is based upon specifications developed by the IAB Tech Lab."

View the full documentation on the IAB CCPA Compliance Framework

 

How does it work?

Osano utilizes the IAB framework to signal to downstream advertisers using an API built according to the IAB specification. The framework is a global JavaScript event that is available on the web page. Third-party advertisers look for the callback when determining the level of behavioral tracking and cookies that they will implement. Osano does not dispatch events; we respond to requests for consent, and it is on the third parties to request the consent through the IAB API implementation.

Screenshot 2023-05-22 at 11.26.57 AM

When the advertisers load, they also have access to the webpage and cookies and all of the major exchanges and ad networks have “receiver capabilities” built into their ad pixels. Osano transmits to these companies using a common, agreed-upon convention. In this case, the Do Not Sell or Share My Personal Information switch in the Osano Cookie Preferences Drawer. 

 

Additional Settings within Osano

As Osano is passing the US privacy string on the behalf of Publishers, the only integer that is known to Osano is "Opt-Out of Sale" selection that is collected via the above toggle. 

According the IAB:

Have both of the following been provided: (i) notice pursuant to 1798.100(b) of the CCPA and (ii) the opportunity to opt out of the "sale" of personal information pursuant to 1798.120 and 1798.135 of the CCPA.

As some publishers may have special considerations relating to serving proper notice on their site, Osano offers the ability to set a default Y value for the second character position to denote that proper notice has been provided to users as defined by the IAB specification.

The following toggle can be found on the Settings page of your configuration, in the Frameworks section:

Screenshot 2023-05-22 at 11.13.14 AM

 

Testing in the browser 

Testing the Osano CMP do-not-sell setting is as easy as copying and pasting the following code into the console of your web browser developer tools:

 __uspapi('getUSPData', 1, (uspData, success) => {
if(success) {
console.log('success', uspData);
} else {
console.log('IAB failure', uspData);
}
});

The following responses can be seen in your console when testing the above:

  • When no consent is given
    • IAB US Privacy String Notice Confirmation is enabled or disabled: {uspString: "1---"}
  • When Do Not Sell or Share My Personal Information is ACTIVE (switch turned ON)
    • IAB US Privacy String Notice Confirmation is disabled: {uspString: "1-Y-"}
    • IAB US Privacy String Notice Confirmation is enabled: {uspString: "1YY-"}
  • When Do Not Sell or Share My Personal Information is INACTIVE (switch turned OFF)
    • IAB US Privacy String Notice Confirmation is disabled: {uspString: "1-N-"}
    • IAB US Privacy String Notice Confirmation is enabled: {uspString: "1YN-"}

See the IAB documentation to decode various responses received from the above call. 

String Definitions Reference

String Component Expected Values Definition
Specification Version

Number

(1 char in string)

The version of this string specification used to encode the string.
Notice/Opportunity to Opt-Out

ENUM

(N = No, Y = Yes, - = Not Applicable)

Have both of the following been provided: (i) notice pursuant to 1798.100(b) of the CCPA and (ii) the opportunity to opt out of the "sale" of personal information pursuant to 1798.120 and 1798.135 of the CCPA.
Opt-Out Sale

ENUM

(N = No, Y = Yes, - = Not Applicable. For use ONLY when CCPA does not apply.)

Has user opted-out of the sale of his or her personal information pursuant to 1798.120 and 1798.135 of the CCPA? If CCPA applies, only Y (yes) or N (no) can be used.
LSPA Covered Transaction

ENUM

(N = No, Y = Yes, - = Not Applicable)

Publisher is a signatory to the IAB Limited-Service Provider Agreement (LSPA), and the publisher declares that the transaction is covered as a “Covered Opt-Out Transaction” or a “Non-Opt-Out Transaction” as those terms are defined in the Agreement.