IAB CCPA Framework & Do Not Sell

This article outlines how Osano utilizes the IAB's CCPA Framework.

IAB Framework and "Do Not Sell"

According to the IAB:

"The Framework requires participating publishers that choose to sell the personal information of California consumers in the delivery of digital advertising to provide “explicit” notice regarding their rights under the CCPA, to explain in clear terms what will happen to their data, and to notify the downstream technology companies with which the publishers do business that such disclosures were given.

It also requires publishers to include a “Do Not Sell or Share My Personal Information” link on their digital properties. When a user clicks that link, a signal is sent to the technology companies with which the publishers do business via a technical mechanism that is based upon specifications developed by the IAB Tech Lab."

View the full documentation on the IAB CCPA Compliance Framework

Osano utilizes the IAB framework to signal to downstream advertisers using an API built according to the IAB specification. The framework is a global JavaScript event that is available on the web page. Third-party advertisers look for the callback when determining the level of behavioral tracking and cookies that they will implement. Osano does not dispatch events, we respond to requests for consent and it is on the third parties to request the consent through the IAB API implementation

When the advertisers load, they also have access to the webpage and cookies and all of the major exchanges and ad networks have “receiver capabilities” built into their ad pixels. Osano transmits to these companies using a common, agreed-upon convention. In this case, the Do Not Sell or Share My Personal Information switch in the Osano Cookie Preferences Drawer. 

Testing the Osano CMP do-not-sell setting is as easy as copying and pasting the following code into the console of your web browser developer tools:

 __uspapi('getUSPData', 1, (uspData, success) => {
if(success) {
console.log('success', uspData);
} else {
console.log('IAB failure', uspData);

The following responses can be seen in your console when testing the above:

  • When no consent is given
    • {uspString: "1Y-Y"} or {uspString: "1N-N"}
  • When Do Not Sell or Share My Personal Information is ACTIVE (switch turned ON)
    • {uspString: "1YYY"} or {uspString: "1NYN"}
  • When Do Not Sell or Share My Personal Information is INACTIVE (switch turned OFF)
    • {uspString: "1YNY"} or {uspString: "1NNN"}

Note: Osano is passing the US privacy string on your behalf and so the only interger that is known to Osano is "Opt-Out of Sale" in the table below. 
The other values will read N or - in the string when passed to downstream advertisers.

Ex. 1NYN or 1-N-

See the IAB documentation to decode various responses received from the above call. 
String Component Expected Values Definition
Specification Version


(1 char in string)

The version of this string specification used to encode the string
Notice/Opportunity to Opt Out


(N = No, Y = Yes, - = Not Applicable)

Have both of the following been provided: (i) notice pursuant to 1798.100(b) of the CCPA and (ii) the opportunity to opt out of the "sale" of personal information pursuant to 1798.120 and 1798.135 of the CCPA
Opt-Out Sale


(N = No, Y = Yes, - = Not Applicable. For use ONLY when CCPA does not apply.)

Has user opted-out of the sale of his or her personal information pursuant to 1798.120 and 1798.135 of the CCPA? If CCPA applies, only Y (yes) or N (no) can be used.
LSPA Covered Transaction


(N = No, Y = Yes, - = Not Applicable)

Publisher is a signatory to the IAB Limited Service Provider Agreement(LSPA) and the publisher declares that the transaction is covered as a “Covered Opt Out Transaction” or a “Non Opt Out Transaction” as those terms are defined in the Agreement.