IAB CCPA Framework & Do Not Sell

This article outlines how Osano utilizes the IAB's CCPA Framework.

IAB Framework and "Do Not Sell"

According to the IAB:

"The Framework requires participating publishers that choose to sell the personal information of California consumers in the delivery of digital advertising to provide “explicit” notice regarding their rights under the CCPA, to explain in clear terms what will happen to their data, and to notify the downstream technology companies with which the publishers do business that such disclosures were given.

It also requires publishers to include a “Do Not Sell or Share My Personal Information” link on their digital properties. When a user clicks that link, a signal is sent to the technology companies with which the publishers do business via a technical mechanism that is based upon specifications developed by the IAB Tech Lab."

View the full documentation on the IAB CCPA Compliance Framework

How it works

Osano utilizes the IAB framework to signal to downstream advertisers using an API built according to the IAB specification. The framework is a global JavaScript event that is available on the web page. Third-party advertisers look for the callback when determining the level of behavioral tracking and cookies that they will implement. Osano does not dispatch events, we respond to requests for consent and it is on the third parties to request the consent through the IAB API implementation

When the advertisers load, they also have access to the webpage and cookies and all of the major exchanges and ad networks have “receiver capabilities” built into their ad pixels. Osano transmits to these companies using a common, agreed-upon convention. In this case, the Do Not Sell or Share My Personal Information switch in the Osano Cookie Preferences Drawer. 

Additional Settings

As Osano is passing the US privacy string on the behalf of Publishers, the only integer that is known to Osano is "Opt-Out of Sale" selection that is collected via the above toggle. 

According the IAB:

Have both of the following been provided: (i) notice pursuant to 1798.100(b) of the CCPA and (ii) the opportunity to opt out of the "sale" of personal information pursuant to 1798.120 and 1798.135 of the CCPA

As some publishers may have special considerations relating to serving proper notice on their site, Osano offers the ability to set a default Y value for the second character position to denote that proper notice has been provided to users as defined by the IAB specification.

The following toggle can be found on the Settings page of your configuration, in the Frameworks section:

Testing

Testing the Osano CMP do-not-sell setting is as easy as copying and pasting the following code into the console of your web browser developer tools:

 __uspapi('getUSPData', 1, (uspData, success) => {
    if(success) {
        console.log('success', uspData);
    } else {
        console.log('IAB failure', uspData);
    }
});

The following responses can be seen in your console when testing the above:

• When no consent is given
  • IAB US Privacy String Notice Confirmation is enabled or disabled: {uspString: "1---"}
• When Do Not Sell or Share My Personal Information is ACTIVE (switch turned ON)
  • IAB US Privacy String Notice Confirmation is disabled: {uspString: "1-Y-"}
  • IAB US Privacy String Notice Confirmation is enabled: {uspString: "1YY-"}

• When Do Not Sell or Share My Personal Information is INACTIVE (switch turned OFF)
  • IAB US Privacy String Notice Confirmation is disabled: {uspString: "1-N-"}
  • IAB US Privacy String Notice Confirmation is enabled: {uspString: "1YN-"}

See the IAB documentation to decode various responses received from the above call. 

String Definitions Reference