California Consumer Privacy Act (CCPA)

Display.io is committed to compliance with the California Consumer Privacy Act (“CCPA”), which came into effect in 2020. We have updated our legal policies (DPA, IO, Terms & Conditions, Privacy Policy) to meet the requirements of the CCPA. To meet the consumer’s “opt-out of data selling” right under Section 1798.120 of the CCPA, Display.io has joined the IAB CCPA Compliance Framework for Publishers and Technology Companies and agreed to the Limited Service Provider Agreement (LSPA).

If you are willing to implement the IAB CCPA Compliance Framework, the actions to be applied are described in detail in the official IAB Tech Specs. Below you can find some information that may help you along the way.

There are certain requirements that have to be fulfilled by Partners to comply with CCPA. Such requirements include (but are not limited to):

  • privacy policy update such that the policy clearly indicates the consumer data sets collected, and how such data is used or processed,
  • disclosure regarding further sharing, transferring or ‘selling’ of consumer data to third parties,
  • establishing or updating practices for addressing consumer rights, such as the consumer’s right to know, access, seek correction or deletion of personal information, or elect to opt out of the ‘sale of personal information’.

What Publishers should do to support the “opt-out of sale” requirements (IAB CCPA Compliance Framework):

  1. Include a “Do Not Sell My Personal Information” link on your app.
  2. Create a US Privacy String (IAB Tech Spec – US Privacy String).
    The string should be created whenever a sale of data may occur, for example on an init request or ad request. A string can be created to indicate that CCPA applies, or to signal that the app owner has determined that CCPA does not apply.
    The US Privacy String consists of the following components:

    | String Component | Expected Values | Definition |
    |---|---|---|
    | Specification Version Number | (1 char in string) | The version of this string specification used to encode the string |
    | Explicit Notice/Opportunity to Opt Out | ENUM (N = No, Y = Yes, - = Not Applicable) | Has explicit notice been provided as required by 1798.115(d) of the CCPA and the opportunity to opt out of the sale of their data pursuant to 1798.120 and 1798.135 of the CCPA |
    | Opt-Out Sale | ENUM (N = No, Y = Yes, - = Not Applicable. For use ONLY when CCPA does not apply.) | Has user opted-out of the sale of his or her personal information pursuant to 1798.120 and 1798. If CCPA applies, only Y (yes) or N (no) can be used. |
    | LSPA Covered Transaction | ENUM (N = No, Y = Yes, - = Not Applicable) | Publisher is a signatory to the IAB Limited Service Provider Agreement (LSPA) and the publisher declares that the transaction is covered as a “Covered Opt Out Transaction” or a “Non Opt Out Transaction” as those terms are defined in the Agreement. |

    US Privacy String Examples: 1YNN, 1NYN, 1-Y-, 1---

  3. Store the encoded string and any related information in NSUserDefaults (iOS) or SharedPreferences (Android), e.g. Key/Field: IABUSPrivacy_String, String: “1YNN”.

For each transaction (such as an init request or ad request), Display.io will access the string, process the request according to the requirements based on the consent, and send the US Privacy String to downstream partners (for OpenRTB: within the us_privacy parameter). Display.io and its downstream partners use the US Privacy String to determine whether they are allowed to process the consumer’s personal data in the transaction.
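The following added example (not Display.io's or the IAB's code) shows how a receiver of the string could validate its four positions against the table above and fail closed on anything malformed. The names `parse_us_privacy` and `may_sell` are hypothetical, and the assumptions are labelled in the comments: only version 1 is accepted, values are case-sensitive, and a missing or invalid string is treated as "do not sell".

```python
from dataclasses import dataclass
from typing import Optional

FLAGS = {"Y", "N", "-"}        # "-" = Not Applicable; case-sensitive (assumption)
SUPPORTED_VERSIONS = {"1"}     # assumption: only version 1, as in the page's examples


@dataclass(frozen=True)
class USPrivacy:
    version: str
    notice_given: str          # Explicit Notice/Opportunity to Opt Out
    opt_out_sale: str          # Opt-Out Sale
    lspa_covered: str          # LSPA Covered Transaction

    @property
    def ccpa_applies(self) -> bool:
        # Per the table, "-" in Opt-Out Sale is used only when CCPA does not apply.
        return self.opt_out_sale != "-"


def parse_us_privacy(raw: Optional[str]) -> Optional[USPrivacy]:
    """Return the parsed string, or None if it is missing or malformed."""
    if not isinstance(raw, str) or len(raw) != 4:
        return None
    version, notice, opt_out, lspa = raw
    if version not in SUPPORTED_VERSIONS:
        return None
    if not {notice, opt_out, lspa} <= FLAGS:
        return None
    return USPrivacy(version, notice, opt_out, lspa)


def may_sell(raw: Optional[str]) -> bool:
    """Conservative policy chosen for this example: anything unparseable means no sale."""
    parsed = parse_us_privacy(raw)
    if parsed is None:
        return False           # fail closed on a missing or invalid string
    if not parsed.ccpa_applies:
        return True            # app owner signalled that CCPA does not apply
    # CCPA applies: require that notice was given and the user has not opted out.
    return parsed.opt_out_sale == "N" and parsed.notice_given == "Y"


if __name__ == "__main__":
    for s in ("1YNN", "1NYN", "1-Y-", "1---", "1YN", None):  # constructed inputs
        print(repr(s), "->", may_sell(s))
```
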

Disclaimer: This document is only intended to be a general FAQ and must not be read or treated as legal advice. Please consult your lawyers to determine your position and compliance requirements under CCPA.

Note: If you don’t support the IAB CCPA Framework, please provide us with information regarding your technical capabilities to (a) accept and effectuate an end user’s opt-out of data selling requests and data deletion requests; and (b) transfer signals of such requests down the stream.
