Ad industry, you can get off your tenterhooks: Google is going to adopt the IAB Tech Lab’s technical specs for compliance with the California Consumer Privacy Act (CCPA).
The specs, which create a US privacy string not dissimilar to the Transparency and Consent Framework (TCF) developed by IAB Europe in the run up to GDPR, enable RTB transactions to occur while imposing constraints on the use of data when consumers opt out of the sale of their personal information, which is one of the primary rights enshrined in the CCPA.
The specs will be live within AdSense, AdMob, Google Ad Manager and DV360 in time for the CCPA effective date on Jan. 1. Google is still evaluating whether it makes sense to integrate with the IAB Tech Lab’s specs for its other products.
Cool, but what does all that mean in practice?
The IAB Tech Lab released its CCPA compliance specs in late November after a brief comment period. A few days later, Google said it would allow advertisers and publishers to limit how data is processed and disable personalized ad serving through its ad products, a move calculated to help its publisher, advertiser and ad tech partners comply with the law.
The question that then hung in the air was whether Google intended to embrace the ad industry’s specs, which would bolster adoption – but there was a good reason to be cynical.
Google has yet to implement IAB Europe’s TCF for sharing permissioned consent under GDPR. It delayed joining the framework for well over a year, although it has promised to finally do so by the end of Q1 2020.
This time Google isn’t dragging its heels.
“We’re committed to supporting our advertisers, publishers and partners as they work to comply with CCPA,” a Google spokesperson said.
Google will not, however, use the standard contracts that are included as part of the IAB’s overall CCPA compliance framework, since it already has product-specific contracts of its own in place with all of its partners.
The IAB CCPA compliance framework is comprised of two parts: a limited service provider agreement that delineates when partners can and can’t use consumer data as part of a bid request, and technical specs to actually execute the contract.
Brass tacks
Here’s how the US privacy string will work in the Google context:
If a consumer doesn’t opt out of the sale of their personal information, then Google’s products will function the same as usual, no change.
But if a consumer does opt out, Google will take action starting on Jan. 1 to honor the request.
When the IAB Tech Lab’s privacy string indicates that a user has opted out, Google will trigger restricted data processing for AdSense, AdMob and Ad Manager, which means Google won’t pass the bid request on to any third parties via real-time bidding.
Over on the buy side, when DV360 receives an opt-out through the privacy string as part of a bid request from third-party exchanges, Google will not place a bid.
It’s unclear, though, whether Google will implement the specs as part of its consent management platform, Funding Choices. Google said it’s still assessing whether the IAB’s CCPA framework makes sense for Funding Choices, and that it will have more info to share on that front in Q1 2020.
