How to delete consumer data under CCPA guidelines
The IAB Tech Lab today released its standard to help publishers and brands facing their biggest legal challenge in decades: complying with the sweeping California Consumer Privacy Act (CCPA), whose enforcement begins July 1.
The IAB solution works by plugging code directly into a publisher’s website and the vendors with whom they work. When consumers click a button to have their data deleted, a command to delete personal information is sent to all of a publisher’s partners—eliminating the need to manually remove data.
“We want to give our members in the industry at large the technical pipes for signaling to their partners easily,” says says Alex Cone, senior director of product management at the IAB Tech Lab. “Our spec gives publishers the ability to communicate that with a couple of lines of code.”
CCPA grants California consumers enhanced data privacy rights and control over their personal information, including the right to know, the right to delete and the right to opt-out of the sale of personal information that businesses collect—as well as additional protections for minors.
Under CCPA, when a consumer requests that personal data be deleted, companies have 45 days to comply. Penalties can be severe. Those who violate the law are subject to an injunction by the court and a civil penalty of $2,500 for each violation. If a violation is intentional, the penalty escalates to $7,500 for each infraction/violation. Businesses have 30 days to remedy any violations found.
Other states have similar laws, or intend to, but CCPA has widespread impact because of its size—the Golden State has 40 million residents—and because so many digital and tech companies are located there.
“So many brands are building direct-to-consumer relationships,” says Dennis Buchheim, president of the IAB Tech Lab. “That makes them a publisher. If brands are using vendors in any sort of ad tech and are operating in California, then CCPA also applies to them.”
Although most associate the term “publisher” with news providers, the term also applies to brands. And the COVID-19 pandemic has prompted many companies to move their businesses completely online.
The IAB Tech Lab plays a lead role in developing industry solutions, including the size of a display ad or the backend tech of a video player. These standards are widely adopted by the industry. Although other companies are developing CCPA compliance solutions, the IAB is the first proposed universal standard.
Publishers often have to talk to 15 different vendors, says Cone, each of which has a different process in handling deletion requests. “The end result is an increase in operations cost. You also open yourself up to error.”
Creating a standard saves the industry real money—the Tech Lab’s solution is free for everyone and can be accessed here—while also reducing the likelihood of an error, Cone says.
Some publishers work with consent management platforms, or CMPs, to manage consumer privacy regulation requirements. Cone says many CMP companies helped develop its data deletion solution and as a result, will apply it to their own platforms.
The IAB Tech Lab says its model is flexible enough that it can be applied to other states and countries in the near future.
“There isn’t something like this,” says Buchheim, the Tech Lab’s president. “This is the first effort to create a standard that could be adapted to other laws and jurisdictions.”