- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does the IAB guarantee that its “Do Not Sell” framework complies with the CCPA?
No.
The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing; its members include both media companies and advertising technology companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “IAB Do Not Sell Framework”).1 The IAB Do Not Sell Framework proposed a system for companies that participate in third party behavioral advertising to provide consumers with an option for expressing their preference that their information not be sold. The proposal was presented as a means of complying with the CCPA’s requirement that companies that sell personal information include a “Do Not Sell My Personal Information” link on their website, and honor the preference of consumers that opt out of such sales.2
At the time that it published the IAB Do Not Sell Framework, the IAB and the IAB’s affiliated organization, IAB Tech Lab, made clear that they were not willing to represent, warrant, or guarantee that companies that adopt the final version of the IAB Do Not Sell Framework will be in compliance with the CCPA’s requirement that a business “refrain from selling personal information” after a consumer expresses their desire to “opt-out” of such sales.3 Indeed, the IAB included the following disclaimers and warnings to companies in the IAB Do Not Sell Framework materials:
“The authors and IAB make no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this Framework and assume no liability of any kind whatsoever resulting from the use or reliance upon its contents.”4
“We take no position on legal conclusions, and leave it to industry participants to consult with their own legal counsel.”5
“We recognize that there is no single, agreed upon compliance interpretation of the CCPA. We take no position on any legal conclusion and leave it to industry participants to consult with their own legal counsel.”6
“TECH LAB DOES NOT WARRANT THAT THE PRODUCTS AND SERVICES PROVIDED TO OR USED BY YOU HEREUNDER SHALL CAUSE YOU AND/OR YOUR PRODUCTS OR SERVICES TO BE IN COMPLIANCE WITH ANY APPLICABLE LAWS, REGULATIONS, OR SELF-REGULATORY FRAMEWORKS, AND YOU ARE SOLELY RESPONSIBLE FOR COMPLIANCE WITH THE SAME.”7