IAB Benchmark Survey Offers Insight Into Industry’s CCPA Compliance Efforts

November 19, 2020Alerts

The Interactive Advertising Bureau (IAB) Legal Affairs Council recently completed its CCPA Benchmark Survey, which asked privacy attorneys in the industry about key elements of the California Consumer Privacy Act and their compliance efforts, in its first year of implementation.

The survey findings provide insight into how the market views key elements of CCPA compliance.

One key finding: Over two-thirds of respondents believe that a “sale” takes place when disclosing personal information in a “bid request,” in a “direct” deal, in a private marketplace deal, and when carrying out data matching/identity resolution – in each case, absent a “service provider” relationship.

  Here are some key takeaways from the survey:

  • Approximately 90% of respondents take the position that, when a publisher puts an ad tech company’s pixel, SDK (Software Development Kit), or similar technology on the publisher’s digital property, the publisher is the “business” and the ad tech company is the “third party.” Under these circumstances, 72% of respondents believe that the publisher is “selling” personal information to the ad tech company by “making available” personal information to the ad tech company through the publisher’s digital property.
  • 100% of publisher and brand respondents state that they serve as a “business” in some capacity. A portion of these respondents also state that they acted as “service providers” and “third parties” in other capacities.
  • Buy and sell-side intermediaries, along with ad servers and DMPs (Data Management Platforms), generally agree that they play multiple roles. Most view themselves as “service providers” but also act, at times, as “businesses” and “third parties,” with responses depending on the entity type.
  • Respondents view passing IAB Tech Lab’s U.S. Privacy String as a Limited Service Provider Agreement (“LSPA”) signatory, as well as blocking all “sale”-related pixels, SDKs, or similar technologies, as the top two ways to operationalize an opt-out.
  • Approximately 60% of “businesses” make CCPA rights (e.g., access, deletion, opt-out of “sales”) available to consumers regardless of jurisdiction.
  • For the provision of specific pieces of personal information, approximately 42-45% of respondents provided personal information that they internally generated about the consumers (e.g., analytics, digital IDs, segment information) or received from third parties (e.g., identifiers received by identity resolution providers).
  • The most frequent form of verifying the authorized agent was to contact the consumer independently, with the remainder of responses spread between checking the Secretary of State website to confirm such agent is registered, obtaining a copy of the agency agreement, requesting power of attorney proof, or not conducting verification.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the firm's GDPR Compliance & International Privacy Practice. For questions about CCPA compliance, she can be reached at 215.444.7313 or [email protected].