CCPA – Recommended steps for publishers

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. 

This document should not be taken as a substitute for legal advice, nor is it necessarily an exhaustive list. Having said that, the following are a few steps you can take to prepare your Digital Property (your site):

  1. Review the IAB’s CCPA framework and sign the Limited Service Provider Agreement.
  2. Display a “Do Not Sell My Personal Information” Link clearly and conspicuously on your Digital Property (the websites, mobile sites, applications and other digital properties owned, controlled and/or operated by you) where personal information is collected. This may mean placing the Link on the footer of each page. Sortable's hosted CMP for CCPA (when available) will provide support for displaying a "Do not sell my personal information" link, only where Sortable's code is present on your site. 
  3. Update the privacy policy on your Digital Property to ensure that it indicates:
    1. that the site collects personal information when the user visits the Digital Property;
    2. that the site may sell the personal information to other parties, including in order to deliver ads tailored to the user’s interests;
    3. that the user has the right to opt out of the sale of the user’s personal information by clicking on the Link or the Icon;
    4. the effective scope of the opt out and how to exercise the opt out if applicable;
    5. the user can learn more about interest-based advertising across sites and additional opt-out choices with a link to resource websites identified in CCPA. 
    6. that opting out through the Link may not mean 
      1. the user will stop seeing ads;
      2. the user will be exempt from seeing interest-based ads
    7. that in the event the user opts out of the sale of user’s personal information for purposes of the CCPA, but does not opt out of interest- based advertising more generally, the user may receive ads tailored to his or her interests based upon personal information 
      1. not sold by the Digital Property; 
      2. sold to Downstream Participants at least ninety (90) days before the user should go to one or more industry opt-out links (e.g., opted out; or 
      3. sold by other sources from which the user has not opted out.
  4. Take reasonable steps to ascertain that the user is a consumer covered under CCPA (or else assume all users are covered under CCPA). Sortable's hosted CMP will be triggered based on the user's geographic location.
  5. Communicate applicable opt-out signals to downstream participants. Sortable will pass the U.S. Privacy String (where available) to downstream participants connected to Sortable's platform using Prebid and OpenRTB protocols.
  6. Adhere to deletion and access obligations under CCPA.
  7. Comply in all material respects with CCPA with respect to California consumers it knows to be less than 16 years of age.