CCPA – Recommended steps for publishers

As the California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020, the following are a few steps you can do to prepare your Digital Property (your site):

  1. Review the IAB’s CCPA framework and sign the Limited Service Provider Agreement.
  2. Display a “Do Not Sell My Personal Information” Link clearly and conspicuously on your Digital Property (the websites, mobile sites, applications and other digital properties owned, controlled and/or operated by you) where personal information is collected. This may mean placing the Link on the footer of each page.
  3. Update the privacy policy on your Digital Property to ensure that it indicates:
    1. that the site collects personal information when the user visits the Digital Property;
    2. that the site may sell the personal information to other parties, including in order to deliver ads tailored to the user’s interests;
    3. that the user has the right to opt out of the sale of the user’s personal information by clicking on the Link or the Icon;
    4. the effective scope of the opt out and how to exercise the opt out if applicable;
    5. the user can learn more about interest-based advertising across sites and additional opt-out choices with a link to resource websites identified in CCPA. 
    6. that opting out through the Link may not mean 
      1. the user will stop seeing ads;
      2. the user will be exempt from seeing interest-based ads
    7. that in the event the user opts out of the sale of user’s personal information for purposes of the CCPA, but does not opt out of interest- based advertising more generally, the user may receive ads tailored to his or her interests based upon personal information 
      1. not sold by the Digital Property; 
      2. sold to Downstream Participants at least ninety (90) days before the user should go to one or more industry opt-out links (e.g., opted out; or 
      3. sold by other sources from which the user has not opted out.
  4. Take reasonable steps to ascertain that the user is a consumer covered under CCPA (or else assume all users are covered under CCPA).
  5. Communicate applicable opt out signals to downstream participants.
  6. Adhere to deletion and access obligations under CCPA.
  7. Comply in all materials respects with CCPA with respect to California consumers it knows to be less than 16 years of age.