About IAB’s CCPA Compliance Framework
IAB’s CCPA Compliance Framework is enabled by default when Cookiebot (uc.js) is loaded, contrary to IAB Europe's TCF framework. As such there's no need to set any special attributes to enable it.
If you wish to use the IAB CCPA Framework with Cookiebot, you'll need to sign IAB’s Limited Service Provider Agreement though.
IAB CCPA Compliance Framework has three main components to it:
- An agreement that publishers (websites) must inform Californian consumers about their rights at the point of data collection, as well as offering a means of opting out.
This means: - Inform which categories of personal information is being collected
- Request permission for disclosure to third parties of collected personal information
- Allow deletion of collected information
- Include a "Do Not Sell My Personal Information" link on their digital properties
- An agreed-upon way for publishers to communicate to ad tech companies, that a Californian consumer has opted out of third-party data sales.
- An agreed-upon way for tech companies to operate after a Californian resident has opted out of third-party data sales.
How does it work?
You can "ask" the __uspapi stub for consent information. The stub has three parameters:
__uspapi(Command, Version, Callback)
| Argument Name | Type | Value |
| command | string | 'getUSPData' |
| version | number | US Privacy spec version |
| callback | function | function(uspData: uspdata, success: boolean) |
Here is an example on how to view the content of the uspData object:
__uspapi('getUSPData', 1 , (uspData, success) => {
if (success)
console.log('cmp response: ', JSON.stringify(uspData));
});
uspData is a JSON with the following format:
{
"version": 1,
"uspString": "1YNY"
}
"version" is a number, indicating the US Privacy spec version, currently 1.
"uspString" is a string, built up as follows:
| Character | Value | Explanation |
| 1st | 1 | US Privacy spec version |
| 2nd | Y / N | Explicit notice / Opportunity to opt out |
| 3rd | Y / N | User opted out of sale of personal information |
| 4th | Y / N | Publisher is a signatory to the IAB Limited Service Provider Agreement |
For users where CCPA doesn't apply, the string's value will always be "1---".
The visitor's consent state must be established before querying
We recommend fetching the consent string after the CookiebotOnConsentReady event is dispatched by the Cookiebot script.
__uspapi for a consent string. If a consent string is fetched before the Cookiebot script has established the visitor's consent state it will be assumed that CCPA applies. This ensures ads are not served without prior consent. We recommend fetching the consent string after the CookiebotOnConsentReady event is dispatched by the Cookiebot script.
Here is an example of how this can be done:
window.addEventListener('CookiebotOnConsentReady', (e) => {
__uspapi('getUSPData', 1 , (uspData, success) => {
if (success)
console.log('cmp response: ', JSON.stringify(uspData));
})
}, false);
Comments
0 comments
Please sign in to leave a comment.