IAB Unveils Assessment of State of Compliance for CTV and OTT to Prepare for Looming CPRA Regulation

Report Finds Lack of Consensus Around Applying CCPA Definitions and Obligations

In 2023, the California Consumer Privacy Rights Act (CPRA) will go into effect. To help companies serving the Connected TV (CTV) and over-the-top (OTT) digital advertising supply chain prepare to comply with the legislation, today IAB’s Project CCPA Crosswalk Working Group released “Project Crosswalk: Addressing CCPA Compliance within the CTV/OTT Marketplace.”

Marketing Technology News:  The Basics of NFTs – What Should B2B Marketers Know?

The white paper examines stakeholders within the CTV/OTT marketplace, how participants disclose and process personal information, how they view themselves when applying the California Consumer Privacy Act (CCPA) definitions and corresponding compliance obligations, whether and what friction points exist when addressing CCPA compliance, and potential solutions deserving further exploration. The report will be used as a basis to develop recommendations for how CPRA opt-outs might work under the new law.

“The CTV landscape is incredibly fragmented with different CTV providers using different identifiers and definitions of who is a business, service provider, and third-party,” said Michael Hahn, SVP & General Counsel, IAB and IAB Tech Lab. “This report provides an overview of the landscape. From here, we are starting to scope out solutions to ensure that CTV and OTT companies are compliant when CPRA becomes law.”

The report found that:

  • Approximately 75% of survey respondents state that they “sell” personal information within the CTV/OTT ecosystem, there is a lack of consensus on who should provide the “Do Not Sell My Personal Information” link, and where and how to offer such an option. This is the biggest stand-out challenge when operationalizing CCPA compliance in the CTV/OTT environment.
  • CTV/OTT targeting often happens at the household level via IP address but can also include other proprietary user IDs. Publishers and advertisers will use this data, often in combination with viewing data, to segment and then target users on their devices.
  • Most platforms, device providers, advertisers, and content providers view themselves as a “business” under the CCPA. However, the ad tech intermediaries, such as Demand-Side Platforms (DSPs), Supply-Side Platforms (SSPs), and ad servers, were evenly divided in describing their roles as a “business, “service provider,” or “third-party.” Measurement companies mainly take the position that they are a “service provider” under the CCPA.

Marketing Technology News:  PeopleReady Earns Top Honors for Marketing Excellence with 7 NYX MarCom Awards

The Project CCPA Crosswalk Working Group was created by the IAB Legal Affairs Council and focuses on:

  • Identifying current CCPA practices in the CTV/OTT marketplace
  • Identifying data flows that are relevant to CCPA analysis
  • Developing a common framework for addressing CCPA classifications
  • Determining next steps in order to prepare scalable CPRA/CCPA compliance solutions to address data sales and service provider disclosures

Today, IAB’s CCPA Consent Framework and Limited Service Provider Agreement have been widely adopted and leveraged by hundreds of companies to comply with the CCPA. The IAB Legal Affairs working group is working to develop a recommendation for CPRA.

The “Project Crosswalk: Addressing CCPA Compliance within the CTV/OTT Marketplace” Report, which is sponsored by OneTrust.

Marketing Technology News:  MRP Ushers in the Next Era of Enterprise ABM