CCPA

The California Consumer Privacy Act (CCPA) requires that users are given the option to opt out of having their personal data processed. Publishers can use a consent management provider (CMP) or a proprietary solution to collect and store site visitor’s consent.

How Index Exchange supports CCPA

The Interactive Advertising Bureau’s CCPA compliance framework

IX supports the IAB's CCPA compliance framework in the following ways.

OpenRTB API for DSPs

IX will now pass the us_privacy field in the regs.ext object of the bid request, in accordance with version 1.0 of the IAB's CCPA Compliance Framework. The us_privacy field specifies the following:

  • Whether the U.S. privacy regulations apply to the consumer.
  • Whether the explicit legal notice has been established with the consumer.
  • Whether the consumer has chosen to opt-out of the sale of their personal data.
  • Whether the transaction is covered by the Limited Service Provider Agreement.

For more information about us_privacy, see the Regulations Extension object in List of supported OpenRTB bid request fields.

Prebid

The IX Prebid adapter is now able to consume the us_privacy string for both display and video requests. Publishers may need to update the version of Prebid that they're using to get CCPA support in the IXPrebid adapter:

  • Publishers using version 3.x must update their Prebid code to version 3.3.1 or later.
  • Publishers using version 2.x must update their Prebid code to version 2.44.2 or later.

IX Library

The IX Library is now able to consume the us_privacy string and share it with all certified adapters. For more information on the CCPA and using a consent management provider (CMP), see Supporting privacy regulations in the IX Library. For more information on adapters supporting CCPA, see List of certified adapters.

The Digital Advertising Alliance (DAA) opt-out tool

IX is a participant of the DAa’s CCPA opt-out tool via their WebChoice platform, which allows a web user to opt-out once across all websites. The platform allows our exchange to detect a CCPA opt-out signal each time we participate in an ad opportunity.

How IX reacts in opt-out cases

When IX determines that an ad request is for a user who has not provided consent, we anonymize certain user information in the bid request sent to our DSPs in the following ways:

  • ip (in the device object): The last octet (IPv4) or two last bytes (IPv6) of the user’s IP address are replaced with a zero(s).
  • lat and lon (in the geo object): Latitude and longitude coordinates are reduced to two decimals which translates to accuracy no less than one third of a mile.
  • All unique IDs from the bid request in the device and user objects that indirectly identify a user are removed.
  • deals (in the pmp object): Audience segment targeted deal IDs are no longer added to the bid request.

For more information about the above bid request fields, see the object descriptions in List of supported OpenRTB bid request fields.