FAQs for Privacy Manager for CCPA
Please see below for common questions and answers. Don’t see your question answered here? Please do not hesitate to reach out to us through the Messenger in the lower right-hand corner.
NoteThis is not a substitute for legal opinion, in case you are unsure of whether or not your service will constitute conclusively as a sale, we suggest you consult your lawyer. However, we can tentatively provide the following advice on this matter.
The CCPA broadly defines the term “sale” to mean: “Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for valuable consideration; or (B) sharing orally, in writing, or by electronic or other means, a consumer’s personal information with a third party, whether for valuable consideration or for no consideration, for the third party’s commercial purposes.”
Within this meaning, any arrangement between a business and a third party or other business, that allows the business to receive some value (monetary or not) in exchange for the personal information of consumers is broadly included in the “sale” definition.
Luckily, CCPA goes into more detail to define what is not a sale. Here are a couple of key exclusions:
If a consumer uses or directs your business to intentionally disclose their personal information through deliberate interactions
If your business uses or shares consumer information with a service provider.
Based on this broadly, following depending on your context may be constituted as a sale or no sale:
Types of service | Possible Sale/ Not Sale |
Advertising | Sale |
Analytics | Sale |
Displaying content from external platforms | Sale |
Social features | Sale |
Tag Management | Sale |
To handle payments | Not Sale |
Selling goods and services online | Not sale |
Please go to the Messenger in Console or Help Documentation and fill in the details at the bottom of the Messenger so the Technical Support team can pick this up and inform you when the Vendor has been added. This usually takes about 2 working days.
If there is not a privacy policy that governs the vendor’s treatment of California resident data, we will unfortunately be unable to add the vendor.
Privacy Manager follows the IAB’s CCPA compliance framework when communicating Do Not Sell signals to your configured downstream vendors. The Privacy Manager ‘listens’ for a Do Not Sell request such that:
When a user clicks the Do Not Sell button, the Privacy Manager is triggered
The Privacy Manager then generates the U.S. Privacy String per the IAB’s technical requirements to communicate the user’s consent status under CCPA
The signal is then communicated to vendors which you have configured for the purpose of “Selling” data
These vendors are able to read the U.S. Privacy String to determine whether the consent status allows them to continue selling data or not, and they take the appropriate action downstream to ensure they maintain CCPA compliance
Depending on your implementation, you may elect to generate your own log files tied to your proprietary identifiers based on how you deploy the Privacy Manager. This will allow you to maintain a record of the opt-outs alongside other data you might have tied to proprietary identifiers.
If you do not wish to generate your own log file for this purpose, you may leverage Privacy Manager’s Audit Trail functionality. The Audit Trail is a log of all of the consumer interactions with the Privacy Manager and stores consent status tied to a user-specific “Audit ID.” When making a request, a consumer could provide you with their Audit ID found within the Privacy Manager UI, and you would be able to look up the consent status associated with the user.
Unlike for IAB’s Transparency & Consent Framework (TCF) for GDPR, there is not yet a public vendor list available for those third parties respecting the IAB CCPA framework. We recommend reaching out to your representative from each of your vendors via whom you sell data in order to be certain they are participating and will respect the consent status.
In partnership with your legal counsel, determine how your compliance needs can intersect with your desired user experience on-site. We recognize that some clients may not wish to expose the full Privacy Manager for CCPA UI to their users. In this case, we have provided guidelines on how to implement Alternative User Experiences (CCPA for Web) you may wish to explore.
The setup will be similar to the setup listed in "Alternative CCPA UX: Custom Banner Notice." Rather than including a banner notice, you will trigger the Privacy Manager UI to pop up after the user clicks on the hyperlink.
You may configure the size or appearance of the privacy notice from within LiveRamp Console. Please see "Customize the Look and Feel" for more details. If you wish to customize the size or appearance further, you may explore implementing the Alternative CCPA UX: Custom Banner Notice.
You may insert a hyperlink into the text of your notice by:
In LiveRamp Console, go to Content > Privacy Notice
In the Description text box, place the text of your notice
Select the words you wish to link to your privacy policy
Format the text such that it looks like:
<p>PLACE_LINKED_TEXT_HERE<a href="PLACE_PRIVACYPOLICY_URL_HERE" target="_blank">link</a></p>
Example:
<p>Privacy policy<a href=https://liveramp.com/privacy/ target="_blank">link</a></p>
Please see "How to Integrate with WireWheel for CCPA" for step-by-step instructions.
In our default configuration we only support the Do not Sell (DNS) button, but if you wish to have more granularity you can select the ‘Do not disclose vendors’ check box in the granular controls and disclosure section. This enables the end-user to opt-out per vendor basis.
However, this doesn’t mean the same as ‘Do not sell my personal information’ as we do not create any DNS signal when the vendor is opted-out. The use-case for such an event would be to have more control over which vendors are allowed to load/trigger their pixels on your website. By wrapping all script’s on your page around our APIs to check if the end-user opted-out for the vendor, you can control if their script is allowed to load or not.
When the end-user clicks on the DNS button the signal created will be shared through the U.S.-privacy string with vendors that support that format. The opt-out functions solely through our APIs and does not inform any vendor of the ‘Do not sell’.
if the publisher is part of the IAB, it should use the signatory option. IAB state in their policy that whenever a transaction is happening (transaction is a sale between the publisher and SSP, or SSP and Exchange, Exchange and DSP, basically the transfer of the data between vendors) both parties should be part of the IAB. IF one of the two parties are not part of the IAB, than the transaction is happening outside the framework, and thus, the framework doesn't have to be respected and the option for respecting the transaction is left to the receiving party.
With our APIs you are able to capture Privacy Manager events that are available by default. Whenever a change is made on those events you are able to push these events in real-time into your Analytics environment of your choosing.
The API is ‘addEventListener, please replace the [event] in the code for one of the available events from "Events":
window.__ccpa('addEventListener',[event], 1, function () {
//use client api of tool of choosing to push data to your BI environment
}