IAB CCPA Compliance Framework For Publishers & Technology Companies
The CCPA technical specifications have been deprecated as of January 31, 2024.
As data privacy regulation in the US has evolved and more states have signed laws, an updated compliance framework is needed. The Multi-State Privacy Agreement (MSPA), formerly known as the IAB Limited Service Provider Agreement, has been released to help publishers, advertisers, agencies, and ad tech companies meet their compliance obligations with respect to state privacy laws in the US. The MSPA is intended to be used with the US State Signals of the Global Privacy Platform (GPP).
Technical Specifications
To support CCPA compliance for website and app owners and the digital ad tech ecosystem, the IAB Privacy & Compliance Unit, which gathers legal, public policy, and tech experts from IAB, IAB Tech Lab, and member companies representing the digital advertising, marketing, and media ecosystem, has developed the IAB CCPA Compliance Framework for Publishers and Technology Companies. As part of the CCPA Compliance Framework, the IAB Tech Lab released the final v1.0 U.S. Privacy Technical Specifications on November 18, 2019. Since the v1.0 release, the IAB Tech Lab added support for data deletion request handling in June 2020, and the spec is now considered v1.1.
The audience for the technical specifications is product and engineering representatives. Teams implementing the tech specs for the IAB CCPA Compliance Framework should also become familiar with the framework policies outlined in the IAB CCPA Compliance Framework for Publishers and Technology Companies.
Access V1.1 Final Technical Specifications
U.S. Privacy Specs and resources can be found here.
Note: v1.1 of all IAB Tech Lab U.S. Privacy technical specifications serves only CCPA compliance.
There are four technical specifications that are ready for industry adoption:
- IAB Tech Lab U.S. Privacy String (deprecated as of January 31, 2024): Supports a data format for information about disclosures made and choices selected by a user regarding consumer data privacy.
- IAB Tech Lab U.S. Privacy User Signal API (deprecated as of January 31, 2024): Specifies a lightweight API that may be implemented by digital properties for web and mobile in-app to represent U.S. privacy signals.
- IAB Tech Lab U.S. Privacy Data Deletion Request Handling (deprecated as of January 31, 2024): Provides the means to signal consumer requests for data deletion.
- IAB Tech Lab U.S. Privacy OpenRTB Extension (deprecated as of January 31, 2024): Outlines a mechanism to support communication of U.S. privacy signals within the scope of CCPA compliance.
Implementation Support
For a quick overview of the technical specifications in the IAB CCPA Compliance Framework, you can reference a summary presentation deck available here.
For a CCPA reference implementation, please click here.
For more information on policies of the IAB CCPA Compliance Framework, visit https://www.iab.com/guidelines/ccpa-framework/.
For more information about the IAB Privacy & Compliance Unit’s work on the California Consumer Privacy Act and U.S. privacy regulations, read here: https://iab.com/ccpa.