IAB CCPA: Configuring the US Privacy String

Overview

OneTrust supports the CCPA's "Do Not Sell" requirement via the IAB CCPA US Privacy String. This template contains templated language and settings for CCPA based on recommendations from the OneTrust legal team. Customers can also apply this template to a specific subset of website visitors based on whether their IP address is in a specific country or even a specific state.

Read the full IAB Technical Specifications here: Technical Specifications for CCPA

Google Ad Manager and Google Adsense Opt-out

Google already offers data protection controls pursuant to the General Data Protection Regulation (GDPR) in Europe which can be integrated with the OneTrust Cookie Compliance solution.

Websites utilizing Google Ad Manager (formerly DoubleClick for Publishers) or AdSense may need to show non-personalized ads for site visitors who have opted out of the 'Sale of Personal Data' to comply with the California Consumer Privacy Act (CCPA). This article explains how to integrate the OneTrust Cookie Compliance solution with restricted data processing mode in Google ad tags. If you want to enable restricted data processing for all users located in California who visit your property, no changes to your ad tagging are needed. You can read more about restricted data processing, including how to enable it in the UI, in the Google Ad Manager, AdMob, or AdSense help centers.

Steps to Implement

If you do not want to use Google Ad Manager, substitute the following URL in the scripts below: https://cdn.cookielaw.org/opt-out/iabCcpaIntegrationScript-noGAM.js

  1. Place the script below in the <head> of your website directly below the cookie banner main script.
<script src="https://cdn.cookielaw.org/opt-out/otCCPAiab.js" type="text/javascript" charset="UTF-8" ccpa-opt-out-ids="{Category Id}" ccpa-opt-out-geo="{geo}" ccpa-opt-out-lspa="{true or false}"></script>
  2. Replace {Category Id} with the Category Group ID or IDs you wish to correlate to the opt out of the sale of data. You will find these in the Categorizations menu under Categories.

If you want disabling any one of multiple categories to trigger an opt-out signal, supply the IDs as a comma-separated attribute value, as shown below.

<script src="https://cdn.cookielaw.org/opt-out/otCCPAiab.js" type="text/javascript" charset="UTF-8" ccpa-opt-out-ids="{Category Id 1},{Category Id 2}" ccpa-opt-out-geo="{geo}" ccpa-opt-out-lspa="true"></script>
  3. Replace {geo} with the location where you want the IAB CCPA framework to apply. The options are all, us, and ca.
<script src="https://cdn.cookielaw.org/opt-out/otCCPAiab.js" type="text/javascript" charset="UTF-8" ccpa-opt-out-ids="C0004" ccpa-opt-out-geo="ca" ccpa-opt-out-lspa="{true or false}"></script>

The location should align with your CCPA geolocation rule.

For example, if your geolocation configuration only contains one rule, all is sufficient. If you have distinguished rules for CCPA at a US or CA level, then you should apply either us or ca, respectively.

If the {geo} attribute is not specified in line with the geolocation rule, the usprivacy string will not be set correctly.

  4. Replace {true or false} with true if the publisher has signed the Limited Service Provider Agreement, or false if they have not.
<script src="https://cdn.cookielaw.org/opt-out/otCCPAiab.js" type="text/javascript" charset="UTF-8" ccpa-opt-out-ids="C0004" ccpa-opt-out-geo="ca" ccpa-opt-out-lspa="true"></script>
  5. Save and refresh your website.

  6. You should see a cookie named usprivacy which matches the default status of the category you’ve entered above for CCPA Opt-out.

  7. Disabling the Sale of Personal Data setting should update the third character of the usprivacy cookie to Y, meaning the user has chosen to opt out of sale, and vice versa.

Cookie Categories to be included in the opt-out of sale should be grouped in the Preference Center template. This can be found in the Preference Center tab under Advanced Configuration. Failure to group these Cookie Categories may result in usprivacy being set to Y without opting out of all of the necessary Cookie Categories.

Deploying Using Google Tag Manager

Google Tag Manager (GTM) strips out all non-standard script attributes, which includes attributes such as ccpa-opt-out-geo. To get around this, you can create the tag as a JavaScript script that will add the tag with custom attributes.

<script>
(function () {
    var OTTag = document.createElement('script');

    // Add standard script attributes
    OTTag.setAttribute('src', 'https://cdn.cookielaw.org/opt-out/otCCPAiab.js');
    OTTag.setAttribute('type', 'text/javascript');
    OTTag.setAttribute('charset', 'UTF-8');

    // Add custom attributes
    OTTag.setAttribute('ccpa-opt-out-ids', 'GROUP IDs');
    OTTag.setAttribute('ccpa-opt-out-geo', 'all');
    OTTag.setAttribute('ccpa-opt-out-lspa', 'true');

    document.body.appendChild(OTTag);
})();
</script>

Technical Notes

  • API function: __uspapi(Command, Version, Callback)
  • Command: getUSPData
  • Return object: uspData
  • Example uspData Object:
{
"version": 1, /* number; indicating the U.S. Privacy spec version */
"uspString": "1YNN" /* string; {version}{explicit notice}{opt-out}{lspa} */
}
  • Stored in first-party cookie: usprivacy
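
To verify the cookie and API values described above, the following added example (not OneTrust's code) parses the uspString layout and compares it with the expected opt-out and LSPA state. The function names and sample cookie are constructed for illustration; the '-' field value and the callback's second success argument come from the IAB US Privacy specification rather than this page.

```javascript
// Added example (not OneTrust code): parse and check the usprivacy value.
// Layout from this page: {version}{explicit notice}{opt-out}{lspa}.
var FIELD = { Y: true, N: false, '-': null }; // '-' = not applicable (IAB spec)

function parseUspString(uspString) {
  // One version digit, then three characters, each Y, N or '-'.
  var m = /^(\d)([YN-])([YN-])([YN-])$/.exec(String(uspString));
  if (!m) return null; // malformed or missing: no valid signal
  return { version: Number(m[1]), explicitNotice: FIELD[m[2]],
           optOutOfSale: FIELD[m[3]], lspa: FIELD[m[4]] };
}

// Pull one cookie out of a document.cookie-style string.
function readCookie(cookieString, name) {
  var parts = String(cookieString || '').split(';');
  for (var i = 0; i < parts.length; i++) {
    var eq = parts[i].indexOf('=');
    if (eq > -1 && parts[i].slice(0, eq).trim() === name) {
      return parts[i].slice(eq + 1).trim();
    }
  }
  return null;
}

// Compare the cookie with what the page should produce: `optedOut` is the
// preference-center state, `lspa` is the ccpa-opt-out-lspa attribute.
function checkUsPrivacy(cookieString, expected) {
  var raw = readCookie(cookieString, 'usprivacy');
  var parsed = parseUspString(raw);
  var problems = [];
  if (!parsed) problems.push('usprivacy cookie missing or malformed');
  else {
    if (parsed.optOutOfSale !== expected.optedOut) problems.push('opt-out character mismatch');
    if (parsed.lspa !== expected.lspa) problems.push('LSPA character mismatch');
  }
  return { raw: raw, parsed: parsed, problems: problems };
}

// Same check through the API; `win` is window in a browser.
function getUspData(win, callback) {
  if (typeof win.__uspapi !== 'function') return callback(null);
  win.__uspapi('getUSPData', 1, function (uspData, success) {
    callback(success && uspData ? parseUspString(uspData.uspString) : null);
  });
}

// Constructed sample: visitor opted out, publisher has not signed the LSPA.
var SAMPLE_COOKIES = 'OptanonConsent=placeholder; usprivacy=1YYN';
```

In a browser console, call checkUsPrivacy(document.cookie, { optedOut: true, lspa: false }) after toggling the Sale of Personal Data setting; an empty problems array means the cookie matches the expected state.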

Google Ad Manager Testing

To test that the ad request is properly respecting the opt-out choice, open your browser developer tools, go to Network, and check the ad request call. Check that the usprivacy string exists in the request to securepubads.g.doubleclick.net.