CCPA Frequently Asked Questions

As our publishers prepare for the new California Privacy law (the CCPA), which goes into effect on January 1, 2020, we’ve outlined key points to keep in mind and how you can make appropriate CCPA disclosures on your digital properties. Please see below for some helpful points from Taboola.

What is the CCPA?

The California Consumer Privacy Act (the “CCPA”) is a privacy law that aims to provide California consumers with greater controls over how their personal information is collected, used, and sold by companies. The CCPA goes into effect on January 1st, 2020, so you should strive to be compliant by the start of the year.

What does this mean for publishers?

While there’s no singular roadmap to being “CCPA compliant,” publishers should start by reviewing what personal information you collect, who you share personal information with, and what notices you provide to your site visitors about your data practices.

Also, if you “sell” any personal information to other companies, you will be required to include a “Do Not Sell My Info” disclosure on your websites. We strongly recommend that you work with your legal counsel to understand if you are engaging in a “sale” under the CCPA.

What is Taboola’s position under the CCPA?

Because Taboola collects data directly from your site visitors’ browsers, Taboola is a separate and independent “business” under the CCPA and Taboola’s collection of data is not a “sale.”  Also, unlike most other ad networks, Taboola’s Platform is visibly marked as “Sponsored by Taboola” and it includes a popup disclosure with opt out options, Taboola’s contact information, and other information relevant to California consumers.

How can publishers make CCPA disclosures on their websites?

Many of Taboola’s publisher partners are implementing the IAB CCPA Compliance Framework on their websites. You can find more information about this program at https://www.iab.com/guidelines/ccpa-framework.

While this isn’t required for Taboola’s services, you may work with other vendors that have different requirements, so we encourage you to contact each of your vendors and work with your legal counsel to understand your disclosure requirements.

What if your site integrates with Taboola via API or SDK? 

Please reach out to your Taboola account manager who will have more information and help you coordinate with Taboola’s privacy team, as needed.

What will Taboola do after receiving a “Do Not Sell My Info” instruction from one of your site visitors?

Because Taboola operates as a “business,” as defined under the CCPA, Taboola is not a signatory of the IAB Framework’s Limited Service Provider Agreement. However, whenever a California consumer exercises a “Do Not Sell” request (whether via the IAB Framework or via Taboola’s Platform), Taboola will honor all signals, and limit its and its service providers’ use of that data solely for its purposes as a business.

With either option, Taboola will independently manage all “Do Not Sell” requests, access requests, and deletion requests that Taboola receives from consumers.

Do we need to make any changes to publishers’ existing contracts? 

Probably not. Your account manager will be in touch if we need to update anything, but your contract should already be governed by “Applicable Privacy Law”, which, for publishers with California visitors, will include the CCPA as of January 1, 2020.

Please feel free to reach out to your Taboola account manager should you have any questions.

** Please note that this is not a comprehensive review of the CCPA, nor is this legal advice. For further information and specific guidance, please reach out to your legal team.