CCPA Technical Specifications FAQ

Implementation Notes for the US Privacy String

The following guidance should be used for the v1.0 U.S. Privacy String. Specification is available at

US Privacy String Rules:

Dashes “-” can only be used to form the string “1---”. The use of dashes in combination with a “N/Y” value does not have any specific meaning within this framework. (E.g. 1--Y or 1-Y- do not have meaning defined by this framework.)

Publishers, if you are a signatory to the IAB Limited Service Provider Agreement, you should always send “1---“. This indicates you are participating in version 1 of the CCPA framework.

Complete, four character strings must be sent.

Real Time Signal Scenarios

The following table describes some of the possible USP String scenarios. The table does not describe the meaning of 1YYY, 1YYN, or other expected scenarios.

“Digital Property” means a digital property owned and operated by a publisher or advertiser and on which a consumer’s personal information is collected.

Note: All use of terms in quotation marks have the definitions set forth in CCPA.



Covered Scenario

No string written

The Digital Property is using the U.S. Privacy string such that it is not utilizing IAB Tech Lab’s technical specifications and operates outside of IAB’s Limited Service Provider Agreement


A Digital Property has determined that a U.S. privacy law applies to the transaction. The Digital Property is using version 1 of the U.S. Privacy string specification.

A Digital Property has determined that CCPA does not apply to the transaction because it does not involve a California “Consumer” as defined by 1798.140(g) of the CCPA and is signaling this using version 1 of the U.S. Privacy string specification.


A Digital Property has determined to use a U.S. privacy string, but does not claim to be a “Business” pursuant to 1798.140(c) of the CCPA. The Digital Property is signaling this using version 1 of the U.S. Privacy string specification.


These variants do not have meaning defined by this framework and should be considered invalid.

* denotes wildcard / any value


Implementation Notes for the USP API

Optionally, Digital Properties could extend existing consumer privacy preferences implementations to support this new USP API. Supporting the new USP command shall not alter in any way any existing consumer preferences.

In many cases, GDPR and Do Not Sell scopes are mutually exclusive. In the edge cases where, e.g., a California resident visits an EU-based publisher site, additional policy guidance is needed. You may need to consult your lawyers.

Optionally, Digital Properties and Vendors can extend their implementations independently to avoid complicated deployment dependencies. For example, publishers can implement without breaking any previously existing scripts.


Questions from Digital Property Owners (Brands/Publishers)

When a consumer comes to a digital property, how does the digital property owner store the string? When does the string get stored?

The U.S. Privacy String is expected to be stored when the consumer has satisfied the business’ defined engagement with the opt out explicit notice. Then the string is stored in cookie or local storage.

Who owns this service?

Digital properties should implement the spec string format and API specifications. There is no centralized provider for API service.

What resources are available for Digital Property Owners to implement these technical specifications?

Members of the IAB Tech Lab CCPA/U.S. Privacy Working Group are welcome to contribute to and benefit from reference implementation available here:

General Tech Specs Questions

Do I have to sign the contract?

More information about the IAB Limited Service Provider Agreement will be available soon at IAB CCPA Compliance Framework for Publishers. If you have not signed the Agreement, the fourth parameter in the USP String should NOT be set to Yes.

How should I handle children directed inventory?

It is suggested to consider any other applicable regulatory compliance needs you may have. The Framework technical specifications do not specify further guidance.

Additionally, you may also read more about the Children’s Online Protection Act (COPPA) and existing children’s data privacy laws.

Will there be a mobile in-app reference implementation?

The Framework DOES support mobile in-app implementations. Given the simplicity of the string we currently don’t plan to provide an in-app reference implementation. Contributions to the working group are welcome!