CCPA stands for California Consumers Protection Act 2018. It is the law that requires businesses to give California residents special rights to restrict their personal information usage. In this article, we will try to understand how it affects AdSense publishers and what publishers should do to comply with it.
What is California Consumers Protection Act?
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. Officially called "Assembly Bill No. 375", it was approved on June 28th, 2018, and became effective on January 1, 2020.
Let's take a look at the text of CCPA. Here are some excerpts that may be interesting for AdSense publishers:
(i) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
1798.120. (b) A business that sells consumers’ personal information to third parties shall provide notice to consumers ... that this information may be sold and that consumers have the right to opt out of the sale of their personal information.
1798.135. (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:
- Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
- Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:
- Any California-specific description of consumers’ privacy rights.
And some definitions:
(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
CCPA In Brief
Based on the foregoing, we can make a brief explanation. If you do business in California and
- have yearly revenue of $25+ million, or
- have data on 50,000+ customers, or
- deal primarily in selling data,
you need to allow California residents to control how their personal information can be collected and transferred to third parties.
Rephrasing for webmasters and AdSense publishers: if your websites have visitors from California and
- have yearly revenue of $25+ million, or
- have 50,000+ unique visitors per year (137+ unique visitors per day),
you need to allow California residents to control how their personal information can be collected and transferred to third parties (in this case Google).
What Should I Do To Be Compliant?
By default, Google AdSense serves personalized ads. This means that Google uses tracking cookies to choose which ads to show to the individual user visiting the page, based on both the content of the web page and the browsing history of this user.
Such tracking is considered the "selling" of personal information in terms of CCPA.
You have two options here:
- You may turn on restricted data processing mode for all visitors from California in the AdSense dashboard, so their ads will not be personalized anymore. With this option, Google will use user IP addresses to determine the location of users and enable restricted data processing mode for any users it can detect have a California IP address.
- You may allow California residents to opt out of the transfer of their “personal information” to Google displaying a “Do Not Sell My Personal Information” link. In this case, you need to implement this feature at an ad request level by yourself.
[UPDATE October 2020] Google now has a CCPA privacy messaging tool integrated into AdSense, read below.
How to Restrict Data Processing For All Users From California
Log in to your AdSense dashboard and navigate to Blocking controls in the navigation sidebar → Content → All sites → California Consumer Privacy Act → Manage CCPA settings → Restricted data processing.
You can choose from two options for your account for users who Google determines are in California:
- Don’t restrict data processing
This is the default option. Google will continue to show personalized ads to eligible users in California.
- Restrict data processing
When you choose "restrict data processing", Google will restrict how it uses certain unique identifiers and other data. Google will only show non-personalized ads to eligible users in California. Non-personalized ads will be based on contextual information only, such as the webpage content.
The image below shows these settings in the AdSense dashboard:
How to Set up a Standard AdSense CCPA Privacy Message
Google now has a standard feature to display a CCPA privacy message with a "Do Not Sell My Personal Information" link on your site. This allows to show personalized ads to the users who agreed to the sale of their personal information even if the "Restrict data processing" setting is enabled.
To enable this message, go to the AdSense dashboard → Ads → Overview → Click the Edit button next to the site → More features → turn on CCPA privacy message. You can also click the Show privacy message to see how your privacy message will look on your site.
After you turn on the CCPA privacy message for the first time, a Funding Choices account we'll be created, where you can customize this message. Please note, that it is strongly recommended to use the default wording that Google provides.
To read more about this feature, consult this page.
How to Restrict Data Processing at Ad Level
If you choose not to restrict data processing across your account, you can restrict data processing for only some users at an ad request level. This may be useful if you choose to display a “Do Not Sell My Personal Information” opt-out link on your own. For those users that opt out, you may decide to serve a different ad inclusion code.
For the AdSense and Ad Exchange asynchronous ad tags, use the following code snippet:
For implementing restricted data processing in other cases, for tags different from AdSense and Ad Exchange (GPT tags, GPT passback tags, Google Mobile Ads, Google Interactive Media Ads) and AdSense for Search, consult the Restricted data processing (CCPA) settings in Google’s publisher ad tags page.
Penalties For Violating the CCPA
Any violation of the CCPA is assessed by the California Attorney General.
The Attorney General must give business 30 days to come into CCPA compliance. If a business does not rectify any problems during that time, each accidental violation can be up to $2,500 and an intentional violation could result in a penalty of $7,500.