The California Consumer Privacy Act (CCPA) went into effect on January 1st, 2020. The act regulates and protects data privacy rights for residents of California in the United States. On July 1st, the CCPA went into enforcement.

The CCPA grants Californian residents control over their personal information collected and used when they interact with businesses online and offline. Or how it also describes it: the CCPA should give them the right to know, the right to delete, and the right to opt-out of the sale of personal information processed by mentioned businesses.

In the following text, I am going to explain what the CCPA means for publishers of AdSense ads. There are different methods to comply with the data privacy regulations and offer website visitors from California safe and secure browsing.

Our post can only serve as a broad overview of the topic. If you have further questions regarding your individual case, please contact a lawyer since we cannot give legal advice.

To whom does the CCPA apply?

You need to comply with the CCPA even if your business is registered outside of California. One of the following needs to be true:

  • you have annual gross revenue that exceeds $25 million,
  • derive 50% or more of your annual revenues from selling California residents’ personal information,
  • buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices a year.

The terms “buy, receive, sell, or share” are interpreted very widely. As a publisher, you should expect that embedding any third-party service on your site, including analytics and ad networks, is covered by these terms.
Large publishers should check their analytics stats to see if they exceed the limit of 50,000 Californian residents per year.

In general, the CCPA is less restrictive than the European GDPR. According to our information, it is enough to present visitors with information about tracking and give them the chance to opt out. At the same time, the GDPR might require you to pause placing ads and other third-party or tracking code until consent is given explicitly.

We will cover how to deal with CCPA and AdSense next. If you use other ad networks or service providers, please reach out to them for instructions.

AdSense and CCPA

When it comes to AdSense, you have two options to comply with the California Consumer Privacy Act. One just needs you to enable a single option in your AdSense account. The other would need you to custom code a solution.

The no-coding option to comply with the CCPA

You can make your AdSense ads comply with the CCPA with only one click in your AdSense account.

Log in to your account and go to Blocking Controls > Content > All Sites > California Consumer Privacy Act and click on Manage CCPA settings.

Enable the Restrict data processing option, as seen below.

Restricted data processing settings in Google AdSense to comply with the CCPA
Restrict Data Processing option in your AdSense account

You can also choose this option on a per-site level. Just go to Blocking Controls > Content > [SITE] > California Consumer Privacy Act to do that.

I recommend this option to every publisher with websites that receive the most traffic from outside of California. I am pretty sure that will be the majority of you.

The simple option above enables non-personalized ads for all Californian visitors. If your site receives significant traffic from California, then it might be worth asking them for consent to show personalized ads, since they might pay better.

Unfortunately, this would mean to a) set up a dialog to ask visitors for consent and b) send the consent signal with the ad tags.

In Advanced Ads, this means you need to manage third-party ad codes using the Plain text and code ad type. You can find information on the code adjustments for Google AdSense and Google Ad Manager ad tags here.

Theoretically, you would only need to show the CCPA consent dialog to visitors from California. Visitors coming from a region that doesn’t need consent to see personalized ads should not be asked since that might decrease your revenue unnecessarily. However, loading different ad tags based on geo-location might need a lot of performance itself. So in most cases, restricting data processing in your AdSense account is the much simpler solution even for larger sites.

Using a CMP to collect consent

As with the European Transparency & Consent Framework, many consent management platforms (CMPs) already integrate with a so-called CCPA Compliance Framework that defines a standard for gathering consent. Using a CMP makes sense if you need or want to implement consent-gathering popups yourself. They also take care of the “Do Not Sell My Personal Information” link, which you might have to show to Californian visitors.

Advanced Ads automatically integrates with the TCF framework and any CMPs implementing it. We are monitoring the adaption of the CCPA framework and decide at a later point if and how we are going to integrate with the CCPA framework as well and delay ads until a visitor gives her proper consent.

Further resources