Passed on June 28th 2019, the California Consumer Privacy Act, also known as CCPA, is a set of privacy and consumer protection regulations that were developed to provide more control and transparency to consumers over how personal information is collected, used and sold. The regulations are comparable to the UK’s regulations on General Data Protection (GDPR) which were enforced in May 2018. The CCPA became effective on January 1, 2020, though enforcement will not begin until July 1, 2020. This gives business six months to comply with final regulations before facing enforcement action. CCPA applies to any publisher with visitors from California, regardless of where your business is based.
What is the California Consumer Privacy Act (CCPA)?
The CCPA is a 33 page legislation which outlines the legal requirements for businesses that collect and use consumer information. CCPA asserts that California residents are entitled to:
- The right to opt-out: California residents can request that companies do not sell or share any personal data that has been collected from them.
- The right to access information: California residents can request to learn about the data that has been collected and sold, the companies that the data has been shared with or sold to and the reasoning for doing so.
- The right to data deletion: California residents can request for their personal data to be deleted by companies that have collected that data.
Regardless of which choice the consumer makes, businesses are required to provide goods and services for the same price and quality. Therefore, publishers cannot simply block the access of users that opt-out, unlike many US publishers have for EEA users subject to GDPR.
In the case of CCPA, ‘sale of personal information’ refers to “transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
How do I know if CCPA applies to me?
CCPA applies to anyone that buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices per year. In terms of publishers, this applies to any Google Ad Manager publisher that receives 50,000 visits from California residents per year. This is because GAM publishers collect personal information from visitors in order to serve targeted ads. ‘Personal information’ with respect to CCPA refers to information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This could encompass anything from search history to geolocation data.
In short, the privacy law applies to you if:
- You receive 50,000 or more unique visitors from California per year on your ad-funded website.
- You conduct 50,000 or more credit transactions per year.
- The combined total number of visitors to your site from California and credit transactions per year equates to 50,000 or more.
For example; If you receive 20,000 website visitors per year from California and conduct 30,000 credit transactions, CCPA will apply to you.
How to check the number of visitors you receive from California using Google Analytics
- Log into Google Analytics.
- Go to the ‘Audience’ tab
- Click on ‘Geo’ then ‘Location.’
- Select ‘United States’ from the list of countries.
- Change the date range to one year. Alternatively, you could work out an average per month if you don’t have a year’s worth of data. 50,000 visitors from California equates to around 137 per day.
- You can assess whether CCPA will apply to you by looking at whether the total number of users for the region of California adds up to 50,000+, or 137 per day depending on how you organised your data.
What can Google Ad Manager publishers do to ensure CCPA compliance?
In light of the enforcement of CCPA, Google has released a ‘Restricted Data Processing‘ setting across its products to help publishers remain compliant. When enabled, restricted data processing limits how Google uses data and serves only non-personalised ads. This means that ads will not be influenced by a user’s past behaviour, and are targeted through the use of contextual information.
By default, Google does not limit how users’ data is processed which means it is the publishers’ responsibility to make sure that Google Ad Manager is following privacy regulations.
Google Ad Manager publishers have two options when it comes to complying with CCPA:
Enable restricted data processing on Google Ad Manager
The first option is to let Google do the hard work by enabling restricted data processing for appropriate users at the account level. By selecting this option, Google will filter out any traffic from California and serve only non-personalised ads. By choosing not to display a “Do Not Sell My Personal Information” link, publishers are effectively leaving revenue on the table for users that would choose not to opt-out of selling their personal data.
Implement a consent mechanism
The second option for Google Ad Manager publishers is to not automatically restrict data processing for all users in California and instead implement a consent mechanism and allow users to opt-out. A consent management solution will ask each visitor to consent to their information being shared with Google and act upon that consent (or lack of). If the user opts out of the sale of their personal information, publishers can then send a restricted data processing signal on a per-request basis. This option will generally capture more revenue if users choose not to opt-out.
If using the GPT tag, you’ll need to insert the following code snippet:
How will CCPA impact publishers that use Google Ad Manager?
Publishers that do not comply with CCPA by enabling users to either opt-out, request deletion or request access to personal information risk facing fines of $2,500 up to $7,500 per incident regardless of whether your business resides in California or not. The main impact that CCPA will have on Google Ad Manager publishers will be the inability to serve personalised ads to visitors from California who have opted out of sharing their information. Alternatively, if you choose to enable restricted data processing to all programmatic traffic, non-personalised ads will be served to all traffic from California. Ads that are not targeted tend to generate less ad revenue than personalised ads.
If a large proportion of your traffic is located in California, we would recommend you implement your own consent management mechanism to reduce the loss in revenue. However, if you only receive a small amount of traffic from California you may find it easier to let Google take control and simply enable restricted data processing at account level.