CCPA (California Consumer Privacy Act)
California privacy law giving consumers rights over their personal data and how it is sold.
What is CCPA?
The California Consumer Privacy Act (CCPA), as amended by the CPRA (California Privacy Rights Act), is a state-level privacy law that grants California residents specific rights over their personal information. For publishers, the most relevant provisions include the requirement to disclose what personal information is collected, the right for consumers to opt out of the "sale" or "sharing" of their personal information, and the obligation to honor opt-out requests.
In the ad tech context, sharing user data with advertising partners for targeted advertising is generally considered "selling" or "sharing" personal information under CCPA. This means publishers must provide California users with a mechanism to opt out of targeted advertising, typically through a "Do Not Sell or Share My Personal Information" link.
Why It Matters for Publishers
CCPA applies to publishers that meet certain thresholds: annual gross revenue over $25 million, buying or selling personal information of 100,000+ consumers/households, or deriving 50%+ of revenue from selling personal information. Many mid-to-large publishers meet at least one of these criteria.
Unlike GDPR, CCPA operates on an opt-out model rather than opt-in. You can serve targeted ads to California users by default, but must provide and honor opt-out mechanisms. Users who opt out must be served non-personalized ads, which typically earn lower CPMs.
Best Practices
- Add a visible opt-out link: Place a "Do Not Sell or Share My Personal Information" link in your footer and privacy policy. This is legally required and should be easy to find.
- Support the IAB US Privacy Framework: The IAB's US Privacy String (USP String) standardizes how opt-out signals are communicated to ad tech partners. Implement this through your CMP.
- Support Global Privacy Control: California law requires publishers to honor GPC (Global Privacy Control) signals sent by browsers. Ensure your consent management system detects and respects GPC headers.
- Update your privacy policy: CCPA requires specific disclosures about the categories of personal information collected, sold, and shared. Your privacy policy must include these details along with instructions for exercising consumer rights.
- Train your team: Anyone who handles consumer data requests must understand CCPA requirements. Establish a process for responding to consumer requests within the legally mandated 45-day window.
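
The US Privacy String and Global Privacy Control items above can be combined server-side as in the following added example, which is not from the original page or from any CMP vendor. Function and parameter names are hypothetical, and `ccpaApplies` is assumed to be decided elsewhere (for example by your CMP).

```javascript
// Added example. Sample requests in the test are constructed.

// GPC arrives as the request header "Sec-GPC"; the only defined value is "1".
// Header names are case-insensitive, and a header may be repeated (array value).
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const values = Array.isArray(value) ? value : [value];
    if (values.some((v) => String(v).trim() === '1')) return true;
  }
  return false;
}

// IAB US Privacy String v1 has four characters:
//   [0] version, [1] notice given, [2] opted out of sale, [3] LSPA covered.
// Positions 1-3 are Y, N, or "-" (not applicable); "1---" means CCPA does not apply.
function buildUspString({ applies, noticeGiven, optedOut, lspaCovered }) {
  if (!applies) return '1---';
  const yn = (flag) => (flag ? 'Y' : 'N');
  return '1' + yn(noticeGiven) + yn(optedOut) + yn(lspaCovered);
}

// Validate a string received from elsewhere before trusting it; null if malformed.
function parseUspString(s) {
  if (typeof s !== 'string' || !/^1[YN-]{3}$/.test(s)) return null;
  return { version: 1, notice: s[1], optOutSale: s[2], lspa: s[3] };
}

// Merge the two opt-out sources: the footer-link choice stored for the user
// and the browser's GPC signal. Either one is enough to opt the user out.
function resolvePrivacySignals({
  headers,
  ccpaApplies,
  storedOptOut = false,
  noticeGiven = true,   // assumption: the opt-out link and notice are displayed
  lspaCovered = false,  // assumption: publisher is not an LSPA signatory
}) {
  const gpc = hasGpcSignal(headers);
  const optedOut = Boolean(storedOptOut) || gpc;
  const usp = buildUspString({ applies: ccpaApplies, noticeGiven, optedOut, lspaCovered });
  // Opted-out users in scope must get non-personalized ads.
  return { gpc, optedOut, usp, personalizedAds: !(ccpaApplies && optedOut) };
}
```

Pass the resulting `usp` value to ad partners and gate targeted ad calls on `personalizedAds`.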