What is CCPA and how can AdSense publishers prepare for it?
The California Consumer Privacy Act, also known as CCPA, is a privacy and consumer protection bill that was passed on June 28th, 2019 in an effort to give consumers more transparency and control over how their personal information is collected, used and sold. Similar to the UK’s regulations on General Data Protection which were implemented in May 2018, CCPA goes into effect on 1st January 2020. Though the regulations will not be enforced until July 2020, it is important to ensure compliance well ahead of time.
What is CCPA?
The CCPA consists of 33 pages of legislative text that outlines how businesses are legally able to collect and use consumer information. According to the Internet Advertising Bureau (IAB), the regulations were enacted in order to provide Californian consumers with greater transparency and control over their personal information. As such, companies that do business in California are required to give users the option to explicitly opt out of the sale of their personal information. To be specific, the law states that ‘sale of personal information’ refers to “transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
With CCPA, Californian consumers will be given the authority to:
- Request that companies that have collected their personal data delete that data.
- Request to learn about the data that has been collected and sold, the companies that the data has been shared with or sold to and the reasoning for doing so.
- Request that companies do not sell or share any personal data that has been collected from them.
Businesses should provide goods and services for the same price and quality regardless of whether or not a consumer has decided to exercise their CCPA rights.
How do I know if CCPA applies to me?
CCPA impacts anyone that buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices per year. The term ‘personal information’ refers to information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In other words, ‘personal information’ can encompass anything from browsing history to geolocation data.
The privacy law will not apply to you if:
- You receive fewer than 50,000 unique visitors from California per year on your ad-funded website (this equates to around 137 per day).
- You conduct fewer than 50,000 credit transactions per year.
If your total number of online visitors and credit transactions per year combined hits the 50,000 threshold, CCPA will apply to you; for example, if you receive 35,000 visits per year from California and conduct 15,000 credit transactions. Businesses that are required to comply with CCPA and do not do so risk receiving fines of $2,500 to $7,500 per incident. This law applies even if your business does not reside in California.
To identify how many visitors you receive from California, you should:
- Log into Google Analytics.
- Go to ‘Audience’ then ‘Geo’ then click ‘Location.’
- Click on ‘United States’ in the list of countries.
- Change the date range to one year, or you could work out an average per month if you don’t have a year’s worth of data.
- Look at the total number of users for the region of California. Whether it adds up to 50,000+ (or 137 per day, depending on how you organised your data) tells you whether CCPA will apply to you.
How will CCPA impact AdSense publishers?
The main implication of CCPA for AdSense publishers will be the inability to serve personalised ads to visitors from California who have opted out, or to visitors from California in general if you have enabled automated restricted data processing. Non-personalised ads will generally generate less ad income than targeted ads.
What can I do to make sure I remain CCPA compliant?
Ultimately, if you receive 50,000 unique visits from California per year, it is your responsibility to ensure that you are CCPA compliant. If you are an AdSense publisher you are likely to have come across this warning on your dashboard:
If you click ‘Take Action’ you will see that you have two options when it comes to fulfilling your CCPA obligations:
The first option is to let Google handle it by enabling restricted data processing. This new feature allows Google to limit data use and serve only non-personalised ads. By choosing this option, AdSense publishers opt out of implementing their own consent management system, which would let visitors from California choose whether or not to withdraw their personal data from sale. When in restricted data processing mode, Google will use IP addresses to determine where a user is located and enable restricted data processing mode for any users with a California IP address. It is the publisher’s responsibility to enable restricted data processing in order to comply with CCPA, should the publisher receive 50,000 visitors from California per year.
The second option for publishers is to not restrict data processing. By selecting this option, publishers are required to implement their own consent management solution, such as Quantcast Choice. A consent mechanism will enable you to ask each visitor to consent to their information being shared with Google and act accordingly. If a user decides to opt out of the sale of their personal information, publishers can then choose to send a restricted data processing signal on a per-request basis. Restricted data processing went into full effect on AdSense on December 12, 2019.
To sum up
For the majority of AdSense publishers, the best way to ensure CCPA compliance will be to simply enable restricted data processing and let Google worry about the rest. However, if a large proportion of your visitors are from California, enabling restricted data processing will have a noticeably negative impact on your revenue. In that case, it may be worth looking into implementing your own consent mechanism so that you don’t leave money on the table by serving non-personalised ads to visitors who have not chosen to opt out.
Written by: Dolly Bagnall – Publisher Communication Assistant at OKO Digital.