Helping publishers comply with the California Consumer Privacy Act (CCPA)

Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information and we give users transparency and control over their ad experiences via My Account and several other features to help you manage your account. Per our Personalized advertising policy, we never use sensitive information to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Google News Initiative, and ads.txt in order to support a healthy, sustainable ads ecosystem.

Google welcomes privacy laws that protect consumers. In May 2018, we launched several updates to help publishers comply with the General Data Protection Regulation (GDPR) in the EEA.

Today, we’re building on that feature set by offering restricted data processing, which will operate as set forth below, to help publishers manage their compliance with the California Consumer Privacy Act (CCPA).

About the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a new data privacy law that establishes various rights for California state residents. The law applies to companies that do business in California and meet one of several criteria related to revenue, data processing, and other factors. CCPA requires giving residents the right to opt out of the “sale” of their “personal information” (as the law defines those terms), with the opt-out offered via a prominent “Do Not Sell My Personal Information” link on the “selling” party’s homepage. CCPA does recognize certain exceptions to the definition of “sale,” such that not all transfers of personal information are “sales.” For example, transferring personal information to a “service provider” under the law is not a sale.

Service provider terms

Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms under the CCPA, which will supplement those existing data protection terms (revised to reflect the CCPA), effective January 1, 2020. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.

Restricted data processing for publishers

When a publisher enables restricted data processing, Google will limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms. Google disallows all interest-based audience targeting, including demographic targeting and user list targeting when in restricted data processing mode.

Restricted data processing options:

Publishers must decide for themselves when and how to enable restricted data processing mode, based on their own compliance obligations and legal analysis. Two common scenarios are below.

  1. Some publishers may choose not to display a “Do Not Sell My Personal Information” link on their properties. Such publishers may choose to enable restricted data processing for all of their programmatic traffic for users in California via a network control. If they select this option, Google will use user IP addresses to determine the location of users and enable restricted data processing mode for any users we can detect have a California IP address.
  2. Alternatively, other publishers may choose to display a “Do Not Sell My Personal Information” link. Such publishers may choose to send a restricted data processing signal on a per-request basis once a user has opted out of the sale of their personal information. (See the Android & iOS developer documentation to learn more.)
    If you choose to enable restricted data processing either via the network control or through sending a restricted data processing signal on a per-request basis, those changes will fully take effect in serving by 11PM PT on December 12, 2019.

Restricted data processing for third-party demand

When restricted data processing mode is enabled using either the network control or a restricted data processing signal is passed via the SDK, the following happens for Open Bidding and mediation for mobile apps:

  • Open Bidding is disabled and no callouts are made to Open Bidders
  • 3rd Party Authorized Buyers are disabled and no RTB callouts are made to Authorized Buyers
  • Mediation is not disabled *
* While restricted data processing does not disable your app sending data to mediation partners, Google’s contractual commitments regarding restricted data processing do not apply to data you send to third parties. You should ensure that you’ve taken any measures with respect to such third parties as required to meet your CCPA compliance needs.
Was this helpful?
How can we improve it?