Helping publishers comply with the California Consumer Privacy Act (CCPA)

Take control of the CCPA settings in AdSense

Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we do not sell personal information and we give users transparency and control over their ad experiences via My Account and several other features to help you manage your account. Per our Personalized advertising policy, we don't use sensitive information to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Google News Initiative, and ads.txt in order to support a healthy, sustainable ads ecosystem.

Google welcomes privacy laws that protect consumers. In May 2018, we launched several updates to help publishers comply with the General Data Protection Regulation (GDPR) in the EEA.

We’re building on that feature set by offering restricted data processing, which will operate as set forth below, to help publishers manage their compliance with the California Consumer Privacy Act (CCPA).

About the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a new data privacy law that establishes various rights for California state residents. The law applies to companies that do business in California and meet one of several criteria related to revenue, data processing, and other factors. CCPA requires giving residents the right to opt out of the “sale” of their “personal information” (as the law defines those terms), with the opt-out offered via a prominent “Do Not Sell My Personal Information” link on the “selling” party’s homepage. CCPA does recognize certain exceptions to the definition of “sale,” such that not all transfers of personal information are “sales.” For example, transferring personal information to a “service provider” under the law is not a sale.

Service provider terms

Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms under the CCPA, which will supplement those existing data protection terms (revised to reflect the CCPA), effective January 1, 2020. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.

Select a CCPA data processing setting

By default, data processing in Ad Manager is not restricted and personalized ads will be shown to users on your site or app. To restrict data processing and only show non-personalized ads to eligible users in California, you need to change the CCPA settings. These settings don't control data you may be sharing outside of your account, for example through mediation.

To change the CCPA data processing settings for your entire account, complete the following steps:

  1. Sign in to your AdSense account.
  2. Click Blocking Controls and then Content and then All sites.
  3. Click Manage CCPA settings.
  4. Select the option you want to apply to your AdSense account.
  5. Click Save changes.
If you choose not to restrict data processing across your account, you can restrict processing at an ad request level.

Don’t restrict data processing

This control will become available June 8, 2020.

If you choose “Don’t restrict data processing”, you can select the ad networks that are eligible to receive bid requests for users Google determines are in California.

Complete the following steps to specify eligible ad networks.

  1. Sign in to your AdSense account.
  2. Click Blocking Controls and then Content and then All sites.
  3. Click Manage CCPA settings.
  4. In the “Select ad networks” section, select the list you want to use.
    • Use Google and all active ad networks: Use the list of all available ad networks provided within this feature’s setting. Google and all active ad networks are eligible for bid requests from users Google determines are in California. New active networks are added and eligible for these requests automatically. Users in your AdSense account are notified when new ad networks are added.
    • Use custom list: Customize the list of all available ad networks to create your own custom list. Only selected ad networks are eligible for bid requests from users Google determines are in California. Under this option, users in your AdSense account are notified when new ad networks join the platform. New ad networks are not automatically added to your custom list and can be manually included.
  5. Click Save.

Restrict data processing

When a publisher enables restricted data processing, on the publisher’s instruction Google will further limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms. Google disallows all interest-based audience targeting, including demographic targeting and user list targeting when in restricted data processing mode.

Restricted data processing options:

Publishers must decide for themselves when and how to enable restricted data processing mode, based on their own compliance obligations and legal analysis. Two common scenarios are below.

  1. Some publishers may choose not to display a “Do Not Sell My Personal Information” link on their properties. Such publishers may choose to enable restricted data processing for all of their programmatic traffic for users in California via a network control. If they select this option, Google will use user IP addresses to determine the location of users and enable restricted data processing mode for any users we can detect have a California IP address.
  2. Alternatively, other publishers may choose to display a “Do Not Sell My Personal Information” link. Such publishers may choose to send a restricted data processing signal on a per-request basis once a user has opted out of the sale of their personal information.
    If you choose to enable restricted data processing either via the network control or through sending a restricted data processing signal on a per-request basis, those changes will fully take effect in serving by 11PM PT on December 12, 2019.
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue