Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information and we give users transparency and control over their ad experiences via My Account and several other features to help you manage your account. Per our Personalized advertising policy, we never use sensitive information to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Google News Initiative, and ads.txt in order to support a healthy, sustainable ads ecosystem.
Today, we’re building on that feature set by offering restricted data processing, which will operate as set forth below, to help publishers manage their compliance with the California Consumer Privacy Act (CCPA).
About the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a new data privacy law that establishes various rights for California state residents. The law applies to companies that do business in California and meet one of several criteria related to revenue, data processing, and other factors. CCPA requires giving residents the right to opt out of the “sale” of their “personal information” (as the law defines those terms), with the opt-out offered via a prominent “Do Not Sell My Personal Information” link on the “selling” party’s homepage. CCPA does recognize certain exceptions to the definition of “sale,” such that not all transfers of personal information are “sales.” For example, transferring personal information to a “service provider” under the law is not a sale.
Service provider terms
Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms under the CCPA, which will supplement those existing data protection terms (revised to reflect the CCPA), effective January 1, 2020. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.
Restricted data processing for publishers
When a publisher enables restricted data processing, Google will limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms. Google disallows all interest-based audience targeting, including demographic targeting and user list targeting when in restricted data processing mode.
Restricted data processing options:
Publishers must decide for themselves when and how to enable restricted data processing mode, based on their own compliance obligations and legal analysis. Two common scenarios are below.
- Some publishers may choose not to display a “Do Not Sell My Personal Information” link on their properties. Such publishers may choose to enable restricted data processing for all of their programmatic traffic for users in California via a network control. If they select this option, Google will use user IP addresses to determine the location of users and enable restricted data processing mode for any users we can detect have a California IP address.
- Alternatively, other publishers may choose to display a “Do Not Sell My Personal Information” link. Such publishers may choose to send a restricted data processing signal on a per-request basis once a user has opted out of the sale of their personal information.
If you choose to enable restricted data processing either via the network control or through sending a restricted data processing signal on a per-request basis, those changes will fully take effect in serving by 11PM PT on December 12, 2019.