California's Consumer Privacy Act (CCPA) gives California residents specific rights over their personal information. If your AdSense website has California visitors, understanding CCPA is essential for compliance.
CCPA is often called "California's GDPR" but with important differences. This guide explains what CCPA means for AdSense publishers and how to ensure your website meets the requirements.
What You Will Learn:
- What CCPA requires and who it applies to
- Consumer rights under California law
- How CCPA affects AdSense advertising
- Steps to achieve compliance
- Required website disclosures
What Is CCPA?
The California Consumer Privacy Act (CCPA) is a state privacy law that took effect January 1, 2020. It was later amended by the California Privacy Rights Act (CPRA) which took full effect January 1, 2023.
Key CCPA Provisions
- Consumer rights: Know, delete, opt-out, and non-discrimination rights
- Business obligations: Disclosure, response to requests, data protection
- Enforcement: California Attorney General and private right of action
- Penalties: Up to $7,500 per intentional violation
CCPA vs GDPR
| Aspect | CCPA | GDPR |
|---|---|---|
| Consent model | Opt-out | Opt-in |
| Geographic scope | California residents | EU residents |
| Business size threshold | Yes | No |
| Sale of data focus | Central | Less prominent |
| Maximum penalty | $7,500/violation | 4% global revenue |
"CCPA gives consumers more control over the personal information that businesses collect about them."
— California Office of the Attorney General
Who Must Comply?
CCPA applies to for-profit businesses that collect California residents' personal information and meet one of three thresholds.
CCPA Threshold Requirements
Your business must comply if it meets ANY of these:
- Revenue: Annual gross revenue over $25 million
- Data volume: Buy, sell, or share data of 100,000+ consumers/households annually
- Data revenue: 50% or more revenue from selling consumer data
What About Small Publishers?
Many small AdSense publishers may not meet these thresholds. However:
- Thresholds are based on total business, not just website
- Some publishers exceed 100,000 unique visitors annually
- Best practice is compliance regardless of size
- Other state laws may have different thresholds
CPRA Updates
The California Privacy Rights Act (CPRA) modified some requirements:
You might also find helpful: Cookie Consent for AdSense: GDPR and CCPA Compliance Guide 2026 →
- Created California Privacy Protection Agency
- Added "sensitive personal information" category
- Extended data minimization requirements
- Expanded consumer rights
Consumer Rights Under CCPA
CCPA grants California residents several rights regarding their personal information.
Right to Know
Consumers can request information about:
- Categories of personal information collected
- Specific pieces of data collected
- Sources of collection
- Business purposes for collection
- Third parties data is shared with
Right to Delete
Consumers can request deletion of their personal information, with some exceptions:
- Complete transactions
- Security purposes
- Legal compliance
- Internal uses compatible with consumer expectations
Right to Opt-Out
Consumers can opt out of the "sale" of their personal information. Under CCPA, "sale" broadly includes sharing data for valuable consideration, which can include advertising.
Right to Non-Discrimination
Businesses cannot discriminate against consumers who exercise their CCPA rights:
You might also find helpful: Terms of Service Template: Legal Protection for Your Website [2025] →
- No denying goods or services
- No charging different prices
- No providing different quality
Right to Correct (CPRA)
Added by CPRA, consumers can request correction of inaccurate personal information.
CCPA Impact on AdSense
AdSense and behavioral advertising involve collecting and sharing data, which has CCPA implications.
What Data AdSense Collects
Through your website, AdSense may collect:
- IP addresses
- Cookie identifiers
- Device information
- Browsing behavior
- Ad interaction data
Is AdSense Data Sharing a "Sale"?
This is a complex legal question. Under CCPA's broad definition:
- Sharing data for personalized advertising may qualify as "sale"
- Receiving ad revenue based on data could be consideration
- Google provides tools to handle opt-out requests
Google's CCPA Support
Google provides tools for CCPA compliance:
Related reading: DMCA Protection for Blogs: Complete Guide to Stop Content Theft →
- Restricted data processing mode
- US Privacy signal support
- IAB CCPA compliance framework integration
- Publisher controls in AdSense dashboard
Compliance Steps
Follow these steps to achieve CCPA compliance for your AdSense website.
Step 1: Assess Your Status
- Determine if you meet CCPA thresholds
- Identify California traffic percentage
- Map data collection on your site
- Document third-party data sharing
Step 2: Update Privacy Policy
- Add CCPA-specific disclosures
- List consumer rights
- Describe data collection categories
- Explain how to submit requests
Step 3: Implement Opt-Out
- Add "Do Not Sell My Personal Information" link
- Create opt-out process
- Configure AdSense restricted data processing
- Honor Global Privacy Control signals
Step 4: Build Request Handling
- Create process for consumer requests
- Verify requestor identity
- Respond within 45 days
- Document all requests and responses
Step 5: Train and Monitor
- Train anyone handling consumer requests
- Monitor compliance regularly
- Update processes as laws change
- Keep records of compliance efforts
Privacy Policy Updates
Your privacy policy must include specific CCPA disclosures.
Required Privacy Policy Elements
| Element | Description |
|---|---|
| Categories collected | List types of personal information |
| Sources | Where you collect data from |
| Business purposes | Why you collect and use data |
| Third parties | Who you share data with |
| Consumer rights | CCPA rights and how to exercise them |
| Contact info | How to submit requests |
Personal Information Categories
CCPA defines categories you should list if collected:
- Identifiers (name, email, IP address)
- Commercial information (purchase history)
- Internet activity (browsing, search history)
- Geolocation data
- Professional information
- Inferences drawn from above
Sample Disclosure Language
California Privacy Rights
If you are a California resident, you have
specific rights regarding your personal information:
- Right to Know what data we collect
- Right to Delete your personal information
- Right to Opt-Out of sale of personal information
- Right to Non-Discrimination for exercising rights
To exercise these rights, contact us at [email]
or use our "Do Not Sell" link below.Do Not Sell Link
If you "sell" personal information, you must provide a clear opt-out mechanism.
Link Requirements
- Must say "Do Not Sell My Personal Information" or similar
- Must be clearly visible on homepage
- Should also appear in footer of all pages
- Must link to functioning opt-out process
Implementation Options
-
Dedicated page:
Create a page explaining what opting out means and providing a form
You might also find helpful: Affiliate Disclosure & FTC Requirements: How to Stay Compliant →
-
Cookie consent tool:
Many tools include CCPA opt-out functionality
-
Global Privacy Control:
Honor GPC browser signals automatically
AdSense Restricted Data Processing
When users opt out, enable restricted data processing:
- Go to AdSense → Privacy & messaging
- Configure CCPA message or US Privacy settings
- Set up restricted ads for opted-out users
- Test that the configuration works
"Restricted data processing limits the personal information used for ad selection, making ads contextual rather than behavioral."
— Google AdSense Help
For more on privacy compliance with AdSense, see our guide on GDPR compliance for AdSense.
Learn more in CCPA Compliance for Website Owners: What You Need to Know in 2025 →
Frequently Asked Questions
Do I need to comply if I am not based in California?
Yes, if you meet the thresholds and collect personal information from California residents. CCPA applies based on where your users are located, not where your business is located. If you have California traffic and meet the thresholds, you must comply.
Is using AdSense considered "selling" data?
This is legally uncertain. The broad CCPA definition of "sale" includes sharing data for valuable consideration. Since you receive ad revenue partially based on user data, it may qualify. The safest approach is to provide opt-out options and use restricted data processing for users who opt out.
What happens if I do not comply with CCPA?
Non-compliance can result in penalties up to $2,500 per unintentional violation and $7,500 per intentional violation, enforced by the California Attorney General. Consumers also have a private right of action for data breaches involving certain personal information.
Can I just block California users instead?
While technically possible, this is generally not recommended. California represents a significant portion of US internet traffic and ad revenue. The compliance requirements are manageable and blocking users could significantly impact your earnings.
Do other states have similar laws?
Yes, several states have enacted comprehensive privacy laws, including Virginia, Colorado, Connecticut, and Utah, with more expected. Many follow similar structures to CCPA or GDPR. Building CCPA compliance now helps prepare for other state laws.
