CCPA, California’s New Privacy Law

Ever since GDPR (General Data Protection Regulation) revolutionized the conversations of everyone with digital advertising interests in the EU, companies in the US have had to make a decision: withdraw from the EU, make preparations to be compliant, or follow suit and apply a similar standard in the US. CCPA is California’s approach to privacy and consumer data. With the industry evolving rapidly and new systems and processes being introduced, there is a need for regulations that enforce best practices. Privacy, and how consumer data is currently being processed by different parties, has become one of the biggest concerns, especially since the Cambridge Analytica scandal. In this article, you will learn more about what CCPA is, how it works, who it applies to, and what you may need to do in order to be compliant.



CCPA stands for California Consumer Privacy Act, which came into effect on 1st January 2020, with enforcement beginning from 1st July 2020. While GDPR protects the data and privacy of consumers within the European Union and the European Economic Area, CCPA is more specific to the processing of consumer data, enhancing privacy rights and consumer protection in California.


The CCPA bill gives consumers three rights:

  1. Consumers can request that a business disclose what personal information is collected, the business purposes for collecting or selling the information, and the third parties with which the information is shared.
  2. Consumers can instruct businesses not to sell their data. By definition, selling means a transfer of information for commercial purposes. However, the bigger players argue they do not sell data, but just enable targeting for advertisers using the data.
  3. Consumers can ask businesses to delete their data unless doing so would create a security threat or interfere with someone else’s free speech.

The bill also prohibits a business from selling the personal information of a consumer under 16 years of age, unless that consumer has purposely opted in or the parent of the individual gives consent. More information about the bill can be found here.

The CCPA applies to all businesses that process, collect, share, or sell the personal data of Californian consumers. This means that if your website, or any ad tech vendors or other third-party services you’re working with, process personal data in California, then you may need to take the necessary steps to comply with the law.


There are different reasons why a website might need personal information from a consumer. The site may be used for trading products or services with consumers and may need to store buyers’ emails, billing information or addresses in order to contact them or send a product. A site may also use website analytics to measure how readers are consuming content, such as how many users are clicking through to other articles. Even the ad servers used by websites may process consumer data in order to target relevant advertising to relevant users.

A website that collects data, or uses tools that collect data, not only needs to share how a consumer’s data is being processed, but will also need consent from that user in accordance with GDPR and CCPA. This is usually done in the form of a consent notice or popup, which you may often see when visiting a website for the first time.

However, there are some cases where consent would not be necessary. This is usually the case when another law requires the use of this data, i.e. if the law requires a business to have this data for auditing purposes, then asking for consent would be irrelevant, as the data will be stored regardless.

To verify with third-party tools which users have opted in or opted out, websites use a Consent Management Platform (CMP). When a consent notice is displayed to a consumer, they have a choice to share their data or not, for the purposes outlined in the notice. For every opt-in or opt-out, consent flags are registered and sent to third-party services so that they know whether or not they can collect data on that user.


As mentioned, consumers have the right under CCPA to request access to the personal information a business has collected about them and also to request that it be deleted. If a consumer believes a business is violating their privacy, or violating the CCPA, they can submit a complaint directly to the California attorney general through this link by filling out a form.

From what we see of this new law, there are two main financial implications for publishers: one is legal costs, as publishers may need to hire a lawyer who specializes in CCPA to ensure compliance, and the other is technical costs, as publishers may also need to implement a CMP to manage consent flags from their consumers.


The California law highlights privacy concerns to consumers and puts pressure on the US Congress to act at a national level, especially as many companies in the US not only have to comply if they operate within the EU but now may also have to comply with a patchwork of individual state requirements, starting with CCPA. Other states may try to push their own bills through and the Senate is considering a number of bills, but the argument remains whether the onus should be on everyday Americans having the ability to sue companies who violate the regulations or whether there should be tougher state regulations that can be enforced. With California currently leading the way with the CCPA, the longer it remains out in front, the more other states may have to follow its lead.


One thing that can be guaranteed from all of this is that privacy regulations are here to stay in the US. After reading this article, you should hopefully know more about CCPA and how it might affect your website.