The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), impose significant obligations on organizations engaged in advertising technology (AdTech). This guide provides a comprehensive overview of how these regulations impact the sale and sharing of personal information for advertising purposes, equipping businesses with the knowledge to navigate compliance effectively.
| Regulation | CCPA/CPRA |
|---|---|
| Max Penalty | USD 7,500 per intentional violation |
| Enforcing Authority | California Privacy Protection Agency (CPPA) |
| Official Source | California Privacy Rights Act |
What Is CCPA/CPRA?
The California Consumer Privacy Act (CCPA), enacted in 2018, was a landmark legislation aimed at enhancing consumer privacy rights in California. It was significantly amended by the California Privacy Rights Act (CPRA), which came into effect on January 1, 2023. Together, these laws provide California residents with rights regarding their personal information, including the right to know what data is collected, the right to delete personal data, and the right to opt-out of the sale of their personal information. The CPRA also introduced the concept of “sensitive personal information,” which requires additional protections.
The CCPA/CPRA is particularly relevant to the AdTech industry, where personal information is often sold or shared for targeted advertising purposes. Organizations must understand how these regulations define “sale” and “sharing” of personal information, as these definitions directly impact compliance obligations. The enforcement of these regulations falls under the jurisdiction of the California Privacy Protection Agency (CPPA), which has the authority to impose penalties for non-compliance.
Who Must Comply
Compliance with the CCPA/CPRA is mandatory for businesses that meet specific criteria. Organizations must comply if they collect personal information from California residents and meet at least one of the following thresholds: they have annual gross revenues exceeding $25 million, they buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices annually, or they derive 50% or more of their annual revenues from selling consumers’ personal information.
It is essential for organizations engaged in AdTech to assess whether they fall within these thresholds. Even if a business operates outside California, it may still be subject to the CCPA/CPRA if it collects personal information from California residents. This extraterritorial reach underscores the importance of understanding the regulatory landscape, especially for companies that operate online.
Core Compliance Requirements
Lawful grounds for processing. Organizations must ensure that every processing activity related to personal information is tied to a recognized legal basis. Under the CCPA/CPRA, the primary grounds for processing personal information include consumer consent, contractual necessity, and legitimate interests. For AdTech companies, obtaining explicit consent from users before collecting or sharing their data is crucial, particularly when sensitive personal information is involved.
Transparency and notice. Data subjects must receive clear, accessible information about what data is collected, how it is used, and with whom it is shared. The CCPA/CPRA mandates that businesses provide a “Notice at Collection” at or before the point of data collection. This notice should detail the categories of personal information collected and the purposes for which the information will be used. For AdTech companies, this means being transparent about data collection practices and ensuring that users are informed about how their data will be utilized for advertising purposes.
Consumer rights. The CCPA/CPRA grants consumers specific rights regarding their personal information. These rights include the right to know, the right to delete, the right to opt-out of the sale of personal information, and the right to non-discrimination for exercising these rights. AdTech companies must implement mechanisms to facilitate these rights, such as providing an easy-to-use opt-out option for consumers who do not wish to have their data sold or shared for advertising purposes.
Data minimization and purpose limitation. Organizations should only collect personal information that is necessary for the specific purposes disclosed to consumers. This principle of data minimization is particularly relevant in the AdTech sector, where companies often collect vast amounts of data. By limiting data collection to what is necessary for advertising purposes, organizations can reduce their compliance burden and enhance consumer trust.
Security measures. The CCPA/CPRA requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. AdTech companies must assess their data security measures and ensure that they are adequate to protect the personal information they collect and process.
Penalties and Enforcement
The enforcement of the CCPA/CPRA is primarily the responsibility of the California Privacy Protection Agency (CPPA). The agency has the authority to investigate complaints and impose penalties for violations of the law. Organizations that fail to comply with the CCPA/CPRA may face significant financial penalties, with a maximum of USD 7,500 per intentional violation. This can result in substantial financial liability for companies that do not take compliance seriously.
In addition to financial penalties, non-compliance can lead to reputational damage and loss of consumer trust. Organizations in the AdTech industry must prioritize compliance to avoid these consequences, as consumers are increasingly aware of their privacy rights and are likely to choose businesses that respect those rights.
Building a Defensible Compliance Program
To effectively navigate the complexities of the CCPA/CPRA, organizations should establish a robust compliance program. This program should include the following steps:
-
Conduct a data inventory to identify what personal information is collected, processed, and shared.
-
Assess the legal basis for each processing activity and ensure compliance with the CCPA/CPRA requirements.
-
Develop and implement a comprehensive privacy policy that outlines data collection practices and consumer rights.
-
Create mechanisms for consumers to exercise their rights, including opt-out options and deletion requests.
-
Train employees on compliance requirements and data protection practices.
-
Implement security measures to protect personal information from unauthorized access and breaches.
-
Monitor compliance regularly and adjust practices as necessary to align with evolving regulations.
-
Engage with legal counsel or privacy experts to ensure ongoing compliance and address any regulatory changes.
Practical Implementation Priorities
Data mapping. Organizations should prioritize mapping their data flows to understand how personal information is collected, used, and shared. This mapping exercise will help identify potential compliance gaps and inform the development of privacy policies and practices.
Consumer opt-out mechanisms. Implementing effective opt-out mechanisms is crucial for compliance. Organizations should ensure that consumers can easily opt-out of the sale of their personal information, and these mechanisms should be prominently displayed on websites and applications.
Privacy policy updates. Regularly updating privacy policies to reflect current practices and compliance with the CCPA/CPRA is essential. Organizations should ensure that their privacy policies are clear, concise, and easily accessible to consumers.
Training and awareness. Employee training on privacy compliance is vital for fostering a culture of privacy within the organization. Employees should be aware of their responsibilities regarding personal information and understand the implications of non-compliance.
Regular audits. Conducting regular audits of data practices and compliance measures will help organizations identify areas for improvement and ensure ongoing adherence to the CCPA/CPRA requirements.
Run a Free Privacy Scan
Before building a compliance program, an automated scan of your public-facing properties identifies the gaps that carry the most immediate regulatory risk — undisclosed trackers, consent mechanism failures, data sharing without adequate notice, and policy misalignments. BD Emerson’s privacy scanner produces a detailed findings report against CCPA/CPRA requirements within minutes.
Run your free scan or speak with a privacy expert to discuss your compliance obligations under CCPA/CPRA and build a prioritized remediation plan.
Regulatory Crosswalk
Organizations subject to this regulation often operate under these overlapping frameworks: GDPR consent for AdTech, ePrivacy, VCDPA. BD Emerson maps controls across frameworks to reduce duplicated compliance effort.