Under CCPA, You Might Be Selling Personal Information (Part 1)

By Nic Villasenor/ Published on March 24, 2020

CCPA went into effect on January 1, 2020. Once you’ve established if CCPA applies to you, you’ll want to create a data map and carefully evaluate the privacy policies for each service you use. When you do so, you may be surprised to find that under CCPA, if you use ad networks such as Facebook and LinkedIn, you are “selling” information.

Part 1 of this blog post discusses how to become CCPA compliant if you use these ad networks for retargeting.

Part 2 of this post is a discussion of the specific language in CCPA that led us and a large number of companies to the conclusion that advertising that utilizes retargeting constitutes a sale under CCPA.

What is retargeting?

It is a form of online targeted advertising based on a consumer's previous Internet actions. Retargeting tags a consumer by including a pixel within a particular webpage or email, which sets a cookie in the user's browser. Once the cookie is set, the advertiser is able to display ads to that user elsewhere on the internet via an ad exchange (source: Wikipedia).

What are common examples of ad networks that use retargeting?

You likely utilize retargeting if you use services such as Facebook Ads, LinkedIn Ads, and Google Ads (if not in data restricted mode); if you use ad exchanges such as the Rubicon Project; or if you use demand-side platforms that connect you with ad exchanges such as Choozle.

So I use retargeted advertising. What are my options?

Because retargeting constitutes a sale under CCPA (we explain why in Part 2), you have a few options. If you choose to continue using retargeting, you must provide consumers with the right to opt out. Specifically, you must:

  1. Add a link to the bottom of your home page that reads: Do Not Sell My Personal Information

  2. Ensure the link directs the website visitor to directions for how to opt out of the cookies associated with the advertisers. We recommend linking to the opt-out portion of your privacy policy. It might read something like this:

We use retargeted advertising, a standard industry practice.

Under CCPA, our use of this practice is considered a sale. You may opt out of the sale here: https://optout.aboutads.info/.

So in this example, we directed website visitors towards a tool created by the Digital Advertising Alliance (DAA). Most of our customers exclusively use advertisers that participate in the DAA.

If you use advertisers that are not part of the DAA, you will need to do a little more work. If you built your website using a platform like Hubspot, you might be able to use some of their built-in functionality to enable people to opt out of specific advertising cookies. If your website is built using Wordpress, you will want to work with your website developer to find a plugin that can help manage cookie consent. Two other options are to use a third party consent management platform or to have your website developer build a consent management platform.

We also have some customers that simply choose to discontinue retargeted advertising. They end their relationship with ad networks such as LinkedIn and Facebook, and switch Google Ads into data restricted processing mode. Only you can decide the right approach for you. The important part is complying with CCPA, and as we’ve laid out, there are a number of ways to make the best decision for your business when it comes to advertising and honoring consumer rights provided by CCPA.

Talk To Our Team

Latest Posts

TrueVault Safe free for COVID-19 projects

Who gets rights under CCPA?

CCPA: What is Personal Information?

Mailing List