CCPA/CPRA for Digital Advertising

About CCPA/CPRA

The CCPA, as amended by CPRA, is California's comprehensive privacy law giving residents control over their personal information. It applies to for-profit businesses that collect California residents' data and meet certain thresholds. CPRA expanded CCPA to include additional protections and created the California Privacy Protection Agency.

Governing Body: California Privacy Protection Agency (CPPA) and California Attorney General

Who Must Comply

• • Businesses with $25M+ annual revenue
• • Businesses handling 100,000+ California consumers' data
• • Businesses earning 50%+ revenue from selling personal information
• • Businesses meeting any one of these thresholds

Key Requirements

• • Provide "Do Not Sell or Share My Personal Information" link
• • Honor consumer requests within 45 days
• • Disclose data collection practices in privacy policy
• • Implement reasonable security measures
• • Limit use of sensitive personal information
• • Provide opt-out of automated decision-making
• • Maintain records of consumer requests for 24 months
• • Train employees handling consumer requests

Digital Advertising-Specific Requirements

• • Implement Global Privacy Control (GPC) signal recognition
• • Honor opt-out of cross-context behavioral advertising
• • Limit data retention to what's necessary
• • Provide opt-out for "sharing" (not just selling)
• • Obtain opt-in consent for minors under 16
• • Establish data processing agreements with partners

Common Violations in Digital Advertising

• • Ignoring Global Privacy Control signals
• • Making opt-out difficult or confusing
• • Continuing to sell data after opt-out
• • Inadequate privacy policy disclosures
• • Not honoring deletion requests fully
• • Lacking proper vendor agreements

Penalties

Up to $2,500 per unintentional violation and $7,500 per intentional violation. Private right of action for data breaches allows $100-$750 per consumer per incident.