Google Ads intros ‘restricted data processing’ capability for CCPA compliance
Google will offer restricted data processing to enable businesses to comply with the California Consumer Privacy Act (CCPA), the company announced Wednesday. With restricted data processing enabled, Google will act as an affected business’ (advertiser, publisher or partner) data processing service provider. Here we’ll look at what this means for advertisers.
Restricted data processing, Google explained, will “restrict how it uses certain unique identifiers, and other data processed in the provision of services to you, to only undertake certain business purposes.”
What is the CCPA? Similar to the EU’s General Data Regulation Protection (GDPR), the CCPA provides several data privacy protections for California state residents. It is set to go into effect on January 1, 2020. Affected businesses must give California residents the ability to opt-out of the sale of their personal data on their website homepages. CCPA applies to businesses that, in part, meet one of the following criteria: Have annual gross revenue of at least $25 million; buy, receive or sell personal data of at least 50,000 consumers, households or devices; derive at least 50% of their annual revenues from selling personal data.
How restricted data processing works. With restricted data processing applied, features such as adding users to remarketing lists, similar audience seed lists will not be available. Google notes that for App campaigns this means users who download an app from an ad will continue to see ads for the app.
Conversion tracking and measurement will still work with restricted data processing as will services including ad delivery, reporting, measurement, security and fraud detection, debugging and product improvement information.
Third-party ad tracking or serving will not be affected when restricted data processing is enabled. The ads will continue to serve on the Google Display Network and other networks “unless disabled by a publisher.” Google will not respond to bid requests for cross-exchange display remarketing ads when a publisher sends an opt-out signal.
It may be implemented to apply to all users in California or on a per-user basis when users click on a “Do Not Sell My Information” link, for example.
How advertisers can enable it. Customer Match and Store Sales direct upload already operate using restricted data processing, and users don’t need to take action.
In Google Ads, setting the allow_ad_personlization_signals parameter will set the value to false and enable restricted data processing. You only need to set it once to apply it across all products configured through your global site tag (gtag). You can find more details on this help page.
For App campaigns using the Firebase SDK, disable personalized advertising features as explained here.
Google Analytics will act as a service provider for affected businesses that when they have disabled sharing with Google products and services per an addendum to its Data Processing Terms. When data sharing is disabled in Google Analytics, it will only use data collected on behalf of the customer in Google Analytics to provide Google Analytics services. That data will not be able to be used for remarketing lists, for example.
Responsibilities. Advertisers, publishers and partners working with Google are responsible for ensuring they’re using its products in compliance with CCPA, the company says. Partners “must decide for themselves when and how to enable” restricted data processing.
Restricted data processing, Google states, does not apply to “the sending or disclosure of data to third parties” that advertisers, publishers or partners work with.
Additionally, if you share data between Google products, the data will be subject to the terms of the recipient product.