The California Consumer Privacy Act becomes enforceable on January 1, 2020. The California Attorney General can begin enforcement actions six months after final regulations are published, which means enforcement could begin as early as July 2020. Organizations that waited until 2018 to begin GDPR preparation had a painful sprint to enforcement day. Organizations that wait until Q4 2019 to begin CCPA preparation will face the same sprint in a slightly smaller window — and with a year of GDPR operational lessons to reference if they choose to use them.

The instinct in the adtech industry is to read CCPA as GDPR Lite — a similar regulatory framework with a shorter compliance checklist, applying to a single US state rather than 28 EU countries. That framing is partially accurate and partially misleading. CCPA shares GDPR’s fundamental concern — giving consumers meaningful rights over how their personal information is used — but the operational implementation is different in ways that matter specifically for programmatic advertising.

The distinction that matters most for adtech: GDPR requires an affirmative opt-in for most data processing. CCPA requires an opt-out mechanism, specifically the right to tell businesses “do not sell my personal information.” These are structurally different compliance models, and the difference shapes every aspect of how adtech organizations need to respond.

CCPA vs GDPR: Where the Differences Actually Matter

The opt-in versus opt-out distinction is the most important structural difference between GDPR and CCPA for programmatic operations. Under GDPR, a business needs a lawful basis for processing personal data before processing begins — for behavioral advertising, this generally means consent. Under CCPA, a business can continue to collect and use consumer data unless the consumer exercises their right to opt out of the sale of their personal information.

This means CCPA does not require pre-consent for data processing the way GDPR does. A programmatic operation can continue to collect behavioral data, build audience segments, and run targeted advertising without first obtaining an opt-in consent signal — unless and until a California consumer exercises their “Do Not Sell” right. This is a less burdensome default position than GDPR, but it creates a specific operational requirement that is technically non-trivial.

The “Do Not Sell My Personal Information” mechanism must be a prominent, specific opt-out process. CCPA requires that covered businesses provide a “Do Not Sell My Personal Information” link on their homepage. When a California consumer clicks that link and opts out, the business must stop selling their personal information to third parties for 12 months without the consumer reinitiating an opt-out. “Sale” under CCPA is defined broadly enough to encompass many standard adtech data sharing practices — including the data that flows from a publisher to an SSP, exchange, and DSP in a standard programmatic impression.

What “Do Not Sell My Personal Information” Means for a DSP Operationally

The operational question for programmatic operations is: what does a “Do Not Sell” signal look like in a bid request, and how does a DSP honor it?

Under GDPR, IAB Europe’s Transparency and Consent Framework provided a technical mechanism for propagating consent signals through the programmatic supply chain. The US version is the IAB CCPA Compliance Framework, which is in early development as of this writing. The framework will define a US Privacy Signal — a string that conveys opt-out status — that publishers and CMPs can include in bid requests, enabling downstream DSPs to suppress targeting data processing for opted-out users.

The IAB’s CCPA Compliance Framework is the technical standard the industry is coalescing around for CCPA signal propagation. The framework borrows architectural lessons from the TCF but is adapted for CCPA’s opt-out model rather than GDPR’s opt-in consent model. DSPs that implemented TCF parsing for GDPR have a technical foundation to build CCPA signal parsing on, but the specific implementation is different.

For a DSP, an opted-out California user means: no behavioral data can be appended to bid requests for that user, no data about that user can be shared with third-party data partners, and no audience segment data based on that user’s behavior can be sold or shared. The impression can still be filled — contextual targeting and non-personal demographic targeting are not prohibited — but the behavioral personalization layer must be suppressed for opted-out users.

Which AdTech Practices Are Most Exposed Under CCPA

Not all adtech data practices carry the same CCPA risk. Understanding which practices are most exposed to “Do Not Sell” restrictions helps prioritize compliance work.

Data broker relationships are the highest exposure category. When a DSP or DMP purchases third-party data about California consumers from a data broker, uses it to build audience segments, and then sells those segments to buyers, the chain includes multiple “sales” of personal information under CCPA’s broad definition. Every data purchase and data sale in the chain needs to be evaluated against CCPA’s “sale” definition.

Publisher-to-exchange data flows are exposed in ways that publishers may not have anticipated. When a publisher passes user cookie or device ID data to an SSP in a programmatic bid request, CCPA may classify this as a “sale” of personal information, triggering disclosure and opt-out requirements for the publisher. Publishers who have not thought of themselves as data sellers may need to reconsider that characterization.

Retargeting and CRM onboarding are lower risk if the consumer relationship is direct and disclosure has been made, but the consent documentation requirements need to be evaluated. First-party data from a direct customer relationship is less exposed than third-party data purchases, but CCPA still requires disclosure of data categories collected and purposes of use.

Lookalike audience modeling, which takes seed audiences and expands them to similar users through probabilistic modeling, involves processing data about users who have no direct relationship with the advertiser. The California consumers in a lookalike expansion audience have a right to know their data is being used and to opt out. This is a practice that deserves careful legal review under CCPA.

What GDPR Taught Us That Applies to CCPA

The GDPR operational experience, now seven months in, offers real lessons for CCPA preparation.

Start early and don’t wait for final regulations. GDPR enforcement began with significant uncertainty about how regulators would interpret specific provisions, and that uncertainty did not resolve before May 25, 2018. CCPA is in the same position: regulations are still being drafted by the California AG’s office, and amendment legislation is moving through the California legislature. Waiting for regulatory certainty before beginning compliance work guarantees insufficient preparation time.

Data inventory is the foundation for everything. Organizations that had mapped their data flows — what personal data they hold, where it came from, how it’s processed, what third parties it’s shared with — were far better positioned for GDPR compliance than those who started that mapping exercise in early 2018. CCPA requires the same foundation. Begin the data flow mapping now.

Technical infrastructure takes longer than estimated. The TCF implementation experience demonstrated that even well-designed technical standards take months to propagate across a diverse supply chain. The IAB’s CCPA framework is still in development. The DSP-side implementations will follow after the standard is finalized. Organizations that need to implement consumer opt-out signals across their publisher, SSP, and DSP relationships should expect significant lead time.

Vendor review matters. Every data vendor, data partner, and adtech provider in your stack will need to demonstrate CCPA compliance capability. The vendor assessment process — reviewing contracts, conducting due diligence on data practices, ensuring data processing agreements reflect CCPA obligations — took months under GDPR for organizations with significant vendor ecosystems. CCPA vendor review should begin now.

The California Attorney General’s CCPA information page is the authoritative source for current law text and regulatory guidance as it develops. Watching this page for regulation updates is necessary operational practice for compliance teams.

The Lessons That Don’t Transfer Directly

GDPR was a consent architecture project. CCPA is an opt-out architecture project. The user-facing consent management platforms built for GDPR are not directly reusable for CCPA — the interaction design, the legal disclosures, and the backend consent storage all need adjustment for an opt-out rather than opt-in model.

GDPR’s Data Protection Officer (DPO) requirement — a mandatory privacy governance role for some organizations — has no direct CCPA analog. CCPA creates different roles and rights (access, deletion, portability, non-discrimination) that map partially but not completely to GDPR’s data subject rights.

GDPR’s enforcement structure — through national Data Protection Authorities with coordination mechanisms — is different from CCPA’s California AG enforcement model. The GDPR enforcement experience, where DPAs investigated specific complaints and industries, may not accurately predict how the California AG will prioritize enforcement. CCPA also includes a private right of action for data breaches, which is distinct from GDPR’s framework and creates litigation risk beyond regulatory enforcement.

The overarching lesson that transfers is strategic: consumer privacy expectations are shifting, regulatory frameworks are moving to reflect those expectations, and adtech organizations that build privacy-respecting data practices proactively will be better positioned than those that build the minimum compliance necessary to avoid immediate enforcement. CCPA is not the last US privacy regulation. It is the first major one.


Frequently Asked Questions

What is the basic difference between CCPA and GDPR compliance for programmatic advertisers?

GDPR requires an affirmative opt-in consent for most behavioral data processing — you need user permission before processing begins. CCPA requires an opt-out mechanism — you can process data by default, but California consumers must be given a clear “Do Not Sell My Personal Information” option, and when they exercise it, you must stop selling their data to third parties. GDPR is more restrictive at the front end; CCPA creates an ongoing opt-out honoring obligation.

Does CCPA apply to businesses outside California?

CCPA applies to for-profit businesses that collect personal information from California residents and meet one of three thresholds: annual gross revenue over $25 million, annual sale of personal information of 50,000 or more consumers, or derivation of 50 percent or more of revenue from selling personal information. California residents’ data is protected wherever the business is located — a New York adtech company serving California users is subject to CCPA if it meets the threshold criteria.

What is a “sale” of personal information under CCPA?

CCPA defines “sale” broadly to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating consumer personal information to a third party for monetary or other valuable consideration. This broad definition encompasses many standard adtech data flows, including DSP data marketplace transactions and data onboarding from publisher to exchange. Organizations should not assume that data sharing arrangements that don’t involve direct payment fall outside CCPA’s sale definition.

What are the penalties for CCPA violations?

The California Attorney General can seek civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. For a DSP processing millions of California user records, the per-violation exposure can aggregate to significant amounts for systemic violations. CCPA also includes a private right of action for data breaches, allowing California consumers to seek statutory damages of $100 to $750 per consumer per incident, creating class action litigation exposure that is separate from AG enforcement.