Forum Moderators: martinibuster

Understanding CCPA

         

ubound

1:53 pm on Jan 9, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



I spent several hours studying CCPA because I would like to enable unrestricted data processing.

I have several points regarding that I don't understand:

1. According to Google Adsense, they don't sell personal information. This can be found here [support.google.com]

So if Google Adsense doesn't sell personal information and I don't, why do we even need to worry about "Do Not Sell My Personal Information" link?

2. If I were to place a "Do Not Sell My Personal Information" link, where is it supposed to go? I am only aware of the page that allows you to turn off ad personalization here [adssettings.google.com] but it doesn't seem like it will do the trick...

3. The new bill applies only to businesses that do business in California. I am not California-based and do not sell anything there, however people from California do access my website too and they could see my Adsense ads. Am I "doing business in California"?

4. The bill describes what it refers to as "business". One of the points states: "Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices."

So obviously, I receive many more visitors than 50,000 per year, even if we exclude all other locations. However, I do not store or use their information. I am not sure what Google Adsense ads do in this regard, but on my end I don't receive any info for my "business' commercial purposes". Am I considered a "business" under this bill?

I will appreciate any input.

NickMNS

4:30 pm on Jan 9, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There is some good information and an ongoing discussion in this thread.
[webmasterworld.com...]

ubound

5:06 pm on Jan 9, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



Yes, I googled and read all posts on CCPA here before posting, but they didn't answer my questions. So I hoped that maybe someone with more knowledge than me will reply here. So far, I concluded CCPA doesn't apply to me and enabled ad personalization for California. We will see how it goes.

matbennett

9:47 am on Jan 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



We've just posted a guide to this for publishers, but I'm not allowed to link it. A colleague of mine is taking the lead on CCPA here, but let me share my understanding of those points:


1. According to Google Adsense, they don't sell personal information. This can be found here [support.google.com]
So if Google Adsense doesn't sell personal information and I don't, why do we even need to worry about "Do Not Sell My Personal Information" link?


This is just my personal take. It feels to me like the interpretation is that a publisher passing personal information to Google for ad targeting (by putting Google code on the site) and getting paid (AdSense earnings) is "selling personal information". The rest of the act seems to work on this basis.

2. If I were to place a "Do Not Sell My Personal Information" link, where is it supposed to go? I am only aware of the page that allows you to turn off ad personalization here [adssettings.google.com] but it doesn't seem like it will do the trick...

You have to link it to a page that then allows the user to express that preference. You will need some form of consent management to actually carry out the instruction. In short, you'll need to save their preference and pass that instruction on to Google using the requestNonPersonalizedAds=1 method described here: [support.google.com...] (or the GAM method if using that)

3. The new bill applies only to businesses that do business in California. I am not California-based and do not sell anything there, however people from California do access my website too and they could see my Adsense ads. Am I "doing business in California"?

The law says you are doing business in California if...
* You receive 50,000 or more unique visitors from California per year on your ad-funded website, or
* You conduct 50,000 or more credit transactions per year, or
* The combined total number of visitors to your site from California and credit transactions per year equates to 50,000 or more.

4. The bill describes what it refers to as "business". One of the points states: "Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices."

So obviously, I receive many more visitors than 50,000 per year, even if we exclude all other locations. However, I do not store or use their information. I am not sure what Google Adsense ads do in this regard, but on my end I don't receive any info for my "business' commercial purposes". Am I considered a "business" under this bill?


We're probably now into the realms of "let's see how the courts interpret this". However, Google's lawyers clearly feel that a publisher using AdSense is covered by this definition. They've probably looked into this in far more depth than we will. Don't forget that the law also covers processing of personal information, which would seem to be more clearly covered.
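An added example, not part of any post in this thread: one way a publisher's opt-out page could save the visitor's preference and pass it to AdSense with the requestNonPersonalizedAds flag mentioned above. The cookie name and all function names are hypothetical; only the `adsbygoogle` queue and its `requestNonPersonalizedAds` property are Google's.

```javascript
// Assumed cookie name for the stored "Do Not Sell" choice (hypothetical).
const OPT_OUT_COOKIE = "ccpa_do_not_sell";

// Return true when a document.cookie-style string holds a stored opt-out.
function readOptOut(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // attribute without a value, e.g. "Secure"
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === OPT_OUT_COOKIE) return value === "1";
  }
  return false; // no stored choice: treated as "not opted out"
}

// Build the cookie string that persists the choice for one year.
function buildOptOutCookie(optedOut) {
  const maxAge = 365 * 24 * 60 * 60;
  return `${OPT_OUT_COOKIE}=${optedOut ? "1" : "0"}; ` +
    `Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Set the flag on the AdSense queue. Call this before the first
// adsbygoogle.push({}) so it applies to every ad request on the page.
function applyAdPreference(win, cookieHeader) {
  const queue = (win.adsbygoogle = win.adsbygoogle || []);
  queue.requestNonPersonalizedAds = readOptOut(cookieHeader) ? 1 : 0;
  return queue.requestNonPersonalizedAds;
}

// Handler for the opt-out button on the "Do Not Sell" page:
// persist the choice, then apply it to the current page as well.
function handleOptOutClick(win, doc) {
  doc.cookie = buildOptOutCookie(true);
  return applyAdPreference(win, doc.cookie);
}
```

In a browser, call `applyAdPreference(window, document.cookie)` in the page head on every page, and wire `handleOptOutClick(window, document)` to the opt-out button.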

ubound

10:15 am on Jan 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



@matbennett Thanks for taking time to write this. I guess I need to look more into it. The more I read, the more confused I become. Because if Google feels we fall under this bill, why do they say:

Publishers must decide for themselves when and how to enable restricted data processing mode, based on their own compliance obligations and legal analysis.


I enabled personalized ads last night just like that, and the revenue is higher today. I guess it really matters, unlike the EU issue last year when I didn't feel any difference by disabling personalized ads there. If you can hint somehow at the location of your guide, please do so. I will find it via Google. Thanks again.

matbennett

10:28 am on Jan 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



The "decide for yourself" line is very Googly. They're always very careful to not be giving legal advice. They did exactly the same with GDPR although then followed it up with a far stronger "in order to be compliant with OUR policy you MUST" approach.

JorgeV

10:32 am on Jan 10, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Hello-

A publisher passing personal information to Google for ad targeting (by putting google code on the site) and getting paid (adsense earnings) is "selling personal information".


If you want to go into depth, you might wonder what "passing personal information" means. Displaying AdSense on a site, the publisher is passing nothing to AdSense. The IP and referrer page are passed by the Web browser, not the publisher ... The closer definition would be that a publisher is "allowing" a third party to collect information, but it's not the publisher collecting, and it's not the publisher which is transmitting...

Is the referrer page considered "personal information"? It tells what you visited, but is it personal?

Is an IP address personal information? In the EU, it's more or less considered personal information; in fact, regulators do not all agree on the definition. Technically, an IP becomes personal information from the moment you can connect this IP to identify a physical person. Which is more or less subjective. Because, if you don't know the identity of the visitor, his IP is no longer personal information. You need to have both the identity of the person and his IP for the two to be personal information.

ubound

10:32 am on Jan 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



I mean I am only worried about being compliant with Google's policies to keep my account active. I am not in the US anyway.

matbennett

11:09 am on Jan 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



Much of that is going to depend on how judges decide to interpret it. Here in Europe we have been given clarity on the fact that an IP address counts as personal information. I don't agree with that, but I suspect that the same will happen in the US. Like you, I'd argue that (logically) a publisher isn't controlling or processing that IP when it is just passed through a tag on the page, but the lawmakers and lawyers have decided otherwise.

ubound

11:30 am on Jan 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



I don't store their IPs. There are logs in my cPanel, but in my understanding they are discarded at the end of each month. Also I don't use GA or any other analytics.

As for Adsense, I wish there was more clarity. I don't mind placing a link on my homepage, but the link should be something from Adsense since they are the ones who collect the info for commercial purposes. If I collected it myself, there would be no question. I would know what to do. But it's all about Adsense.

I am thinking to add a link to ad personalization opt-out on every page just to be safe.

matbennett

11:52 am on Jan 10, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



IP is passed from page to AdSense as part of the request. CCPA isn't just about "collecting" but I agree that small/med publishers haven't really been considered in any of this legislation. The onus is on us, yet we are generally the party with the least visibility and access to the data. Advertisers and SSPs get far more visibility but pass the buck to the publisher.

I am thinking to add a link to ad personalization opt-out on every page just to be safe.

I'd definitely do that, yes.

There are logs in my cPanel, but in my understanding they are discarded at the end of each month.

Don't even go there! There is a strong case that none of us should be doing that without permission either, but no-one is picking up on that yet.

JorgeV

1:19 pm on Jan 10, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



For example, if you use fail2ban, this is technically illegal too, regarding the GDPR / CCPA (and similar regulations).

Emails you receive are also covered by these regulations; you are not supposed to keep the emails without the explicit consent of the sender. Sending an email is NOT explicit consent!

And what about those using a CDN? This is also a third party accessing IP and URL because of "you"...

I don't know about the CCPA, but for the GDPR, anyone can ask you to delete ALL the data you have about them ... which means including in your backups. So, if you have a tar.gz (zip, or other compressed) backup of your data, to be compliant, you have to be able to go through the archive and delete the data on demand ...

etc etc..

These regulations can easily be exploited to take anyone down... Now, in the EU (I don't know about the USA), the thing is, it's not handled by the justice system, but by national watchdog regulators. It's not the same; it's "easier" to argue and negotiate with these organizations, especially if you are a small business. They will not fine you millions of euros, and unless you really, really did something bad, on purpose, you will not have a fine at all, but just a reminder of the law. Show that you did the best you could, and this will be fine. (Also, there are countries which are nicer than others. If you are in Germany or France, this is harder to work with than in other countries.)

ps: I believe that those who made these regulations should have simply excluded small businesses, like for example those under 1 million $ of earnings, or even $500.000 or $100.000.

fearlessrick

6:19 pm on Jan 11, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Franz Kafka wrote both the EU law and the CCPA, I believe.