
The California Consumer Privacy Act (CCPA) Starts in 2020

engine

12:52 pm on Jan 3, 2020 (gmt 0)

The California Consumer Privacy Act (CCPA) starts in January 2020, and I wonder what you've done to comply.

Although it relates just to Californians, many are viewing this as a step forward in privacy in the same way the E.U.'s GDPR was a move forwards.


[oag.ca.gov...]

RhinoFish

5:55 pm on Jan 3, 2020 (gmt 0)

We plan to stay small, to avoid it. Hahaha!

iamlost

1:34 am on Jan 4, 2020 (gmt 0)

Disclaimer: I am not a law-type-person, the following is not legal advice; always take your specifics to a competent qualified lawyer.

That said, if:
1. your annual gross revenue is less than 25 million USD or
2. your sale of consumers' PII is less than 50% of annual gross revenue or
3. you buy/receive/sell PII on less than 50,000 consumers annually
you can ignore the CCPA as those are the thresholds defining a business under the act.

Having complied with GDPR regulation via appropriate pseudonymisation (aka I recognise you but haven’t a clue who you are), my sites already meet the CCPA's ‘depersonalisation’ exception. And as my sites inform and get appropriate GDPR-required opt-in consent from every visitor, not just those in the EU...
Note: done well it is a strong trust signal rather than a scarecrow.

phranque

2:23 am on Jan 4, 2020 (gmt 0)

you buy/receive/sell PII on less than 50,000 consumers annually

in some cases this includes sites that attract an average of 137 or more daily uniques.

mcneely

6:15 am on Jan 4, 2020 (gmt 0)

I've spent the past few months removing Facebook scripting from *some of my sites, so I can't stand accused of collecting the data of others, albeit ever so by proxy. /sarcasm

The California law is designed to give its residents a false sense of comfort and security because that's what "feel good legislation" does.

... Big Tech is so engrained into the fabric of the internet that laws like this will never prevent it from collecting your data ...

California is just trying to stay relevant in a world whose most recent technologies are built specifically for data collection .. If Californians were so worried about data privacy, they would outlaw the use of certain data collection tools such as Google Chrome, Windows 10, Android OS ... things like SIRI or Cortana ... all of the other so-called IoT writes that run their refrigerators, microwaves, and in-home security systems ...

Legislation like this reminds me of the 3 year old that sits on the kitchen floor banging pots and pans together because that's all he knows how to do ... it doesn't really serve a useful purpose at all other than just to make a bit of noise and to garner a bit of attention.

tangor

6:26 am on Jan 4, 2020 (gmt 0)

There is an upside ... some Californians will be put on duty to harass ... er ... check the web for infractions. Thus a pay check is ensured!

mcneely

6:37 am on Jan 4, 2020 (gmt 0)

check the web for infractions.

.... by using the very same principle methods and tools they've actively tried to legislate against

*seems legit

graeme_p

10:45 am on Jan 5, 2020 (gmt 0)

Exceptions for small companies are a big improvement over GDPR.

Cralamarre

9:25 pm on Jan 5, 2020 (gmt 0)

I'm confused about the whole "sale of consumer PII" part. When AdSense displays personalized ads on my site based on a visitor's browsing history, is that considered "selling" their personal information?

Broadway

2:59 am on Jan 6, 2020 (gmt 0)

In regard to the criteria: "you buy/receive/sell PII on less than 50,000 consumers annually"

Phranque points out that a website might meet this with as little as 137 unique website visitors per day. (50,000 uniques/365 days)

I'm having trouble understanding what activities or mechanisms taking place on my website might result in my being put into the over 50,000 buying/receiving/selling PII category.

Related to visitor information on my website, my company/website does none of this. So there is zero overt "buying/receiving/selling PII" done at my end.

But as an Adsense publisher, is it possible that Adsense's or advertisers' activities that take place on my website via their ads that I display could put me above the "50,000 consumers' PII" annual limit?

Almost certainly, everyone who posts here is serving Adsense ads to over 137 unique visitors per day. (Which would suggest that essentially everyone would need to either choose the "restrict data" Adsense option, or else not restrict and show a button. No one could just ignore this law because no website really does that few uniques/day.)

I'm simply confused and unclear about what takes place through Adsense ads in terms of "buying/receiving/selling PII" and how that activity affects my status in the eyes of this law.

Thanks.

Cralamarre

3:38 am on Jan 6, 2020 (gmt 0)

It definitely seems odd that the criteria for having to comply with the CCPA is $25 million a year in revenue or 137 website visits a day. It's like saying "only the super rich, and also everyone else".

Kendo

4:26 am on Jan 6, 2020 (gmt 0)

Almost certainly, everyone who posts here is serving Adsense ads to over 137 unique visitors per day.

Not me. Found it was a waste of time... no revenue to get excited about and no favours in ranking. In fact it was Goofle that stopped monitoring because I was under their threshold for minimum usage. But I was getting more than 137 unique visitors per day.

So does the new California privacy thing only apply if you are serving paid ads?

JorgeV

10:13 am on Jan 6, 2020 (gmt 0)

Hello-

137 unique website visitors per day

"From California".
If you are not storing the IP of visitors, this is not considered "receiving" PII. (If you store IP, email, address, name, phone, etc., that is a different question of course.)

As for Adsense, since there is an option, I assume that you just check it, and you are fine. Otherwise, why would Adsense propose the option?

PS: now, if you really want to go that way... what if a Californian person is visiting NYC (or anywhere else) and accessing the Internet from there? (Same for Europeans and the GDPR :))

blend27

6:29 pm on Jan 6, 2020 (gmt 0)

--If you are not storing the IP of visitors--

LOGS, I store LOGS going back to 2003 on one site, never seen 137 unique visitors from CA though.

JorgeV

10:38 pm on Jan 6, 2020 (gmt 0)

LOGS, I store LOGS going back to 2003

I was doing the same; then, to conform with the GDPR, I "pseudonymized" all my logs, and since then I am no longer logging IPs. I do have a separate "temporary" logging to detect abuse, scrapers and so on, but these IPs are not kept for more than 24 hours, then they are deleted.

tangor

12:03 am on Jan 7, 2020 (gmt 0)

If you use IP deny in .htaccess does that count? Inquiring minds want to know.

iamlost

1:48 am on Jan 7, 2020 (gmt 0)

Hey tangor: RT(Fabulous)M :)

Note: GDPR (General Data Protection Regulation) comprises 99 Articles and 173 Recitals. The Recitals provide additional detail and insight into the Articles.

Recital 47 largely clarifies the weighing of interests to determine if consent is required:
The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.

As a matter of transparency one should disclose that, for example, IP address is collected and how used. However, for the purpose of this thread with IP collected in log files, referenced in i.e. .htaccess, iptables, etc., not otherwise stored, associated, shared/sold, visitor opt-in is NOT required.

Note: for a quick overview:
* Does an organisation need my consent? [ico.org.uk], ICO (Information Commissioner's Office, UK)

Note: a BS in gobbledygook is pretty much a requirement, a post graduate degree in bureaucratese is recommended.

fearlessrick

6:13 pm on Jan 11, 2020 (gmt 0)

This is all such globalist BS I have completely disregarded it. Let Google and California and the EU figure out that killing the internet is a good idea, then we'll move on from there.

The mendacity and stupidity of government and big corporations (the combination of which is the definition of fascism) never ceases to amaze me.

It makes me think there's a plan to destroy everything and it's being executed in real time on the internet. Sorry. I just can't buy into the madness.

RhinoFish

10:08 pm on Jan 11, 2020 (gmt 0)

The mendacity and stupidity of government

They made the Do Not Call list, to protect me, and my phone rings all day.
They passed many spam laws, and email is despised by many as a result; young people avoid using it.
They always tried to write complex laws that govern well-meaning people, and they do a real horrid job of pounding the actual law breakers into submission.

So I raise your mendacity, and add f e c k l e s s and i m p o t e n t, with a dash of Dunning-Kruger syndrome sprinkled on top.

iamlost

1:30 am on Jan 12, 2020 (gmt 0)

Regulation always coalesces out of some need. In the case of GDPR and ePrivacy (EU), CCPA (CA USA; my parochial self views CA by itself as Canada :)) that need is the growing push back response to widespread PII (mal)appropriation.

This in turn provides opportunity as well as aggravation; the aggravation in dealing with regulatory requirements, the opportunity in marketing one's compliance and trust stature.

I have had significant interest in my pages detailing how I handle visitors' PII and meet (exceed!) various jurisdictions' regulations.
Note: it’s not just EU and California, there are ~100 comprehensive data protection laws just in the independent jurisdictions my target audiences reside in.

Mindset: impediment or benefit.
Often what many/most view as a problem is a competitive advantage in disguise.

Note: Whether the need is actual or corrupt, the solution appropriate or not fit for purpose are whole other topics.