CCPA Compliance for Facebook Ads (California)

Pix-Vu Team | 4 min read

Quick Answer

Under the California Consumer Privacy Act, every business that targets California residents through Facebook ads must (1) post a clear 'Do Not Sell or Share My Personal Information' link on the homepage and footer, (2) honour the Global Privacy Control (GPC) browser signal automatically, (3) flip Meta's Limited Data Use (LDU) setting on for any visitor who opts out, and (4) update its privacy policy to disclose that it shares data with Meta for cross-context behavioural advertising.

What the rule actually says

The CCPA, as amended by the California Privacy Rights Act, treats the act of sending a visitor's identifiers to Meta for retargeting as a 'sale' or 'share' of personal information, even if no money changes hands. That triggers the consumer's right to opt out under Cal. Civ. Code Section 1798.120.

The California Attorney General and the new California Privacy Protection Agency (CPPA) have made clear that:

  • The opt-out link must be in plain English and reachable in two clicks or fewer.
  • GPC must be treated as a valid opt-out signal at the browser level.
  • Service-provider exemptions do not apply to Meta's advertising products because Meta uses the data for its own purposes.
  • Sensitive personal information (precise geolocation, race, religion, health, sexual orientation, immigration status) needs an additional 'Limit the Use of My Sensitive Personal Information' link.

What is allowed and what is banned

Allowed: running Facebook ads to Californians, building Custom Audiences from your own customer list, and using Lookalike Audiences — provided the consumer has not opted out and you have honoured GPC.

Banned: continuing to share data with Meta after a consumer clicks the Do Not Sell link, ignoring GPC, charging consumers a fee for opting out, retaliating against opt-outs, or processing the personal information of minors under 16 for cross-context advertising without affirmative opt-in.

Step-by-step compliance setup

  1. Add a 'Do Not Sell or Share My Personal Information' link in your global footer and homepage hero.
  2. Add a separate 'Limit the Use of My Sensitive Personal Information' link if you collect any sensitive categories.
  3. Configure your CMP (OneTrust, Termly, Cookiebot, Osano) to detect the Sec-GPC: 1 header and treat it as an opt-out.
  4. Wire the opt-out state to Meta's Limited Data Use flag by passing data_processing_options: ['LDU'], data_processing_options_country: 1, data_processing_options_state: 1000 for California users.
  5. Update your privacy policy to list the categories of personal information shared, the business purposes, and the recipients (Meta Platforms, Inc.).
  6. Keep records of every opt-out request and verifiable consumer request for 24 months.
  7. Train any staff who handle requests on the 45-day response window.
  8. Audit Meta Custom Audiences quarterly to remove anyone who opted out.
  9. Sign Meta's California Addendum inside Business Manager.
  10. Run a third-party privacy audit annually if you process the data of more than 4 million Californians.
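As an added example (not Pix-Vu's code and not Meta's SDK), here is how steps 3 and 4 fit together in JavaScript: the GPC signal and the opt-out state are mapped to Meta's LDU parameters, applied to the browser pixel through Meta's documented fbq('dataProcessingOptions', ...) call before fbq('init', ...), and expressed with the Conversions API keys listed in step 4. The helper names, the headers object and the sample visitor are constructed for illustration; the country/state codes (1, 1000) are the California values from step 4, and the (0, 0) fallback is Meta's documented "let Meta determine the geography" mode.

```javascript
// Decide Meta Limited Data Use (LDU) options for one visitor.
// gpcSignal: navigator.globalPrivacyControl in the browser, or the Sec-GPC header value server-side.
// optedOut: true once the visitor has used the "Do Not Sell or Share" link.
// isCalifornia: whatever your geolocation/CMP says (constructed input here).
function lduOptions({ gpcSignal = false, optedOut = false, isCalifornia = false } = {}) {
  const gpc = gpcSignal === true || gpcSignal === '1' || gpcSignal === 1;
  if (!gpc && !optedOut) {
    return { dataProcessingOptions: [], country: 0, state: 0 }; // no opt-out: normal processing
  }
  if (isCalifornia) {
    return { dataProcessingOptions: ['LDU'], country: 1, state: 1000 }; // US (1), California (1000)
  }
  // Opted out but location unknown: pass LDU and let Meta geolocate (documented 0/0 mode).
  return { dataProcessingOptions: ['LDU'], country: 0, state: 0 };
}

// Server side: read GPC from a request's (lower-cased) headers object.
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return v === '1' || v === 1;
}

// Browser side: must run BEFORE fbq('init', ...) so the first PageView already carries LDU.
// fbqFn is injected so the logic can be tested without the pixel script loaded.
function applyToPixel(opts, fbqFn) {
  if (typeof fbqFn !== 'function') return false; // pixel not loaded (blocked, or not a browser)
  fbqFn('dataProcessingOptions', opts.dataProcessingOptions, opts.country, opts.state);
  return true;
}

// Conversions API: the same state expressed with the event-level keys from step 4.
function capiEventFields(opts) {
  return {
    data_processing_options: opts.dataProcessingOptions,
    data_processing_options_country: opts.country,
    data_processing_options_state: opts.state,
  };
}

// Constructed sample: a Californian visitor whose browser sends "Sec-GPC: 1".
const sampleHeaders = { 'sec-gpc': '1', 'user-agent': 'constructed-sample' };
const sampleOpts = lduOptions({ gpcSignal: gpcFromHeaders(sampleHeaders), isCalifornia: true });
// sampleOpts -> { dataProcessingOptions: ['LDU'], country: 1, state: 1000 }
const sampleCapi = capiEventFields(sampleOpts);
```

Keep the browser-side call in the same script tag that initialises the pixel; calling fbq('dataProcessingOptions') after fbq('init') leaves the first event unrestricted.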

Frequently asked questions

Does CCPA apply to me if I am not based in California?
Yes, if you do business in California and meet one of the thresholds: USD 25 million in annual revenue, processing the data of 100,000 or more Californian consumers/households, or deriving 50% of revenue from selling personal information.

Is the Meta Pixel a 'sale' under CCPA?
The CPPA's enforcement guidance treats the Pixel as a 'sharing' for cross-context behavioural advertising, which gives consumers an opt-out right.

Do I still need a cookie banner?
CCPA does not strictly require a banner, but you do need an opt-out mechanism. A banner that surfaces the Do Not Sell link is the cleanest solution and is what the AG recommends.

What is the fine for ignoring GPC?
Up to USD 7,500 per intentional violation and USD 2,500 per unintentional one. Sephora paid USD 1.2 million in 2022 specifically for ignoring GPC.

Can I keep using Lookalike Audiences?
Yes, as long as the seed list excludes anyone who has opted out and you have updated your privacy policy.

Real fine examples

  • Sephora — USD 1.2 million (California AG, 2022) for failing to disclose sales and ignoring GPC.
  • DoorDash — USD 375,000 (California AG, 2024) for sharing personal information with a marketing co-op without disclosure.
  • Tilting Point Media — USD 500,000 (California AG, 2024) for collecting children's data and sharing it with advertisers.
  • Honda — USD 632,500 (CPPA, 2025) for confusing opt-out flows and not honouring GPC.
  • A Bay Area fintech — USD 1.55 million (CPPA, 2025) for failing to flip Meta LDU after opt-outs.

How Pix-Vu helps

Pix-Vu lets California-based ad teams preview, A/B test and screenshot Facebook ad creatives in a sandbox that never sells, shares or transmits visitor data. Use it to QA campaigns, build creative libraries, and produce client-ready mockups without ever firing the Pixel on real Californian users. Start at https://pix-vu.com.
