CPRA Compliance for Facebook Ads

Pix-Vu Team | 4 min read

Quick Answer

The California Privacy Rights Act (CPRA), in force since January 2023 and enforced by the California Privacy Protection Agency (CPPA) since its enforcement authority began on 1 July 2023, builds on CCPA by adding a Sensitive Personal Information category, a 'right to correct', a 'right to limit', and regulations covering cybersecurity audits, risk assessments and automated decision-making technology. For Facebook advertisers this means a second opt-out link, Meta's Limited Data Use (LDU) flag applied to both the Pixel and the Conversions API for opted-out Californians, contractual terms with Meta that prohibit secondary use, and a documented risk assessment whenever personal information is shared for behavioural advertising.

What the rule actually says

CPRA created the CPPA, a dedicated regulator with rule-making and enforcement powers. Its regulations (the first set in effect since March 2023, with the cybersecurity-audit, risk-assessment and automated-decision-making rules finalized in 2025) and its enforcement actions have clarified that:

  • 'Sharing' personal information for cross-context behavioural advertising (which covers data collected through the Meta Pixel and the Conversions API) is a regulated activity even when no money changes hands.
  • Sensitive Personal Information (SPI) — including precise geolocation, financial account numbers with access credentials, health information, sexual orientation and racial or ethnic origin — requires a separate 'Limit the Use of My Sensitive Personal Information' link whenever SPI is used or disclosed beyond the narrow purposes the regulations exempt; cross-context advertising is not one of those purposes.
  • Contracts with Meta must identify the limited purposes, prohibit Meta from combining the data with personal information from other sources or using it for its own purposes, require Meta to notify you if it can no longer comply, and grant you the right to take reasonable steps (including audits) to confirm compliance. Meta's Limited Data Use terms are what Meta offers to meet the service-provider standard.
  • Businesses whose processing presents significant risk, which includes selling or sharing personal information for behavioural advertising and processing SPI, must conduct and document risk assessments; larger businesses (those above the regulations' revenue and volume thresholds, or deriving half their revenue from selling or sharing) must also undergo annual cybersecurity audits. The trigger for a risk assessment is the nature of the processing, not a headcount of consumers.
  • The mandatory 30-day cure period was eliminated from January 2023, so violations are immediately actionable.

What is allowed and what is banned

Allowed: behavioural ad targeting of Californians who have not opted out, including retargeting, lookalike modelling and CRM uploads, all conditional on a CPRA-compliant contract with Meta and an opt-out chain that is honoured end to end (site, Pixel, Conversions API and Custom Audiences).

Banned: using or sharing SPI without offering the limit option, selling or sharing the personal information of consumers under 16 without opt-in consent, ignoring GPC, denying corrections to Californians, using deceptive design ('dark patterns') in opt-out flows, and continuing to retarget consumers after they opt out.

Step-by-step compliance setup

  1. Map every Facebook event you fire and tag which categories are personal information vs SPI.
  2. Add both the 'Do Not Sell or Share' and 'Limit the Use of My Sensitive Personal Information' links in your footer.
  3. Implement a consent-management platform (CMP) that treats the browser's Global Privacy Control signal (navigator.globalPrivacyControl, or the Sec-GPC: 1 request header) as a valid opt-out, and that sets Meta's Limited Data Use (LDU) data-processing option on the Pixel and on every Conversions API event for opted-out Californians.
  4. Sign Meta's California Service Provider Addendum and keep the executed copy with your risk-assessment records.
  5. Run a written risk assessment before any campaign that shares personal information for cross-context behavioural advertising or uses SPI; the trigger is the nature of the processing, not an audience-size threshold.
  6. Update your privacy policy to list the categories of SPI, the purposes, the retention period and the recipients.
  7. Build a verifiable consumer request portal supporting access, deletion, correction and opt-out.
  8. Scrub your Meta Custom Audiences against your opt-out list after every verified request, and in any case within the 15-business-day deadline for honouring an opt-out; a monthly batch is too slow. Opted-out identifiers must be removed from audiences you have already uploaded, not only excluded from future uploads.
  9. Document automated decision-making logic if Meta's algorithm makes ad-eligibility decisions affecting employment, housing or credit.
  10. Train staff and rotate access to your Business Manager.

Frequently asked questions

What is the difference between CCPA and CPRA?
CPRA is an amendment to CCPA. It adds the SPI category, the right to correct, the right to limit, and creates the CPPA as the enforcement agency.

Is health data from a fitness ad considered SPI?
If the data reveals a health condition or precise health status, yes. Generic 'interested in fitness' interest data usually is not.

Does CPRA require opt-in for any ads?
For consumers under 16 you need opt-in consent before selling or sharing their personal information: the minor's own affirmative consent at ages 13 to 15, and a parent's or guardian's consent below 13. For adults the standard is opt-out.

Can the CPPA fine me directly?
Yes. It does not need to go through the AG and can impose administrative fines of up to USD 2,500 per violation and up to USD 7,500 per intentional violation or per violation involving a consumer under 16; the statutory amounts are adjusted for inflation.

How does CPRA treat the Meta Conversions API?
The same as the Pixel: moving the data transfer server-side does not change the legal analysis, because the Conversions API still shares personal information with Meta for cross-context behavioural advertising. You still need the contract, an opt-out mechanism that reaches the server-side events (including the LDU flag), and a privacy disclosure.

Real fine examples

  • Honda — USD 632,500 (CPPA, 2025) for unclear opt-out flows.
  • Healthline Media — USD 1.55 million (CA AG, 2025) for sharing health-related data (article titles that could reveal a diagnosis) with advertisers.
  • Tilting Point Media — USD 500,000 (CA AG, 2024) for processing children's data without opt-in.
  • A national retail chain — USD 3.2 million (CPPA, 2025) for failing to honour GPC across mobile properties.
  • DoorDash — USD 375,000 (CA AG, 2024) for marketing co-op data sharing without disclosure.

How Pix-Vu helps

Pix-Vu gives California marketing teams a way to design and review Facebook ad creatives in a fully sandboxed environment — no Pixel, no SPI capture, no risk of unintentional sharing. Pix-Vu's preview-only architecture is built for jurisdictions with strict consumer rights laws and is used by US agencies serving California clients. Try it at https://pix-vu.com.

Ready to automate your Facebook ads?

Let AI handle your ad creative, targeting, and optimization. Launch profitable campaigns on autopilot.

Get Started Free