
Google Analytics and CCPA are not incompatible, but they need your attention.

Updated September 4, 2020.


Google Analytics is the most widely used analytics tool, implemented on close to thirty million websites worldwide. Chances are you already use it.

But is Google Analytics compliant with the California Consumer Privacy Act (CCPA)?

In this article, we look at the legal and technical intersection between Google Analytics and CCPA: what does the law demand from your website setup and how can you make sure you use Google Analytics in CCPA compliance?


Google Analytics and CCPA


On January 1, 2020, California enacted a data privacy law that changes the way data is understood in the Golden State. Now, California residents have control over the personal information (PI) they generate online, and businesses must change their practices around the collection and selling of it.

So, what about your use of Google Analytics? What does the CCPA say there?

Well, the CCPA's definition of personal information makes this clear: Google Analytics collects and shares personal information.

But why, you might ask. Isn’t data in Google Analytics anonymized?



CCPA and Google Analytics are not incompatible.



Yes, but even though it doesn’t collect direct PI (such as names, emails and phone numbers), Google Analytics works in a way that can indeed make you liable under the California privacy law.

This has to do with the technical aspect and workings of Google Analytics, and with the specifics of the CCPA’s personal information definition.

Let’s dissect this in an easy-to-understand way.

Try Cookiebot free for 30 days... or forever if you have a small website.


Reminder: what is CCPA?


The California Consumer Privacy Act (CCPA) is the first comprehensive data protection law in the United States.

It regulates how businesses are allowed to handle the personal information (PI) of California residents (or “consumers”), who the law empowers with enforceable rights over their own data.

California residents have the –

Most well-known is perhaps the requirement that websites must feature a Do Not Sell My Personal Information link on their website that consumers can use to stop the selling of their data.


CCPA - who needs compliance?

So, what if your website uses Google Analytics? Does that automatically make you liable for CCPA compliance?

First of all, you need to meet the definition of “business” in the law before you have to worry about CCPA compliance at all.



If you are a "business" under the CCPA, Google Analytics is a compliance liability.



A business is defined in the CCPA as a company or organization that meets any of the following three thresholds:

Second of all, the CCPA is not like the General Data Protection Regulation (GDPR).

The European data law is an opt-in law, i.e. it requires the explicit consent of users before websites are allowed to process their data.

The CCPA is an opt-out law, i.e. California residents have to actively opt out or request disclosure or deletion before any changes are required to be made to your website’s collection and processing scheme.

However - you do have to implement other changes to your website in order to be CCPA compliant.

So, if your website meets any of the three thresholds above, and your website uses Google Analytics, then keep on reading.


How does Google Analytics work?


Google Analytics collects data on website traffic and aggregates it to inform website owners on who their users are and how they behave, e.g. where in the world they are located, on which sites they land, and for how long they stay.

You can think of GA as a map showing how users travel your websites and how they behave when there. It gives you insight into how many visitors your website has over time, details about their sessions and duration, and information on how your individual subpages perform.


ClientID, Google Analytics and CCPA

Technically, Google Analytics works through JavaScript tags that are inserted into your website’s source code, commonly operated through Google Tag Manager.

When a user lands on and interacts with your website, these tags will fire and set first-party cookies that contain what is known as a ClientID.

A ClientID is a sequence of numbers that Google Analytics will randomly assign to a device that a visitor is using to view your website, e.g. a computer or smartphone.

A ClientID typically looks something like this (the ClientID is the final part of the value, 45648374.1950695483):

GA1.2-3.45648374.1950695483.


They are found at the end of the string of numbers located inside the Google Analytics cookies stored on your users’ browsers.


ClientIDs are how Google Analytics measures each individual user and their behavior, and basically how it is able to aggregate and present any meaningful data about your website at all.
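To make the cookie layout concrete, here is an added example (not code from Cookiebot or Google) that pulls the ClientID out of a cookie string, as you would need to when locating a user's identifier for a disclosure or deletion request. The cookie name `_ga` and the function names are assumptions of this example; the first sample value is the one shown above.

```javascript
// Added example. Sample cookie strings are constructed, not captured traffic.

// Split a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;                 // skip fragments without "="
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name || jar.has(name)) continue;    // keep the first occurrence
    try {
      jar.set(name, decodeURIComponent(raw));
    } catch {
      jar.set(name, raw);                    // malformed percent-encoding
    }
  }
  return jar;
}

// Return the ClientID from the _ga cookie, or null when absent or malformed.
// Only the exact name "_ga" is matched; similarly named cookies are ignored.
function extractClientId(cookieString) {
  const value = parseCookies(cookieString).get("_ga");
  if (!value) return null;
  const fields = value.split(".");
  // Expect a "GA<version>" prefix, one more field, then the two ClientID groups.
  if (fields.length < 4 || !/^GA\d+$/.test(fields[0])) return null;
  const [random, timestamp] = fields.slice(-2);
  if (!/^\d+$/.test(random) || !/^\d+$/.test(timestamp)) return null;
  return `${random}.${timestamp}`;
}

// Constructed inputs: a valid cookie, a jar without _ga, a malformed value.
const SAMPLES = [
  "_ga=GA1.2-3.45648374.1950695483; theme=dark",
  "theme=dark; _ga_ABC123=GS1.1.1600000000.1.0.1600000000.0",
  "_ga=not-a-ga-cookie",
];

function demo() {
  return SAMPLES.map(extractClientId);
}

console.log(demo());
```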

Some websites with Google Analytics will also be using a UserID, an even more direct identifier, able to refer to a single individual user in order to track them across devices, e.g. in regard to online advertisement.

UserIDs are stored in your own system, often tied to a user’s e-mail or other direct personal information. Should a user request disclosure or deletion of the PI you have collected through Google Analytics, CCPA requires you to find and delete the UserID from your system.


ClientIDs, on the other hand, are not stored in your system, but directly in the first-party cookies placed on the individual user’s browser.

Should a user request disclosure or deletion of their PI, a different approach is needed than if you use UserIDs. We will get into the details of how you respond to requests of disclosure and deletion further down.

But first, let’s be clear on why Google Analytics and the CCPA overlap.


Where Google Analytics and CCPA meet


Okay, so what’s the deal? How can you use Google Analytics on your website and be in compliance with the CCPA?

The CCPA and Google Analytics are not incompatible, but GA does work by assigning ClientIDs that the CCPA recognizes as “personal information”, or –

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”


This definition includes unique identifiers, also known as persistent identifiers, such as a ClientID, that can be used to “recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services”.



ClientIDs through Google Analytics are CCPA-defined personal information.



So again, even though the data that Google Analytics collects is anonymized – i.e. contains no direct PI such as names or emails – a ClientID is recognized by the CCPA as a persistent identifier exactly because of its ability to recognize a device linked to a consumer or family over time and across platforms.

This is no great surprise, because that is basically the core function of a ClientID.

But it does mean that using Google Analytics on your website can make you liable under the CCPA.


How to use Google Analytics in CCPA compliance


Using Google Analytics is compatible with CCPA compliance, if you get the following things in order:

  1. Update your privacy policy
  2. Know how to respond to requests for disclosure
  3. Know how to respond to requests for deletion
  4. Implement a CMP for full CCPA compliance


1. Update your website's privacy policy


As mentioned above, the CCPA empowers California residents with the right to be informed about what categories of personal information you collect, who you share it with and for what purposes, as well as notifying them of their rights to opt out, gain access to and request deletion of their collected data.

In other words, you must update your privacy policy to –

Visit Google Analytics Help Center to learn how to avoid sending PI to Google when collecting data through GA.


2. Respond to requests for disclosure


If a user requests access to their personal information collected by your website through Google Analytics, here’s how you retrieve it –

Read more about ClientIDs and UserIDs in Google Analytics Help Center


3. Respond to requests for deletion


If a user requests deletion of whatever personal information you have collected on your website through Google Analytics, here’s how you delete it –

Visit Google’s User Deletion API to read more about deleting user data


4. Use a CMP for full CCPA compliance


Using Google Analytics in a CCPA compliant way is possible and quite easy to manage, as we’ve shown you above.

But the CCPA is about more than Google Analytics. It requires you to inform your users of all the other ways you might be collecting their personal information, and all other third parties you might be sharing it with.

Real compliance with the CCPA requires you to get the full picture of what is happening on your website – to know exactly how many cookies and trackers are present, what type of personal information they collect and to whom it is sent.


Cookiebot for CCPA compliance

Cookiebot is a consent management platform (CMP) that deep scans your entire website – not just the frontpage – to find all cookies and similar tracking technologies.

Cookiebot then presents you with a complete scan report that gives you the big picture –

Cookiebot creates a detailed cookie declaration for you to implement on your website so that your end-users can be notified of all, as required by the CCPA, including the Do Not Sell My Personal Information link.



Cookiebot cookie declaration for CCPA compliance.



Cookiebot is the leading consent management platform in the industry, enabling true compliance with the California Consumer Privacy Act (CCPA), the European General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR).


Use Google Consent Mode to run your Google Analytics


On September 3, 2020, Google launched the Google Consent Mode that makes it possible for your website to run all its Google-services (such as Google Analytics, Gtag, Google Tag Manager, Google Ads and more) based on user consents and opt outs.

Cookiebot fully supports the Google Consent Mode and makes CCPA compliance and digital advertisement a sustainable balance on your website.

If a user chooses to opt out of analytics cookies by clicking on the required Do Not Sell My Personal Information link, Cookiebot will forward the opt out status to the Google Consent Mode, which will run your Google-services based on the user’s wishes, while making sure that you still get valuable insights into your website’s performance, such as –

Try Cookiebot for free with the Google Consent Mode for full GDPR compliance as well – a requirement if you have users from inside the EU.
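The opt-out forwarding described above, expressed as the Consent Mode commands a page would queue. This is an added example, not Cookiebot's or Google's code: the handler name, the granted default and the choice to deny `ad_storage` along with `analytics_storage` are assumptions, and the replay function is a simplified model of how later consent commands override earlier ones.

```javascript
// Added example. In a browser this array is window.dataLayer; a local one
// keeps the sketch runnable anywhere.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Assumption: an opt-out site starts with storage granted. This default must
// be queued before any Google tag reads consent.
function setDefaultConsent() {
  gtag("consent", "default", {
    ad_storage: "granted",
    analytics_storage: "granted",
  });
}

// Hypothetical handler wired to the "Do Not Sell My Personal Information"
// link. Denying ad_storage as well as analytics_storage is an assumption.
function onDoNotSell(optedOut) {
  const state = optedOut ? "denied" : "granted";
  gtag("consent", "update", { ad_storage: state, analytics_storage: state });
}

// Replay the queued consent commands in order to see the state the Google
// tags end up with (simplified: later commands override earlier ones).
function effectiveConsent(queue) {
  const state = {};
  for (const cmd of queue) {
    if (cmd[0] !== "consent") continue;
    if (cmd[1] !== "default" && cmd[1] !== "update") continue;
    Object.assign(state, cmd[2]);
  }
  return state;
}

setDefaultConsent();
onDoNotSell(true);
console.log(effectiveConsent(dataLayer));
```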


FAQ


Does Google Analytics set cookies on my website?

Yes. Google Analytics works through JavaScript tags that are inserted on your website and commonly operated through Google Tag Manager. When a user visits your website, these tags will fire and place cookies directly on the user’s browser. These cookies contain Client IDs that allow Google Analytics to track and measure each individual user.

Learn more about CCPA and cookies


Does Google Analytics collect personal information?

Yes. Google Analytics uses Client IDs to measure each individual user and their behavior in order to aggregate and present data about your website’s performance. Client IDs fall under the CCPA’s definition of personal information because they can be used to recognize a consumer over time and across different services. Use of Google Analytics will therefore mean that your website will collect and share personal information with third parties.

Learn more about CCPA and personal information


Is Google Analytics CCPA compliant?

Google Analytics is a tool for website analytics and optimization that collects and shares personal information from your website’s end-users, when you use it. To ensure that you use Google Analytics in a CCPA compliant way, you must update your website’s privacy policy and respond to requests for opt-outs, as well as access to and deletion of already collected personal information.

Learn more about CCPA compliance


How can I control third-party cookies on my website?

Controlling third-party cookies can be very difficult, since they often load other trackers, many of which change on repeated visits. Using a consent management platform (CMP) can help your website gain control and ensure its compliance with data privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

Try Cookiebot free for 30 days for full cookie control and compliance.


Resources


California Consumer Privacy Act (CCPA)

CCPA compliance with Cookiebot

CCPA and website privacy policies

CCPA and cookies

CCPA and personal information

Google Analytics Help Center

Google Analytics and cookies

Google Analytics and ClientIDs

Google’s User Deletion API

Google Analytics and GDPR compliance

New Google Consent Mode 
