Google Analytics and CCPA are not incompatible, but need your attention.

February 11, 2020.

Google Analytics is the most widely used analytics tool, implemented on close to thirty million websites worldwide. Chances are you already use it.

But is Google Analytics compliant with the California Consumer Privacy Act (CCPA)?

In this article, we look at the legal and technical intersection between Google Analytics and CCPA: what does the law demand from your website setup and how can you make sure you use Google Analytics in CCPA compliance?

Google Analytics and CCPA

On January 1, 2020, California enacted a data privacy law that changes the way data is understood in the Golden State. Now, California residents have control over the personal information (PI) they generate online, and businesses must change their practices around the collection and selling of it.

So, what about your use of Google Analytics? What does the CCPA say there?

Well, the CCPA's definition of personal information makes this clear: Google Analytics collects and shares personal information.

But why, you might ask. Isn’t data in Google Analytics anonymized?

Yes, but even though it doesn’t collect direct PI (such as names, emails and phone numbers), Google Analytics works in a way that can indeed make you liable under the California privacy law.

This has to do with the technical aspect and workings of Google Analytics, and with the specifics of the CCPA’s personal information definition.

Let’s dissect this in an easy-to-understand way.

Reminder: what is CCPA?

The California Consumer Privacy Act (CCPA) is the first comprehensive data protection law in the United States.

It regulates how businesses are allowed to handle the personal information (PI) of California residents (or “consumers”), who the law empowers with enforceable rights over their own data.

California residents have the –

Most well-known is perhaps the requirement that websites must feature a Do Not Sell My Personal Information link that consumers can use to stop the selling of their data.

CCPA - who needs compliance?

So, what if your website uses Google Analytics? Does that automatically make you liable for CCPA compliance?

First of all, you need to meet the definition of “business” in the law before you have to worry about CCPA compliance at all.

A business is defined in the CCPA as a company or organization that meets any of the following three thresholds:

Second of all, the CCPA is not like the General Data Protection Regulation (GDPR).

The European data law is an opt-in law, i.e. it requires the explicit consent of users before websites are allowed to process their data.

The CCPA is an opt-out law, i.e. California residents have to actively opt out or request disclosure or deletion before any changes are required to be made to your website’s collection and processing scheme.

However, you do have to implement other changes to your website in order to be CCPA compliant.

So, if your website meets any of the three thresholds above, and your website uses Google Analytics, then keep on reading.

How does Google Analytics work?

Google Analytics collects data on website traffic and aggregates it to inform website owners on who their users are and how they behave, e.g. where in the world they are located, on which sites they land, and for how long they stay.

You can think of GA as a map showing how users travel your websites and how they behave when there. It gives you insight into how many visitors your website has over time, details about their sessions and duration, and information on how your individual subpages perform.

ClientID, Google Analytics and CCPA

Technically, Google Analytics works through JavaScript tags that are inserted into your website’s source code, commonly operated through Google Tag Manager.

When a user lands on and interacts with your website, these tags will fire and set first-party cookies that contain what is known as a ClientID.

A ClientID is a sequence of numbers that Google Analytics will randomly assign to a device that a visitor is using to view your website, e.g. a computer or smartphone.

A ClientID typically looks something like this (marked in bold):


They are found at the end of the string of numbers located inside the Google Analytics cookies stored on your users’ browsers.

ClientIDs are how Google Analytics measures each individual user and their behavior, and essentially how it is able to aggregate and present any meaningful data about your website at all.

Some websites with Google Analytics will also be using a UserID, an even more direct identifier, able to refer to a single individual user in order to track them across devices, e.g. in regard to online advertisement.

UserIDs are stored in your own system, often tied to a user’s e-mail or other direct personal information. Should a user request disclosure or deletion of the PI you have collected through Google Analytics, CCPA requires you to find and delete the UserID from your system.

ClientIDs, on the other hand, are not stored in your system, but directly in the first-party cookies placed on the individual user’s browser.

Should a user request disclosure or deletion of their PI, a different approach is needed than if you use UserIDs. We will get into the details of how you respond to requests of disclosure and deletion further down.
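
Added example, not part of the original article: reading the ClientID out of a request's Cookie header, which is where the identifier behind a disclosure or deletion request has to come from when it is not stored in your own system. It assumes the Universal Analytics `_ga` cookie layout `GA1.<domain depth>.<random number>.<first-visit timestamp>`; the function names and the sample header are constructed for illustration.

```javascript
// Added example (not from the article). Assumed Universal Analytics `_ga`
// cookie layout: GA1.<domain depth>.<random number>.<first-visit unix time>
// The ClientID is the last two dot-separated fields.

// Split a Cookie request header into name -> value pairs.
function parseCookieHeader(header) {
  const cookies = new Map();
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue; // fragment without name=value
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !cookies.has(name)) cookies.set(name, value); // first one wins
  }
  return cookies;
}

// Return { clientId, firstSeen } or null. The cookie is client-controlled,
// so the value is validated strictly before it is used in any lookup.
function extractClientId(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader).get("_ga");
  if (!raw) return null;
  const m = /^GA1\.\d{1,2}\.(\d{1,12})\.(\d{1,12})$/.exec(raw);
  if (!m) return null; // malformed or tampered value
  const [, random, firstVisit] = m;
  return {
    clientId: `${random}.${firstVisit}`,
    firstSeen: new Date(Number(firstVisit) * 1000).toISOString(),
  };
}

// Constructed sample header, not captured from a real visitor.
const SAMPLE_HEADER =
  "session=abc123; _ga=GA1.2.1234567890.1581379200; _gid=GA1.2.111.222";

console.log(extractClientId(SAMPLE_HEADER));
```

Because the value arrives from the browser, anything that fails the format check is rejected rather than passed on to a lookup or deletion call.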

But first, let’s be clear on why Google Analytics and the CCPA overlap.

Where Google Analytics and CCPA meet

Okay, so what’s the deal? How can you use Google Analytics on your website and be in compliance with the CCPA?

The CCPA and Google Analytics are not incompatible, but GA does work by assigning ClientIDs that the CCPA recognizes as “personal information”, or –

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”

This definition includes unique identifiers, i.e. persistent identifiers such as a ClientID, that can be used to “recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services”.

So again, even though the data that Google Analytics collects is anonymized – i.e. contains no direct PI such as names or emails – a ClientID is recognized by the CCPA as a persistent identifier exactly because of its ability to recognize a device linked to a consumer or family over time and across platforms.

This is no great surprise, because that is basically the core function of a ClientID.

But it does mean that using Google Analytics on your website can make you liable under the CCPA.

How to use Google Analytics in CCPA compliance

Using Google Analytics is compatible with CCPA compliance, if you get the following things in order:

  1. Update your privacy policy
  2. Know how to respond to requests for disclosure
  3. Know how to respond to requests for deletion
  4. Implement a CMP for full CCPA compliance

1. Update your website's privacy policy

As mentioned above, the CCPA empowers California residents with the right to be informed about what categories of personal information you collect, who you share it with and for what purposes, as well as notifying them of their rights to opt out, gain access to and request deletion of their collected data.

In other words, you must update your privacy policy to –

Visit Google Analytics Help Center to learn how to avoid sending PI to Google when collecting data through GA.

2. Respond to requests for disclosure

If a user requests access to their personal information collected by your website through Google Analytics, here’s how you retrieve it –

Read more about ClientIDs and UserIDs in Google Analytics Help Center

3. Respond to requests for deletion

If a user requests deletion of whatever personal information you have collected on your website through Google Analytics, here’s how you delete it –

Visit Google’s User Deletion API to read more about deleting user data

4. Use a CMP for full CCPA compliance

Using Google Analytics in a CCPA compliant way is possible and quite easy to manage, as we’ve shown you above.

But the CCPA is about more than Google Analytics. It requires you to inform your users of all the other ways you might be collecting their personal information, and all other third parties you might be sharing it with.

Real compliance with the CCPA requires you to get the full picture of what is happening on your website – to know exactly how many cookies and trackers are present, what type of personal information they collect and to whom it is sent.

Cookiebot for CCPA compliance

Cookiebot is a consent management platform (CMP) that deep scans your entire website – not just the frontpage – to find all cookies and similar tracking technologies.

Cookiebot then presents you with a complete scan report that gives you the big picture –

Cookiebot creates a detailed cookie declaration for you to implement on your website so that your end-users can be notified of all of this, as required by the CCPA – including the Do Not Sell My Personal Information link.

Cookiebot is the leading consent management platform in the industry, enabling true compliance with the California Consumer Privacy Act (CCPA), the European General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR).

Try Cookiebot for free today.

