Google Analytics and CCPA
On January 1, 2020, California enacted a data privacy law that changes the way data is understood in the Golden State. Now, California residents have control over the personal information (PI) they generate online, and businesses must change their practices around the collection and selling of it.
So, what about your use of Google Analytics? What does the CCPA say there?
Well, the CCPA’s definition of personal information makes this clear: Google Analytics collects and shares personal information.
But why, you might ask. Isn’t data in Google Analytics anonymized?
Yes, but even though it doesn’t collect direct PI (such as names, emails and phone numbers), Google Analytics works in a way that can indeed make you liable under the California privacy law.
This has to do with the technical aspect and workings of Google Analytics, and with the specifics of the CCPA’s personal information definition.
Let’s dissect this in an easy to understand way.
Try Cookiebot CMP free for 14 days… or forever if you have a small website.
Reminder: what is CCPA?
California Consumer Privacy Act (CCPA) is the first comprehensive data protection law in the United States.
It regulates how businesses are allowed to handle the personal information (PI) of California residents (or “consumers”), who the law empowers with enforceable rights over their own data.
California residents have the –
- Right to be informed of how your website collects, sells and discloses their PI, what third parties you share it with and for what purposes.
- Right to see what data your website has collected on them in the past twelve months.
- Right to have data deleted that your website has already collected.
- Right to opt out of having their data sold to third parties.
- Right to equal services, meaning your website is not allowed to discriminate based on their choice of exercising their rights.
Most well-known is perhaps the requirement that websites must feature a Do Not Sell My Personal Information link on their website that consumers can use to stop the selling of their data.
CCPA – who needs compliance?
So, what if your website uses Google Analytics? Does that automatically make you liable for CCPA compliance?
First of all, you need to meet the definition of “business” in the law before you have to worry about CCPA compliance at all.
A business is defined in the CCPA as a company or organization that meets any of the following three thresholds:
- Annual gross revenue of $25 million or higher
- 50% of annual revenues from data sales
- Buys, sells or shares the personal information of at least 50.000 California residents
Second of all, the CCPA is not like the General Data Protection Regulation (GDPR).
The European data law is an opt-in law, i.e. it requires the explicit consent of users before websites are allowed to process their data.
The CCPA is an opt-out law, i.e. California residents have to actively opt out or request disclosure or deletion before any changes are required to be made to your website’s collection and processing scheme.
However – you do have to implement other changes to your website in order to be CCPA compliant.
So, if your website meets any of the three thresholds above, and your website uses Google Analytics, then keep on reading.
Is Google Analytics GDPR compliant?
How does Google Analytics work?
Google Analytics collects data on website traffic and aggregates it to inform website owners on who their users are and how they behave, e.g. where in the world they are located, on which sites they land, and for how long they stay.
You can think of GA as a map showing how users travel your websites and how they behave when there. It gives you insight into how many visitors your website has over time, details about their sessions and duration, and information on how your individual subpages perform.
ClientID, Google Analytics and CCPA
Technically, Google Analytics works through JavaScript tags that are inserted into your website’s source code, commonly operated through Google Tag Manager.
When a user lands on and interacts with your website, these tags will fire and set first-party cookies that contain what is known as a ClientID.
A ClientID is a sequence of numbers that Google Analytics will randomly assign to a device that a visitor is using to view your website, e.g. a computer or smartphone.
A ClientID typically looks something like this (marked in bold):
GA1.2-3.45648374.1950695483.
They are found at the end of the string of numbers located inside the Google Analytics cookies stored on your users’ browsers.
ClientIDs are how Google Analytics measure the each individual user and their behavior, and basically how it is able to aggregate and present any meaningful data about your website at all.
Some websites with Google Analytics will also be using a UserID, an even more direct identifier, able to refer to a single individual user in order to track them across devices, e.g. in regard to online advertisement.
UserIDs are stored in your own system, often tied to a user’s e-mail or other direct personal information. Should a user request disclosure or deletion of the PI you have collected through Google Analytics, CCPA requires you to find and delete the UserID from your system.
ClientIDs, on the other hand, are not stored in your system, but directly in the first-party cookies placed on the individual user’s browser.
Should a user request disclosure or deletion of their PI, a different approach is needed than if you use UserIDs. We will get into the details of how you respond to requests of disclosure and deletion further down.
But first, let’s be clear on why Google Analytics and the CCPA overlap.
Where Google Analytics and CCPA meet
Okay, so what’s the deal? How can you use Google Analytics on your website and be in compliance with the CCPA?
The CCPA and Google Analytics are not incompatible, but GA does work by assigning ClientIDs that the CCPA recognizes as “personal information”, or –
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”
This definition includes unique identifiers aka a persistent identifier like a ClientID that can be used to “recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services”.
So again, even though the data that Google Analytics collects is anonymized – i.e. contains no direct PI such as names or emails – a ClientID is recognized by the CCPA as a persistent identifier exactly because of its ability to recognize a device linked to a consumer or family over time and across platforms.
This is no great surprise, because that is basically the core function of a ClientID.
But it does mean that using Google Analytics on your website can make you liable under the CCPA.
How to use Google Analytics in CCPA compliance
Using Google Analytics is compatible with CCPA compliance, if you get the following things in order:
- Update your privacy policy
- Know how to respond to requests for disclosure
- Know how to respond to requests for deletion
- Implement a CMP for full CCPA compliance
1. Update your website’s privacy policy
As mentioned above, the CCPA empowers California residents with the right to be informed about what categories of personal information you collect, who you share it with and for what purposes, as well as notifying them of their rights to opt out, gain access to and request deletion of their collected data.
In other words, you must update your privacy policy to –
- Inform your users that your website uses Google Analytics in order to analyze its traffic and optimize its performance
- Explain that your Google Analytics setup places cookies on their device, including a ClientID that is recognized by the CCPA as a persistent identifier
- Disclose that you share this information with Google (a third party)
- Notify your users that they have the right to see the data you’ve collected through Google Analytics, the right to have the data deleted, and the right to opt out of third party selling.
Respond to requests for disclosure
If a user requests access to their personal information collected by your website through Google Analytics, here’s how you retrieve it –
- If your GA setup uses ClientIDs, ask the user to find the Google Analytics cookie in their browser (_ga) and to locate the number sequence, in which the ClientID is found. If they find several Google Analytics cookies with several ClientIDs, ask them to send all of them to you.
- Once you have their ClientIDs, you can use Google’s User Explorer Report to recover all data about the user that your website has collected from them through Google Analytics.
- If your GA setup uses UserIDs, this will be stored in your own GA system and you will likely need the user’s email to retrieve it. Once you have the UserID, use the same method as above.
Read more about ClientIDs and UserIDs in Google Analytics Help Center
3. Respond to requests for deletion
If a user requests deletion of whatever personal information you have collected on your website through Google Analytics, here’s how you delete it –
- If your GA setup uses ClientIDs, ask the user to find the Google Analytics cookie in their browser (_ga) and to locate the number sequence, in which the ClientID is found.
- Tell your user to delete all Google Analytics cookies from their browser.
- Use the ClientID in Google’s User Explorer Report to find all data that your website has collected through Google Analytics.
- Use the function Delete User to delete all collected data.
Visit Google’s User Deletion API to read more about deleting user data
4. Use a CMP for full CCPA compliance
Using Google Analytics in a CCPA compliant way is possible and quite easy to manage, as we’ve shown you above.
But the CCPA is about more than Google Analytics. It requires you to inform your users of all the other ways you might be collecting their personal information, and all other third parties you might be sharing it with.
Real compliance with the CCPA requires you to get the full picture of what is happening on your website – to know exactly how many cookies and trackers are present, what type of personal information they collect and to whom it is sent.
Cookiebot CMP for CCPA compliance
Cookiebot CMP is a consent management platform (CMP) that deep scans your entire website – not just the frontpage – to find all cookies and similar tracking technologies.
Cookiebot CMP then presents you with a complete scan report that gives you the big picture –
- what cookies are in operation on your website
- which third parties are present
- what type of personal information your website collects
- and for what purposes
Cookiebot CMP creates a detailed cookie declaration for you to implement on your website so that your end-users can be notified of all, as required by the CCPA– including the Do Not Sell My Personal Information link.
Cookiebot CMP is the leading consent management platform in the industry, enabling true compliance with both the California Consumer Privacy Act (CCPA), the European General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR).
Try Cookiebot CMP for free today… or forever if you have a small website.
Use Google Consent Mode to run your Google Analytics
On September 3, 2020, Google launched the Google Consent Mode that makes it possible for your website to run all its Google-services (such as Google Analytics, Gtag, Google Tag Manager, Google Ads and more) based on user consents and opt outs.
Cookiebot CMP fully supports the Google Consent Mode and makes CCPA compliance and digital advertisement a sustainable balance on your website.
If a user chooses to opt out of analtics cookies by clicking on the required Do Not Sell My Personal Information link, Cookiebot CMP will forward the opt out status to the Google Consent Mode, which will run your Google-services based on the user’s wishes, but making sure that you still get valuable insights into your website’s performance, such as –
- Timestamps
- User agents
- Referrers
- Other basic measurements for modelling
Try Cookiebot CMP for free with the Google Consent Mode for full GDPR compliance as well – a requirement if you have users from inside the EU.
Try Cookiebot CMP free for 14 days – or forever if you have a small website.
FAQ
Does Google Analytics set cookies on my website?
Yes. Google Analytics works through JavaScript tags that are inserted on your website and commonly operated through Google Tag Manager. When a user visits your website, these tags will fire and place cookies directly on the user’s browser. These cookies contain Client IDs that allow Google Analytics to track and measure each individual user.
Does Google Analytics collect personal information?
Yes. Google Analytics uses Client IDs to measure each individual user and their behavior in order to aggregate and present data about your website’s performance. Client IDs fall under the CCPA’s definition of personal information because they can be used to recognize a consumer over time and across different services. Use of Google Analytics will therefore mean that your website will collect and share personal information with third parties.
Is Google Analytics CCPA compliant?
Google Analytics is a tool for website analytics and optimization that collects and shares personal information from your website’s end-users, when you use it. To ensure that you use Google Analytics in a CCPA compliant way, you must update your website’s privacy policy and respond to requests for opt-outs, as well as access to and deletion of already collected personal information.
How can I control third-party cookies on my website?
Controlling third-party cookies can be very difficult, since they often load other trackers, many of whom change on repeated visits. Using a consent management platform (CMP) can help your website gain control and ensure its compliance with data privacy laws like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
Try Cookiebot free for 14 days for full cookie control and compliance.
Resources
California Consumer Privacy Act (CCPA)
CCPA compliance with Cookiebot
CCPA and website privacy policies