February 11, 2020.
Google Analytics is the most widely used analytics tool, implemented on close to thirty million websites worldwide. Chances are you already use it.
But is Google Analytics compliant with the California Consumer Privacy Act (CCPA)?
In this article, we look at the legal and technical intersection between Google Analytics and the CCPA: what does the law demand from your website setup, and how can you make sure your use of Google Analytics is CCPA compliant?
On January 1, 2020, California enacted a data privacy law that changes the way data is understood in the Golden State. Now, California residents have control over the personal information (PI) they generate online, and businesses must change their practices around the collection and selling of it.
So, what about your use of Google Analytics? What does the CCPA say there?
Well, the CCPA's definition of personal information makes this clear: Google Analytics collects and shares personal information.
But why, you might ask. Isn’t data in Google Analytics anonymized?
CCPA and Google Analytics are not incompatible.
Yes, but even though it doesn’t collect direct PI (such as names, emails and phone numbers), Google Analytics works in a way that can indeed make you liable under the California privacy law.
This has to do with the technical aspect and workings of Google Analytics, and with the specifics of the CCPA’s personal information definition.
Let’s dissect this in an easy-to-understand way.
The California Consumer Privacy Act (CCPA) is the first comprehensive data protection law in the United States.
It regulates how businesses are allowed to handle the personal information (PI) of California residents (or “consumers”), who the law empowers with enforceable rights over their own data.
California residents have the –
Most well-known is perhaps the requirement that websites must feature a Do Not Sell My Personal Information link that consumers can use to stop the selling of their data.
So, what if your website uses Google Analytics? Does that automatically make you liable for CCPA compliance?
First of all, you need to meet the definition of “business” in the law before you have to worry about CCPA compliance at all.
If you are a "business" under the CCPA, Google Analytics is a compliance liability.
A business is defined in the CCPA as a company or organization that meets any of the following three thresholds:
Second of all, the CCPA is not like the General Data Protection Regulation (GDPR).
The European data law is an opt-in law, i.e. it requires the explicit consent of users before websites are allowed to process their data.
The CCPA is an opt-out law, i.e. California residents have to actively opt out or request disclosure or deletion before any changes are required to be made to your website’s collection and processing scheme.
However, you do have to implement other changes to your website in order to be CCPA compliant.
So, if your website meets any of the three thresholds above, and your website uses Google Analytics, then keep on reading.
Google Analytics collects data on website traffic and aggregates it to inform website owners on who their users are and how they behave, e.g. where in the world they are located, on which sites they land, and for how long they stay.
You can think of GA as a map showing how users travel through your website and how they behave while there. It gives you insight into how many visitors your website has over time, details about their sessions and their duration, and information on how your individual subpages perform.
When a user lands on and interacts with your website, the Google Analytics tracking tags will fire and set first-party cookies that contain what is known as a ClientID.
A ClientID is a sequence of numbers that Google Analytics will randomly assign to a device that a visitor is using to view your website, e.g. a computer or smartphone.
A ClientID typically looks something like this (marked in bold):
They are found at the end of the string of numbers located inside the Google Analytics cookies stored on your users’ browsers.
ClientIDs are how Google Analytics measures each individual user and their behavior, and basically how it is able to aggregate and present any meaningful data about your website at all.
Some websites with Google Analytics will also be using a UserID, an even more direct identifier, able to refer to a single individual user in order to track them across devices, e.g. in regard to online advertisement.
UserIDs are stored in your own system, often tied to a user’s e-mail or other direct personal information. Should a user request disclosure or deletion of the PI you have collected through Google Analytics, CCPA requires you to find and delete the UserID from your system.
ClientIDs, on the other hand, are not stored in your system, but directly in the first-party cookies placed on the individual user’s browser.
Should a user request disclosure or deletion of their PI, a different approach is needed than if you use UserIDs. We will get into the details of how you respond to requests of disclosure and deletion further down.
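The ClientID described above lives in the first-party `_ga` cookie on the visitor's browser, so a disclosure request means reading that cookie and a deletion request means clearing it on the device. The following is an added example, not code from the article or from Cookiebot; it assumes the standard `_ga` value layout `GA1.<depth>.<random>.<first-visit-timestamp>` used by analytics.js and gtag.js, where the trailing two fields are the ClientID, and it uses a constructed cookie string in place of a real `document.cookie`.

```javascript
// Added example (not from the article or Cookiebot). Extracts the Google
// Analytics ClientID from the first-party "_ga" cookie and builds the header
// that expires that cookie. Assumption: "_ga" has the standard layout
// "GA1.<depth>.<random>.<first-visit-timestamp>"; the last two fields are the
// ClientID, which stays the same on that device across sessions.

function parseCookies(cookieString) {
  // Turn "a=1; b=2" into { a: "1", b: "2" }; malformed pairs are skipped.
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = value;
  }
  return jar;
}

function extractClientId(gaCookieValue) {
  // "GA1.2.1234567890.1612345678" -> "1234567890.1612345678".
  // Returns null when the value is missing or not in the expected shape.
  if (typeof gaCookieValue !== "string") return null;
  const fields = gaCookieValue.split(".");
  if (fields.length < 4 || fields[0] !== "GA1") return null;
  const clientId = fields.slice(-2).join(".");
  return /^\d+\.\d+$/.test(clientId) ? clientId : null;
}

function gaClientIdFromCookies(cookieString) {
  // What you would report back to a visitor who asks which persistent
  // identifier Google Analytics has assigned to their device.
  return extractClientId(parseCookies(cookieString)["_ga"]);
}

function expireCookieHeader(name, domain) {
  // Set-Cookie value that removes the cookie from the browser. Clearing "_ga"
  // breaks the link between this device and its ClientID going forward; it
  // does not remove hits already sent to Google Analytics.
  return `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=${domain}; SameSite=Lax`;
}

// Constructed sample of what document.cookie might hold on a site running GA.
const SAMPLE_COOKIES =
  "_ga=GA1.2.1234567890.1612345678; _gid=GA1.2.987654321.1612345678; theme=dark";

// Expected on the constructed sample: "1234567890.1612345678"
console.log(gaClientIdFromCookies(SAMPLE_COOKIES));
console.log(expireCookieHeader("_ga", ".example.com"));
```

In a browser the cookie string comes from `document.cookie`; the same parsing works server-side on the `Cookie` request header, which is where a deletion request is usually honoured by sending the expiring `Set-Cookie` header for the site's own domain.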
But first, let’s be clear on why Google Analytics and the CCPA overlap.
Okay, so what’s the deal? How can you use Google Analytics on your website and be in compliance with the CCPA?
The CCPA and Google Analytics are not incompatible, but GA does work by assigning ClientIDs that the CCPA recognizes as “personal information”, or –
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”
This definition includes unique identifiers, a.k.a. persistent identifiers, such as a ClientID that can be used to “recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services”.
ClientIDs through Google Analytics are CCPA-defined personal information.
So again, even though the data that Google Analytics collects is anonymized – i.e. contains no direct PI such as names or emails – a ClientID is recognized by the CCPA as a persistent identifier exactly because of its ability to recognize a device linked to a consumer or family over time and across platforms.
This is no great surprise, because that is basically the core function of a ClientID.
But it does mean that using Google Analytics on your website can make you liable under the CCPA.
Using Google Analytics is compatible with CCPA compliance, if you get the following things in order:
As mentioned above, the CCPA empowers California residents with the right to be informed about what categories of personal information you collect, who you share it with and for what purposes, as well as notifying them of their rights to opt out, gain access to and request deletion of their collected data.
If a user requests access to their personal information collected by your website through Google Analytics, here’s how you retrieve it –
If a user requests deletion of whatever personal information you have collected on your website through Google Analytics, here’s how you delete it –
Using Google Analytics in a CCPA compliant way is possible and quite easy to manage, as we’ve shown you above.
But the CCPA is about more than Google Analytics. It requires you to inform your users of all the other ways you might be collecting their personal information, and all other third parties you might be sharing it with.
Real compliance with the CCPA requires you to get the full picture of what is happening on your website – to know exactly how many cookies and trackers are present, what type of personal information they collect and to whom it is sent.
Cookiebot is a consent management platform (CMP) that deep scans your entire website – not just the frontpage – to find all cookies and similar tracking technologies.
Cookiebot then presents you with a complete scan report that gives you the big picture –
Cookiebot creates a detailed cookie declaration for you to implement on your website so that your end-users can be notified of all of them, as required by the CCPA, including the Do Not Sell My Personal Information link.
Cookiebot cookie declaration for CCPA compliance.
Cookiebot is the leading consent management platform in the industry, enabling true compliance with both the California Consumer Privacy Act (CCPA), the European General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR).