How to make Google Analytics CCPA Compliant

If your website uses Google Analytics, you need to brace yourselves for stricter compliance with privacy laws like the California Consumer Privacy Act (CCPA). Google Analytics is the most popular analytics tool used by businesses to track a website’s performance and use the data to improve website navigation and user experience. Since it collects data from a sites’ visitors, website owners and publishers need to ensure that their use of Google Analytics is compliant with the CCPA.  

This article will guide you through the steps you need to take to stay compliant with CCPA while using Google Analytics. 

California Consumer Privacy Act (CCPA) is a data privacy regulation passed by the state of California in the United States (US) and came into effect on January 1, 2020. Similar to the European Union’s GDPR, the CCPA set out rules and regulations about how businesses can manage consumer data. CCPA requires businesses to be transparent on how they collect, share and use the personal information of consumers. 

CCPA applies to any for-profit entity that:

• Do business in the State of California or
• Collects personal information of California residents and determine the purpose and means of processing it and 
• Meets at least one of the following criteria:
  • Has an annual gross revenue of more than $25 million
  • Buys, receives, or sells the personal information of 50,000 or more California residents, households or devices or
  • Gets 50% or more of their annual revenue from selling California residents’ personal information

This means CCPA can apply to businesses that are located outside of California or outside of the US, as long as they collect data from California residents and meet one of the 3 additional criteria.  

Google Analytics (GA) collects data from a website’s visitors and uses it to curate reports that can be used to analyse user behaviour. GA collects personal data such as online identifiers, including cookies, internet protocol (IP) addresses, device identifiers and client identifiers.

Google Analytics stores cookies on a website visitor’s browser and uses “cookies to identify unique users across browsing sessions”.  When a user visits your website, Google Analytics will drop a cookie that stores your ClientID (cid). This Client ID is used to identify you, the user and to recognize your unique combination of browser and device.  Similarly, GA uses UserID (uid) to help websites to associate a single user with sessions across multiple devices. 

Google Analytics uses cookies to remember a visitor’s previous interactions on a website and also to determine unique users. Some of the cookies used by Google Analytics include:

• _gid, used to distinguish users for 24 hours
• _ga used to distinguish users on your domain lasts for 2 years
• _gat used to limit the number of user requests lasts 1 minute
• AMP_TOKEN used to assign a unique ID to each user on your domain, lasts for 30s to 1 year

The CCPA considers unique online identifiers, cookies and IP addresses as personally identifiable information (PII). Therefore, Google Analytics comes under the purview of the regulation. Also, note that Google uses data collected from Google Analytics to improve its products services on Google and its partner sites. Therefore, it is important that you adhere to CCPA-compliant data collection practices. 

01 Update your privacy policy

The most important step that you need to do is to update your privacy policy. You should inform users what information your website collects and its purposes, clearly in your policy. With regards to Google Analytics, your privacy policy should include information about:

• How you use Google Analytics on your website i.e. GA features (like Client ID, Google Analytics Advertising features, User ID tracking etc.) that you have implemented on your site. 
• The list of GA cookies used by your website (like Google Analytics Client ID, DoubleClick cookies etc.)
• Steps to opt-out of data collection by Google Analytics, ​Google Tag Manager and how to disable Analytics cookies.

02 Review your Google Analytics for PII

Review all the data from your website that is accessed by GA to ensure that no Personally Identifiable Information (PII) is collected. A common cause of PII collection is when the URLs contain a query string with parameters that capture personal data. For example: www.website.com/page?name=john&email=john@gmail.com

If you have enabled form tracking on GA, ensure that it does not contain PII. There are a few built-in ways GA allows you to exclude parameters. In your Google Analytics account, you can use the ‘Exclude URL Query Parameters, feature. Enter each parameter, separated by a comma (name, email etc).

Admin > View > View Settings > Exclude URL Query Parameters

• You can also filter out parameters using the Search & Replace option from: Admin > View > Filters > Search & Replace
• Check for PII within Events, Campaign Parameters, Custom Dimensions and eCommerce Affiliations and consult the best practices to avoid PII in Google Analytics. 
• Note that filters do not delete the PII data. Hence, the suggested method is to rectify the issue at source or the code level and prevent any data from being sent to Google Analytics.

03 Enable IP anonymization

Google Analytics uses IP addresses to determine the geolocation of a visitor i.e. continent, country and city. To prevent the collection of IP addresses, you can anonymise your website users’ IP addresses. 

Note: IP anonymization is always enabled for GA4 properties. Anonymization does not have noticeable effects on accuracy at the continent or country level, however, might impact data at the city level. 

IP Anonymisation can be enabled in the ways shown below. For step-by-step instruction, check out IP Anonymization for Google Analytics.

• For tracking code deployed within your pages:
  • For analytics.js
    ga(‘set’, ‘anonymizeIp’, true);
  • For gtag.js
    gtag(‘config’, ‘<GA_TRACKING_ID>’, { ‘anonymize_ip’: true });
• For tracking code deployed via Google Tag Manager (GTM), set aip within your GTM tag.
• If you are using the Measurement Protocol, add to the URL aip=1

Note: To test that you’ve implemented IP anonymization in Google Analytics effectively, go to your website, head to Google Developer Console > Network. Then reload your web page. In the search text box, enter collect. Then, click on the listing which includes www.google-analytics.com and check if you can find the IP anonymization parameter (aip=1).

04 Disable data sharing

Google Analytics uses a feature called Restricted Data Processing by default. This feature allows Google products to comply with data privacy regulations like CCPA and GDPR. You can implement a few additional steps on your Google Analytics account. 

To limit data sharing, go to: 

Admin > Account Settings > Data Sharing Settings and uncheck the features

• To disable data sharing for advertising purposes, go to:

Admin > Property > Tracking Info > Data Collection > Turn off Remarketing and Advertising Reporting Features

• Review GA’s Data Processing Agreement in the Account Settings and accept the terms.

Admin > Account Settings > Data Processing Amendment

05 Add a cookie consent banner on your website 

You’ve seen how CCPA impacts the use of cookies and that Google Analytics sets cookies. Hence, another best practice you can follow on your website is to implement a cookie consent banner. Similarly, if your website uses cookies, especially third-party cookies that may fall under CCPA’s definition of “sale”, you can display a cookie banner and obtain consent from your site’s visitors.

CookieYes is the #1 cookie consent solution in the world that powers over 1.2 million websites worldwide. With CookieYes, you can display a CCPA-specific ‘do not sell’ banner on your website. Not just CCPA, but you can comply with multiple privacy regulations like the GDPR (Europe) and LGPD (Brazil) with the CookieYes banner. 

After you implement a CookieYes cookie banner, you can manage how the tags and triggers are activated including the Google Analytics tag. You can fine-tune your settings so that cookies are triggered only when users have given consent. CookieYes will also auto-block third-party scripts from deploying cookies on a user’s browser.

06 Provide access to data on request

CCPA provides consumers with the right to access and delete their data, collected by businesses. These are usually referred to as Data Subject Access Requests. To give users access to the data collected by Google Analytics, head to your GA Account

• Audience > User Explorer > Export the data associated with Client ID or User ID

• You can also ​​use the User Activity API and submit a request to the API with the Client ID or User ID.

For requests on data to be deleted, head to 

• Audience > User Explorer > Client ID and select ‘Delete user’ from the bottom left panel
• You can also use Google’s User Deletion API and submit a request to delete the ClientID/UserID or delete any data Google has on them.

While following the steps above, you can steer clear of sharing your visitor’s personally identifiable information (PII) that would potentially put you at risk of non-compliance. You can also implement the above steps to make your account compliant with GDPR. Check out the guide on Google Analytics and GDPR.

Is Google Analytics CCPA compliant?

Google Analytics by default is not CCPA compliant. While Google has incorporated privacy controls and features like Restricted data processing to make the platform CCPA-friendly, your use of Google Analytics may still not be compliant. Therefore, you have to implement the additional steps to set up your use of Google Analytics to be completely CCPA compliant.

How do I make Google Analytics CCPA compliant?

To make your use of Google Analytics CCPA compliant, implement the following steps:

• Update your privacy policy
• Review personal data collected by your Google Analytics 
• Enable IP anonymization
• Turn off data sharing
• Display a cookie banner on your site
• Honour data access/deletion requests from users

Is Google a service provider under the CCPA?

Google is a service provider under the CCPA. The CCPA defines a service provider as an entity that operates for-profit and receives consumers’ personal information from a business and process the personal information on their behalf, pursuant to a written contract. 

Google updated their existing data protection terms and now includes service provider terms under the CCPA, effective January 1, 2020. 

Does Google Analytics collect personal data?

If a website has installed Google Analytics tracking on its website, then Google can collect data from a website visitor. This includes data such as browser information like browser name, resolution and user’s location (derived from the IP address ), language (from browser settings).

While GA, by default, does not collect personal information such as email addresses, phone numbers etc, it collects online identifiers. As per Google, it collects information such as, “Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers”

These fall under personal data under privacy regulations like the GDPR and CCPA. The data collected is also used and shared with other Google products, including advertising services like AdSense. This means Google collects information that can be defined as personal data (GDPR) or personally identifiable information (CCPA).

What is CCPA compliance?

The California Consumer Privacy Act (CCPA) is a comprehensive state-level privacy act passed by the California State in 2018. It can apply to any for-profit organization doing business in California or any business that process the personal information of California residents. To comply with CCPA, businesses must adhere to certain requirements and provide consumers with rights to their personal data. For more information and steps for compliance, refer to the Complete Guide to CCPA.

Is Google Analytics GDPR compliant?

Google Analytics by default is not GDPR compliant. While Google has incorporated privacy controls and features like Restricted data processing to make the platform GDPR-friendly, your use of Google Analytics may still not be compliant. However, your use of Google Analytics may not still be GDPR compliant. Therefore, you have to take steps for stricter compliance with CCPA such as:

• Update your privacy policy
• Review PII collected by your Google Analytics 
• Implement IP anonymization
• Disable data sharing
• Display cookie consent banner on your site
• Honour data access/deletion requests from users