This blog post outlines how to use Google Analytics while complying with CPRA regulations for businesses. If you operate your business in California and use Google Analytics, read this blog post to learn about CPRA compliance for GA4.
Google Analytics uses cookies and tracking scripts to collect information from site visitors about their session activities on a website. With the update from Universal Analytics to GA4, Google introduced some changes to comply with the latest privacy regulations.
However, GA4’s default settings are not compliant with CPRA guidelines. To make it compliant with CPRA, you need to adjust some GA4 settings and provide users with additional options to control their data.
In this article, you will learn about CPRA compliance for Google Analytics and how to effectively use GA4 without getting fined for non-compliance.
Let’s dive in.
The California Privacy Rights Act (CPRA) is an amendment to the existing statewide privacy law, the California Consumer Privacy Act (CCPA). It came into effect on January 1, 2023, and applies to data collected on or after January 1, 2022.
Here are the major changes introduced in CPRA:
- Revised the definition of personal information
- Introduced sensitive personal information (SPI) as a new category of personal information that requires additional protection
- Expanded the scope of the law to more types of businesses
- Updated existing rights of data subjects and introduced new rights
- Enhanced regulations for behavioral advertising
- Established the California Privacy Protection Agency (CPPA) for enforcing and implementing the law
- Introduced new data protection features similar to GDPR
Check out our detailed guide on the California Privacy Rights Act (CPRA) for more information.
The CPRA applies to businesses operating in California or those that collect or process the personal information of California residents and meet one or more of the following conditions:
- Generated over twenty-five million dollars ($25,000,000) of annual revenue in the preceding calendar year.
- Buys, sells, or shares personal information of 100,000 or more consumers annually.
- Earns 50 percent of annual revenue from selling or sharing consumers’ personal information.
So, if your business falls under the above categories, you’ll have to comply with the California Privacy Rights Act.
Google Analytics (GA4) uses cookies to collect information from website visitors to identify users and their session state on the website. It does not collect any personally identifiable information such as IP address. Instead, it uses a masked portion of the IP address.
Cookies used by Google Analytics (GA4) include:
| Cookie name | Default expiration time | Description |
| --- | --- | --- |
| _ga | 2 years | Used to identify users. |
| _ga_<container-id> | 2 years | Used to remember information about users’ activity during their visit. |
The CPRA requires you to be transparent about your data collection practices and provide users with the option to opt out of cookies. You may also need to take some additional steps to respect the rights of the data subjects to comply with the CPRA guidelines.
Step 1: Create a Privacy Policy
Create a privacy policy page on your website to disclose how you use personal information. You should specify what data you collect, why it is collected, how long it will be retained, and who has access to it.
You can also consider creating a cookie policy for your website. The policy should specify how you use Google Analytics on your website, the list of cookies used, and their purpose. Additionally, it should provide users with instructions on how to opt out of Google Analytics cookies and how to access and delete the data gathered by the platform.
You should also ensure that the privacy policy page on your website is accessible to all your site visitors.
Step 2: Analyze the Data Collection Practices in GA4
Google Analytics generally doesn’t collect personally identifiable information such as name, email address, or phone number. However, it does collect data that is indirectly related to the individual, depending on how it’s configured on your website.
Here’s a breakdown of the data collected by GA4:
- Number of users on the website
- Device information such as operating system, browser, screen resolution, etc.
- Approximate location based on the IP address (not precise enough to pinpoint an individual’s exact location)
- Website activities such as pages viewed, time spent on the webpage, triggered events, etc.
Do a complete audit of your data collection practices and check for PII on your events and campaigns. Also, follow Google’s best practices to avoid sending PII in Google Analytics.
Also Read: How GDPR Affects Google Analytics and Google Tag Manager?
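The audit above is manual; as an added example (not code from the original post), the following gtag() wrapper screens GA4 event parameters for PII before a hit is sent, so an email address in a search term or a `?email=` query string on a thank-you page never reaches Google. The regex, the query-key list and the parameter names are assumptions chosen for this example.

```javascript
// Added example, not code from the original post: a gtag() wrapper that screens
// GA4 event parameters for PII before a hit is sent, complementing the manual
// audit above. The regex, the query-key list and parameter names are assumptions.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Query-string keys that commonly leak PII into page_location (assumed list).
const PII_QUERY_KEYS = new Set(['email', 'phone', 'name', 'user']);

// Mask email addresses in a string and blank flagged query parameters when the
// string is an absolute URL. Reports whether anything was redacted.
function scrubString(value) {
  let changed = false;
  let cleaned = value.replace(EMAIL_RE, () => { changed = true; return '[email-redacted]'; });
  try {
    const url = new URL(cleaned);
    for (const key of [...url.searchParams.keys()]) {
      if (PII_QUERY_KEYS.has(key.toLowerCase())) {
        url.searchParams.set(key, '[redacted]');
        changed = true;
      }
    }
    if (changed) cleaned = url.toString();
  } catch (e) { /* not an absolute URL; keep the regex-cleaned string */ }
  return { value: cleaned, changed };
}

// Walk the top-level string parameters of one event (nested GA4 `items`
// objects would need the same walk applied to each item).
function scrubPii(params) {
  const out = {};
  const findings = [];
  for (const [key, val] of Object.entries(params)) {
    if (typeof val !== 'string') { out[key] = val; continue; }
    const r = scrubString(val);
    out[key] = r.value;
    if (r.changed) findings.push(key);
  }
  return { params: out, findings };
}

// Send through the page's gtag(); in strict mode a hit with findings is dropped
// rather than sent with redactions, so the offending tag can be fixed first.
function safeEvent(gtag, name, params, strict) {
  const { params: clean, findings } = scrubPii(params);
  if (strict && findings.length) return { sent: false, findings };
  gtag('event', name, clean);
  return { sent: true, findings };
}
```

Log the `findings` array somewhere you review: each entry names a parameter that was carrying PII, which is exactly the list the Step 2 audit should produce.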
Step 3: Allow Users to Opt-Out of Data Collection
Unlike GDPR, CPRA requires an opt-out mechanism. This means that you don’t need to obtain prior consent from your website visitors to use tracking cookies; instead, you should provide an opt-out option for your customers.
The best way to allow users to opt out of cookies is to deploy a cookie consent banner on your website. Using a cookie consent banner, you can disclose the use of cookies and allow users to opt out of analytical cookies. You can also add links to the cookie policy and privacy policy on the cookie banner so that it is easily accessible to your users.
Check out our step-by-step guide on how to create a CCPA-compliant cookie banner for more information.
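As an added example of the opt-out mechanism this step describes (not code from the original post or from the plugin it recommends), the script below wires a "Do Not Sell or Share" banner choice to two documented Google mechanisms: the gtag consent-mode commands and the `window['ga-disable-<MEASUREMENT_ID>']` flag. `MEASUREMENT_ID` and `OPT_OUT_KEY` are placeholders; the window and storage objects are passed in so the logic can be exercised outside a browser.

```javascript
// Added example, not code from the original post or the plugin it recommends:
// a CPRA-style opt-out for GA4 built on two documented Google mechanisms, the
// gtag consent-mode commands and the window['ga-disable-<MEASUREMENT_ID>'] flag.
// MEASUREMENT_ID and OPT_OUT_KEY are placeholders chosen for this example.
const MEASUREMENT_ID = 'G-XXXXXXXXXX';
const OPT_OUT_KEY = 'ga4_opt_out';

// CPRA is opt-out, so analytics runs until the visitor says no; the ad-related
// signals stay denied so GA4 data is not shared for advertising by default.
function consentStateFor(optedOut) {
  return {
    analytics_storage: optedOut ? 'denied' : 'granted',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
  };
}

// Only an explicit "1" counts as an opt-out; a missing key means no choice yet.
function hasOptedOut(storage) {
  return storage.getItem(OPT_OUT_KEY) === '1';
}

// Apply the stored choice to a window-like object: set the disable flag and push
// a consent command. `mode` is 'default' on page load (before gtag.js runs)
// and 'update' when the visitor changes the banner setting later.
function applyConsent(win, storage, mode) {
  const optedOut = hasOptedOut(storage);
  const state = consentStateFor(optedOut);
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); } // the standard gtag shim
  win['ga-disable-' + MEASUREMENT_ID] = optedOut;     // GA4 sends no hits when true
  gtag('consent', mode, state);
  return state;
}

// Banner handler ("Do Not Sell or Share My Personal Information"): persist the
// choice and apply it at once, so no reload is needed for it to take effect.
function setOptOut(win, storage, optedOut) {
  storage.setItem(OPT_OUT_KEY, optedOut ? '1' : '0');
  return applyConsent(win, storage, 'update');
}

// Browser entry point: this must run before the GA4 gtag.js snippet is loaded.
if (typeof window !== 'undefined' && window.localStorage) {
  applyConsent(window, window.localStorage, 'default');
}
```

Because the `_ga` cookies listed earlier are set by Google's script, an opt-out after the script has already run also needs the existing cookies cleared for the visitor's domain; this example only stops further collection.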
Step 4: Manage User Data in GA4
CPRA grants users the right to know and the right to delete the information they have shared with businesses. Upon a user’s request, export the data GA4 has gathered about that user and share it with them.
To export a user’s data in GA4 using the Effective User ID:
- Log in to your GA4 Account, then go to the Explore tab from the left side menu. Select User explorer, then select the Effective User ID you want to export.
- Click on the download icon on the right corner to export the data. (refer to the screenshot below)
To initiate data deletion in GA4:
- Go to the Admin page of your GA4 property and select Data deletion request under Data collection and modification.
- Click on the Schedule data deletion request to create a new deletion request.
- Select the deletion type, along with the start and end dates for the deletion process.
- Choose the data fields you want to delete and provide a value to identify the specific data for deletion.
- Then click on Submit.
Once you have submitted the deletion request, you have a seven-day grace period in which to cancel it. After the seven-day grace period, Google Analytics will process the deletion request.
Refer to this article to learn more about data deletion in GA4.
Step 5: Use a Consent Management Platform
A Consent Management Platform (CMP) is software that helps you obtain and manage consent from your site visitors for collecting, processing, or sharing their personal data using cookies and other tracking scripts.
If you are using WordPress as your website CMS, check out our GDPR Cookie Consent Plugin, which is one of the best Consent Management Platforms for WordPress websites. We also have a detailed article on Why Do You Need a Native WordPress Consent Management Plugin?
Using our CMP, you can set up both opt-in and opt-out consent management for your website. It will simplify consent management efforts and let you comply with major data protection laws such as GDPR and CCPA.
Our plugin is also listed as a certified CMP by Google and is compliant with IAB TCF guidelines, so publishers and advertisers can manage Google’s additional consent requirements on their websites.
By following the above-mentioned steps, you can use Google Analytics while complying with the CCPA/CPRA guidelines. If you operate your business in the EU or handle the personal data of EU users, refer to our article on GDPR Compliance for Google Analytics for more information.
Does Google Analytics 4 Require IP Anonymization?
No, GA4 does not require IP Anonymization. It doesn’t store or log the complete IP address of users. Instead, it uses a masked portion of the IP address.
What Data Does Google Analytics Collect?
Google Analytics generally collects the following information from users:
- Number of users on the website
- Device information such as operating system, browser, screen resolution, etc.
- Approximate location based on the IP address (not precise enough to pinpoint an individual’s exact location)
- Website activities such as pages viewed, time spent on the webpage, triggered events, etc.
Is Google Analytics GDPR Compliant?
Google Analytics, by default, is not GDPR compliant. However, GA4 has implemented a lot of privacy-enhancing features that will help you comply with GDPR. Follow the steps below to make GA4 compliant with GDPR:
- Audit your data collection practices
- Create a privacy policy and cookie policy
- Obtain prior consent from users
- Minimize data collection
- Restrict data sharing
- Display a cookie consent banner
- Provide access or delete data upon request
How Can I Control Third-Party Cookies on My Website?
Third-party cookies can put your compliance with privacy laws such as GDPR and CCPA at risk. You can use a consent management platform (CMP) to control and block third-party cookies on your website. Check out our guide on how to block third-party cookies for more information.
Google Analytics (GA4) has implemented new updates to align with the latest privacy regulations. By default, it minimizes data collection, refrains from collecting personally identifiable information from website visitors, and employs masked IP addresses.
However, to ensure CCPA or CPRA compliance for GA4, you need to take some additional steps, such as updating your privacy policy, maintaining transparency regarding data collection, and respecting the privacy rights of your site visitors.
This article aims to guide you in complying with CCPA and CPRA guidelines when using Google Analytics. However, we do have a caveat for you: the privacy landscape is evolving, and new regulations are coming up.
In order to comply with the latest changes, Google will introduce further updates in the future. Consequently, some of the settings and options outlined in this article may change. Thus, we recommend staying up-to-date with privacy regulations and seeking professional assistance as needed.
If you find this article helpful, please let us know in the comments.