Google Analytics is installed on over 30 million sites - so it’s no understatement to say millions are waiting with bated breath for clarification on whether Google Analytics is CCPA compliant.
Fortunately, as the law is written, you shouldn’t have to worry about using GA under CCPA, even if the user has opted-out of data selling.
That said, there are still steps you need to take to be fully compliant, which are detailed below.
The information pertains specifically to Google Analytics browser/website tracking - not to Google’s Firebase SDK, a tool for in-app analysis. If you're concerned how GA is impacted by GDPR too, we also have a GDPR Google Analytics Compliance Guide.
Please note, we are not a law firm. Please view this as informational, not legal advice.
Table of Contents:
1. Google Analytics and CCPA - what’s the issue?
3. Create a process for honoring the data rights
4. Google Analytics and opt-outs
5. Additional precautionary steps
What is CCPA, and why should I care?
The California Consumer Privacy Act is a digital privacy law going into effect January 2020. For a detailed overview, read our CCPA summary. Its key highlights are:
- It applies just to large organizations who:
a. Have $25M+ in annual gross revenue or
b. Have 50%+ of annual revenue from data sales or
c. Have bought, sold, and/or shared personally identifiable info (PII) on 50K+ California residents
- Unlike GDPR, it’s an opt-out law; not opt-in. Therefore, it’s not about acquiring consent to sell PII; it’s about opting them out if they request it
- It includes user data rights (such as access, deletion, and opt-out)
- It’s specifically against selling or sharing PII in exchange for money or something of equivalent value
- It pertains just to CA residents
Google Analytics is a free website tool that collects anonymized data on individuals; aggregates it; and provides reports on where users came from, what pages they looked at, and so on.
While GA’s tags don’t collect PII like email address or name, the CCPA defines PII to include such persistent IDs as this ClientID. Many companies also use the UserID feature, which involves sending internal, anonymized IDs for more accurate tracking. Plus, the tracking tag sends Google the user’s IP Address, which is considered PII under the CCPA too.
As such, since you are sharing your visitors’ PII with Google Analytics, there are steps you need to take to have Google Analytics be CCPA compliant.
It must also describe what information you collected, sold, and/or disclosed since January 1, 2019, as well as why you did it and how.
"We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie
(_ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP Address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have - or ask us to delete any GA data - please delete your
_ga cookies, reach out to us via this form, and/or install the Google Analytics Opt-Out Browser Add-On."
Understanding the CCPA’s data rights isn’t rocket science: if they ask to see or delete their data, you must do it. This includes any Google Analytics data you or Google has on them.
What’s more difficult is figuring out how to honor that request from a technical standpoint. Even this is doable, though, and below lists multiple ways to access or delete their GA data. Fortunately the law gives you some breathing room - you have 10 days to acknowledge the request and 45 days to comply.
To access the data Google Analytics has on the user:
First, ask the user to provide their Google Analytics ClientID. To find this, they’ll need to go to their browser’s settings and manually look at what cookies are stored. They should find one named
_ga, which is the Google Analytics cookie, and within it is a string like
The user’s ClientID are the numbers before and after the final period (in this case,
318596131.1556642125). If they have multiple
_ga cookies on their browser, they should send all of the ClientIDs.
If you are relying on UserIDs instead of ClientIDs (the differences are here), then you must grab the ID yourself (for instance, if you know their email and have their UserID tied to it).
Next, use Google's User Explorer Report to pull any data associated with this ClientID or UserID, and then send that user this information.
Alternatively, you could use Google's User Activity API to pull the data. The API Response will look like:
To delete their data:
- Tell them to clear any
_gacookies on their browser. This would delete their cookie’s ClientID
- If you are storing a UserID tied to them, delete it
- Ask them for their ClientID (see above) and use Google's User Explorer Report to see what data Google has stored on them. In the report you'll see a 'Delete User' button in the bottom left panel. Google says that after you press this, the user's data is removed from the report after 72 hours, but it could take up to two months for the data to be deleted from their servers.
Alternatively you could use Google's User Deletion API and their ClientID/UserID to delete any data Google has on them.
Without doing this step, Google would store that user's data for 26 months, violating the CCPA deletion request. So you must manually delete their data via one of these steps should they request it.
|Caveat||Why it's important|
|It's a one-time request||Asking for data deletion is not the same as opting-out of data selling (they are two different rights). So if a user asks for data deleted, it’s fine if the GA cookie drops again the next visit|
|PII is tied to a household||For whatever reason, the CCPA associates PII to a household, not to an individual. So if a user requests deletion, you would technically have to follow the same steps above for everyone in their house. This isn’t feasible, so we’ll see if that rules changes over time|
|User verification||The law says that businesses cannot provide data to individuals (the right to access) without authenticating the request, but it’s unclear how to verify the person is who they say they are|
As a reminder, CCPA is an opt-out law. Meaning, if a user never requests to be excluded, you can legally continue sharing, using, and selling their data.
The question becomes: if the user does opt-out of data selling, does that mean you have to stop tracking them via Google Analytics?
From two different angles the answer looks to be "no". Those reasons are:
The definition of “sell”
The CCPA is explicitly against selling PII. Their definition of “sale” includes “selling, renting, releasing, disclosing...personal information to a third party for monetary or other valuable consideration”.
With Google Analytics you are not making money from selling this PII (which, again, is just IP Address and a randomly-generated anonymous ID). While one could argue that insights gleaned from website analytics has value, without a true transactional quid pro quo, this seems like a stretch. In other words, if a user opts-out of data selling, it doesn’t apply to GA cookies, and you can continue using Google Analytics without penalty.
Beyond that, the CCPA allows companies to use PII to provide needed business services. One of their examples is using PII to “audit consumer interactions”. As GA measures how users interact with your site, it appears website analytic tools fall under this business purpose - meaning that, like above, GA tracking would not fall under the purview of an opt-out.
This is totally fair. Nobody wants a class-action lawsuit. Plus, respecting your users’ privacy should be a default, not something you skirt around thanks to technicalities.
On top of that, it’s possible that since Google uses GA data to augment ad targeting and analyze market trends (which drives more revenue for them) that this PII sharing would indeed fall under the definition of “sale”.
If you want to take the safer route, here are steps you should take:
1. Review your integration with Google Analytics for PII leakage
For instance, if you are sending internal UserIDs to Google, make sure they are anonymized and not actual PII, like an email. Also check that you aren’t appending PII to URLs, such as
https://email@example.com after a form fill-out, as they would be sent to GA.
2. Review Google’s best practices for privacy compliance
- IP Anonymization - This removes the last octet of the IP Address before it’s sent to Google (aka 123.456.789.555 becomes just 123.456.789.0, which helps anonymize who it is)
- Reduce Data Retention Length - By default, Google Analytics stores data tied to an ID for 26 months. You can change this to 14 months in Admin → Tracking Info → Data Retention if you wanted to be more strict (the lowest option available)
- Turn 'Reset on New Activity' off - In the same spot as above, there is a toggle called 'Reset on new activity'. While this seems to be privacy-focused, it really just extends how long you track them, as every new time they visit your site, the 14 month retention period resets
- Sign DPA - Go to Admin → Account Settings and accept the Data Processing Agreement created for the GDPR, if you haven’t already. This is very important to do
- Data Deletion Requests - Monitor your Data Deletion Requests tab in Admin. Google will flag any instances where it finds PII, and you’ll need to delete them as needed
- Disable Demographics and Interests Reports - Under Admin → Property Settings → Advertising Features, turn this off to prevent Google from making reports around user info
- Turn Off Data Sharing - With Google Analytics, a lot of information is shared with other services. If you go into Account Settings -> Data Sharing, you can turn off these settings
- Unlink Google Ads / Ad Exchange - If you use Adwords/Adsense/Google Ads Manager, you may have set up linking between the two platforms. Under Admin --> Product Linking, you can turn this off, further limiting what data leaves GA (though this would impact your ad campaign efforts)
- Turn off Remarketing & Ad Reporting - Under Admin → Tracking Info → Data Collection, you could turn off Remarketing and Advertising Reporting Features, an additional way to limit what's shared
- Enable 'Advertising Personalization' - This is a new feature that Google has not officially released (as of Dec 2019), but the description says it'll allow customers to limit how data is used
- Limit the Session Settings time - Under Tracking Seetings --> Session Settings, you can edit the timeout time for individual sessions and campaigns. For instance, if you set the session timeout to 5 minutes, that means that after five minutes of inactivity, that SessionID on the user is no longer tied to anything
- Reduce Cookie Expiration Time - Unless cleared, the `_ga` cookie lasts on the user’s browser for 24 months. Fortunately, you can set this expiration period to whatever you want via the `cookieExpires` parameter in the GA tag. For instance, hardcoding it to `0` turns it into a session-based cookie, and the ClientID will expire when they exit the site
3. Fully honor an opt-out request so you never drop another GA cookie
If a user opts out of data selling, and you want to honor that CCPA request by blocking Google Analytics tracking for them, you can:
|Dynamically drop GA tag||Have the GA tag appear only for users that haven’t opted-out. You would have to write custom code that references an exclusion list before dropping the GA script in the page’s `head` tag|
|Add code to the GA tag||Follow Google’s User Opt Out instructions. Similar to above, this would involve dynamically identifying the user and adding specific code for their sessions|
|Browser extension||Have them install the Google Analytics Opt-Out browser extension. This prevents GA from dropping a _ga cookie|
To use Google Analytics and stay CCPA compliant, you'll need to:
- Have a process for deleting/accessing the user’s Google Analytics data upon request (instructions above)
- While GA looks to be excluded from opt-out requests, there are nonetheless steps you can take to limit and/or stop sending a user's data to Google
Of course, further clarifications could change these guidelines, and we’ll update the article if that happens! If you have any additional thoughts on the topic, please join the discussion below!
Join the Ad.Product community
Sign up for our upcoming newsletter and to be notified of our Ad.Product Slack channel and conference.
Ad.Product is the first community for product managers, engineers, and others to discover and discuss how to build innovative, user-first ad platforms.