The California Consumer Privacy Act (CCPA) is designed to protect the privacy of California residents and has implications for businesses that handle their personal information. In many ways, the CCPA is regarded as the equivalent of the GDPR in Europe.
In this article, we’ll outline what the CCPA stands for and how its applied. Also, we provide steps for businesses that use Google Analytics to ensure compliance.
Let’s dive in!
- What is the CCPA?
- Who has duties under the CCPA?
- What does the CCPA mean for web analytics?
- Is Google Analytics CCPA compliant?
- How do I make Google Analytics privacy compliant?
- Final thoughts
What is the CCPA?
The California Consumer Privacy Act is a statute that protects the privacy rights of California residents. The CCPA was adopted in 2018 and amended in 2020 by the California Privacy Rights Act. It is part of the California Civil Code.
In-depth information about the CCPA can be found on the website of the Californian government.
Who has duties under the CCPA?
Not all organizations are covered by the CCPA.
The act only covers businesses when they fulfill certain criteria:
- they have gross annual revenue of over $25M
- they buy, sell, or share the personal information of 100,000 or more California residents, households, or devices
- at least 50% of their revenue comes from the sale of personal information of California residents.
These criteria are alternative: as long as one is satisfied, the CCPA applies. The CCPA also has an extra-territorial effect in that it can apply to businesses established outside California and the US.
The CCPA focuses on businesses and does not apply to government agencies and non-profit organizations for the most part. It also does not apply to entities covered by certain other privacy laws, such as HIPAA.
What does the CCPA mean for web analytics?
The CCPA originally required an opt-in system for the sale of personal information.
The CCPA defined the sale of personal information in very broad terms. Still, some companies argued that disclosing personal information for cross-context behavioral advertising did not constitute a sale.
The Legislature of California decided to clarify the point with the CPRA. The new law extended the opt-in system from the CCPA to sharing of personal information and clarified that the sharing of information includes cross-context behavioral advertising.
Bottom line, cross-context behavioral advertising requires opt-out consent. This was already fairly clear before the CPRA and is now true beyond doubt.
On the other hand, if you analyze visitor behavior strictly for the purpose of web analytics, the opt-out requirement does not apply.
Is Google Analytics CCPA compliant?
The CCPA does not require opt-in consent for placing cookies. However, consumers have a right to opt-out of the selling and sharing of their personal data.
The notion of sharing the data covers cross-context behavioral advertising- that is, profiling and advertising carried out by a business based on information collected from other websites and applications.
Google Analytics does this by default. Compliant use of Google Analytics is possible, but it is the customer’s responsibility to use the tool lawfully.
If you use Google Analytics, you have two alternatives to comply with the CCPA:
- providing your visitors with an option to opt-out through a “Do Not Sell Or Share My Data” page
- enable the restricted data processing setting for Google Analytics.
If you choose to restrict data processing, you may need to enable the setting for other Google services too. For instance, this setting needs to be enabled manually for Google Ads (which will restrict advertising on your website to non-targeted ads). This list from Google clarifies which Google services support the option and whether it is enabled by default.
Whether you decide to share personal information or not, you must also provide a notice about the collection of personal information and honor requests to access and delete information from your visitors.
How do I make Google Analytics privacy compliant?
Provide a “Do Not Sell Or Share” page
The CCPA requires businesses that sell or share data to make a “Do Not Sell Or Share My Data” page available on their websites.
The link to the page must be clear and visible: if it is difficult to find, the website is violating the law. The option to opt-out must also be easily available: businesses are not allowed to require registration or verification of identity to opt-out.
Additionally, you are not allowed by law to withhold features of your website or service from users who opt-out of the selling and sharing of personal data: you need to treat users who opt-out the same as everyone else.
Of course, the page is not just for show: you need to ensure that you have technical procedures in place to honor requests not to sell or share.
Global Privacy Control
Global Privacy Control is a technical standard for requests not to track. A GPC signal is sent from the visitor’s browser and asks websites not to sell or share the visitor’s information. Some browsers natively support GPC, while others require an extension.
Under California law, GPC signals must be honored as if they were requests to opt-out. Therefore, if you share personal information, you must stop sharing it. This rule has already been enforced in the past against cosmetics retailer Sephora.
Please note that GPC is not an opt-out from data collection in and of itself, only data sharing. You can still collect personal information from visitors who send a GPC signal if you do not sell or share it.
Providing a notice
Websites subject to the CCPA must inform visitors that their data are being collected. The information must be provided when the data are collected or beforehand.
The notice must inform visitors about the information collected and the purposes for the collection. It must also link to the website’s privacy policy (which is not the same as the notice itself). Additionally, if the website shares visitor information, it must inform them that this is the case and link to the Do Not Sell Or Share My Data page.
This requirement does not depend upon the selling or sharing of the data: even if you do not share the data you collect, you must still provide a notice to your visitors.
Honoring consumer requests
Consumers can ask businesses for information about the data, including the types and sources of the personal information, the purposes for its use, and information on data disclosures. They can also require businesses to delete their information.
If you receive one of such requests, you can comply within 45 days (which can be extended by 45 more, for a total of 90 days). To handle requests properly, you should establish standard procedures beforehand and properly train your staff.
Businesses must verify that the request comes from the consumer the personal information refer to. To do this, they are allowed to request more personal information. This information can only be used for verification and cannot be used by the business in any other way.
Like the provision of information, the duty to respond to requests also covers businesses that do not share data: if you collect personal information of California residents, you have a duty to respond to such requests, no matter what you do with the information.
Final thoughts
We’ve provided the necessary steps for businesses to ensure compliance in relation to website analytics. Complying with privacy regulations is important but can be a hassle sometimes. Luckily, there are website analytics products that are compliant out of the box.
We built Simple Analytics with privacy in mind. We took a privacy-by-design approach and provide the insights every business needs without using cookies or collecting personal data. We’re 100% CCPA compliant. We believe the internet should be independent and friendly to website visitors. If this resonates with you, feel free to give us a try!