California’s Privacy Law & Google Analytics 4

An increasing number of states are rolling out their own privacy regulations. Each state’s legislation has its own specifics regarding who needs to comply and how to comply. This blog post starts a series in which I’ll break down these privacy laws across various states and explore their implications for using digital tools and platforms such as Google Analytics and Google Ads. One caveat applies: I’m not a lawyer. I implement and manage several cookie consent mechanisms (usually working with lawyers who explain what’s needed but not why). I’m writing and sharing this information to deepen my own understanding and to spark a conversation.

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are legislation aimed at safeguarding the privacy rights of California residents. The CCPA, enacted in 2018, gave consumers some control over organizations collecting, using, and selling their personal information. The CPRA, passed in 2020 as an amendment to the CCPA, further strengthened privacy protections by introducing new rights, established the California Privacy Protection Agency, and imposed stricter obligations on businesses handling personal information. The CPRA became effective on January 1, 2023.

Although this is oversimplified, I think the original law (the CCPA) applies mostly to advertising companies. The original law focused on selling personal information, which is basically what digital advertising companies do. The CPRA (the amendments to the CCPA) cast a much wider net. Instead of primarily focusing on selling personal information, the new law also focuses on sharing personal information. That’s a significant difference. An example of “sharing” personal information is installing the Google Analytics tag on your website; it shares personal information about your website visitors with Google. While the CCPA initially focused on holding advertising companies (such as Google) responsible and accountable, the CPRA resulted in a much broader law that now applies to businesses that use Google Analytics.

Note: Since the CPRA amends the CCPA, I’ll refer to California’s law as “CCPA” in what follows.

Who Needs to Comply?

The following companies need to comply with the CCPA:

  • For-profit businesses operating in California or targeting California residents with products and services. Businesses in states other than California can have a legal obligation to comply with CCPA.
  • Additionally, businesses must meet at least one of the following conditions:
    • Businesses with gross revenue exceeding $25 million in a calendar year (from January to December)
    • Businesses that generate at least 50% of their revenue from selling or sharing personal information. California does not mention a minimum amount of revenue tied to this condition.
    • Businesses that buy, sell, or share the personal information of at least 100,000 California residents with third parties. For example, if a for-profit business has at least 100,000 California residents visiting its website and that website has a Google Analytics tag, that business needs to comply with CCPA. Additionally, if a for-profit business buys or sells a mailing list of 100,000 California residents, it must comply with CCPA.

California exempts some organizations from the CCPA, such as nonprofits and government agencies. Businesses working in industries regulated by other California or federal laws (e.g., insurance, healthcare, and financial institutions) are also exempt. Additionally, the CCPA only applies to for-profit educational institutions; nonprofit educational institutions aren’t required to comply.

How to Comply

If your organization meets the criteria listed above, you’ll need to do the following:

  • You must allow users to opt out of data sharing with Google and other third parties. When users visit your website, you’ll need to give them an option to prevent tools such as Google Analytics from firing.
  • You must recognize Global Privacy Control (GPC) signals and apply them to data that would be shared with third parties such as Google. The requirement to honor GPC was added with the CPRA (in 2020) but wasn’t enforced until January 1, 2023. As of the date of this post (April 30, 2024), Chrome still doesn’t offer native GPC support, but it can be added with browser extensions. Other browsers, such as Firefox, offer native support.
  • Businesses must inform users through their privacy policy that they share information with third parties such as Google Analytics.
  • The privacy policy should also state how long Google Analytics data is retained (corresponding with your data retention settings in GA4).
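The opt-out and GPC requirements above, as an added example (this is not code from the original post or Google's own snippet): the browser's GPC signal and an assumed "ccpa_opt_out" cookie (set from a "Do Not Sell or Share" link) decide the gtag Consent Mode defaults before the GA4 tag is loaded. `navigator.globalPrivacyControl`, the `Sec-GPC` header and `gtag('consent', 'default', ...)` are real interfaces; the function names, the cookie name and the `G-XXXXXXXXXX` measurement ID are assumptions or placeholders.

```javascript
// Added example, not from the original post: gate GA4 on a CCPA opt-out signal
// before the tag fires. Cookie name "ccpa_opt_out" and function names are assumptions.
// Consent Mode storage types that control GA4 / Google Ads data sharing.
const GTAG_CONSENT_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Browser-side GPC: navigator.globalPrivacyControl is true only when the user opted out.
function gpcSignalled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server-side GPC: the same signal arrives as the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  return Boolean(headers && String(headers['sec-gpc']).trim() === '1');
}

// Site-level opt-out remembered from a "Do Not Sell or Share" link (assumed cookie).
function storedOptOut(cookieString) {
  return String(cookieString || '').split(';').some(function (c) {
    const kv = c.trim().split('=');
    return kv[0] === 'ccpa_opt_out' && kv[1] === '1';
  });
}

// Either signal denies every sharing-related storage type; otherwise grant.
function decideConsent(nav, cookieString) {
  const optedOut = gpcSignalled(nav) || storedOptOut(cookieString);
  const consent = {};
  GTAG_CONSENT_KEYS.forEach(function (k) { consent[k] = optedOut ? 'denied' : 'granted'; });
  return { optedOut: optedOut, consent: consent };
}

// Push the default consent state before gtag.js is injected.
// Returns true when the caller should skip loading the GA4 tag entirely.
function applyConsent(decision, gtagFn) {
  gtagFn('consent', 'default', decision.consent);
  return decision.optedOut;
}

// Browser entry point (skipped under Node so the functions above stay testable).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  window.gtag = function () { window.dataLayer.push(arguments); };
  if (!applyConsent(decideConsent(window.navigator, document.cookie), window.gtag)) {
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX'; // placeholder measurement ID
    document.head.appendChild(s);
  }
}
```

Run this in the page head before any other Google tag; `gpcFromHeaders` is for the server-side variant where the opt-out must be honored on requests that never execute page scripts.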

Although the CPRA became effective on January 1, 2023, there was a six-month grace period. This grace period led to Google’s decision to shut down Universal Analytics on July 1, 2023. The fact that the CCPA killed Universal Analytics underscores how serious the law is. Additionally, California has a webpage highlighting privacy enforcement actions related to the CCPA, including a $375k judgment against DoorDash and a $1.2 million judgment against Sephora.

Need Help?

If you find navigating or complying with California’s privacy regulations confusing and challenging, feel free to contact me. As a digital marketer deeply committed to ethical practices, I understand the importance of protecting personal data and ensuring privacy. This is more than just compliance; it’s about respecting and valuing individual rights. I see this as a way to help make the web a better place.