The Colorado Privacy Act (CPA) & Google Analytics 4
This post is the second in a series where I examine details related to different digital privacy laws in various states and explain how they influence the use of standard third-party tools such as Google Analytics 4 and Google Ads. You can view all posts here. I’ll update these posts as legislation and best practices evolve.
What is the Colorado Privacy Act?
The Colorado Privacy Act (CPA) is legislation aimed at safeguarding the privacy rights of Colorado residents. (Waves a tiny Colorado flag.) The Colorado General Assembly passed the CPA on June 8, 2021. It was signed into law by Governor Jared Polis on July 7, 2021. It became effective on July 1, 2023, with additional provisions becoming effective over time.
Who Needs to Comply?
The following organizations need to comply with the Colorado Privacy Act:
- Businesses operating in Colorado or targeting Colorado residents with products and services.
- Additionally, businesses must meet at least one of the following conditions:
  - Businesses that control the processing of personal data of 100,000 or more Colorado residents.
  - Businesses that control the processing of personal data of 25,000 consumers or more and generate revenue from the sale of this data.
The Colorado Privacy Act is noticeably more relaxed than California’s privacy law. However, it’s important to note that there’s no exemption for nonprofits or educational institutions. If such organizations collect data from at least 100,000 Colorado residents, the CPA applies to them, and they need to comply with its requirements.
How to Achieve Compliance as of July 1, 2023
As in California, you don’t need to ask users to opt in to performance-based cookies or tracking (such as Google Analytics 4). You only need users to opt in if you want to collect sensitive data, such as race, health conditions, religious beliefs, citizenship status, etc. However, also as in California, you need to allow some people to opt out of various things.
- You must inform users that you share information with Google Analytics in your privacy policy. (You should be doing this already anyway.)
- The CPA requires that consumers be able to have their data deleted, but only Google can do that for GA4 data. When you mention that you use Google Analytics in your privacy policy, include a link to Google’s privacy policy since they’re responsible for such requests.
- You should also provide an overview of your data retention settings in your privacy policy. How long do you keep more detailed data in GA4?
- The CPA requires businesses to provide consumers with the ability to opt out of targeted advertising. Because of these shenanigans, using different Google tags (gtag.js) for GA4 and Google Ads is an increasingly good idea. That way, you can classify the two gtags separately in your cookie management platform: the Google Ads tag as an advertising cookie and the GA4 tag as a performance cookie.
- The CPA also specifies that if you sell data, you need to allow consumers to opt out of the sale of that data.
How to Achieve Compliance as of July 1, 2024
The following additional elements of the CPA became effective as of July 1, 2024:
- Applicable organizations must allow Colorado consumers to use universal opt-out mechanisms (UOOM). A UOOM is a browser setting (or plugin) allowing users to opt out of certain types of tracking, including targeted advertising. As of July 1, 2024, the most popular browser (Chrome) did not support UOOM.
- You need to monitor and review your data protection practices proactively; when you do, you should document everything. You should be doing this anyway.
What This Means for Google Analytics 4
Colorado’s law only requires organizations to allow users to opt out of targeted advertising. I can’t find anything applicable right now that requires organizations to allow users to opt out of data sharing with GA4. That’s a significant difference from California’s privacy law. However, if you need to comply with the Colorado Privacy Act, I recommend using different gtags for Google Analytics 4 and Google Ads. That way, if your users opt out of targeted advertising, a script can still send their pageview data to GA4. When configuring these tags in your cookie management platform, assign the Google Ads tag as an advertising cookie and the GA4 tag as a performance cookie.
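The split described above can be expressed as a small consent gate. This is an added example, not code from Google or from any cookie management platform. It assumes the UOOM signal is Global Privacy Control (read from `navigator.globalPrivacyControl`); the tag IDs are placeholders and the `optOuts` list is a hypothetical shape for the banner's state.

```javascript
// Added example: tag IDs are placeholders, not real properties.
const TAGS = [
  { id: "G-XXXXXXXXXX", category: "performance" }, // GA4 tag
  { id: "AW-XXXXXXXXX", category: "advertising" }, // Google Ads tag
];

// Assumption: the UOOM is Global Privacy Control, which supporting
// browsers expose as navigator.globalPrivacyControl === true.
function uoomSignalPresent(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Return the tag IDs that may load. `optOuts` lists the categories the
// visitor opted out of in the consent banner (hypothetical shape).
// A UOOM signal is treated as an opt-out of the advertising category only,
// so the performance-category GA4 tag keeps receiving pageviews.
function allowedTags(optOuts, nav) {
  const denied = new Set(optOuts);
  if (uoomSignalPresent(nav)) denied.add("advertising");
  return TAGS.filter((t) => !denied.has(t.category)).map((t) => t.id);
}

// Browser-only: inject a separate gtag.js loader for each allowed tag.
function loadTags(ids, doc, win) {
  win.dataLayer = win.dataLayer || [];
  win.gtag = function () { win.dataLayer.push(arguments); };
  win.gtag("js", new Date());
  for (const id of ids) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(id);
    doc.head.appendChild(s);
    win.gtag("config", id);
  }
}

// Runs only in a browser; under Node the functions above are just defined.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  loadTags(allowedTags([], window.navigator), document, window);
}
```

In a real deployment the cookie management platform would supply the opt-out state and decide when this runs, and its own UOOM handling takes precedence over this sketch.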
Need Help?
Contact me if you think I could help you with Colorado’s privacy regulations.