CCPA Compliance Guide for Google Analytics 360
Google Analytics 360 (as well as the free Standard version) may require modifications from how you currently leverage it as the CCPA privacy law goes into effect on January 1st, 2020. Even if your organization is not based in California, you likely serve California consumers and thus you will be impacted by this law.
Below is your handy guide to demystifying CCPA and the specific steps you can take to make Google Analytics CCPA Compliant.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a privacy law that goes into effect on January 1st, 2020 and may impact your usage of Google Analytics 360 (or the free Standard version of Google Analytics).
At the core of CCPA are privacy rights for California consumers that provide for transparency (right to know) what Personal Information (PI) is collected from them, how it is used, and with whom it is shared. Consumers have the right to opt-out of the sale of their Personal Information (PI).
One of the more complex parts of interpreting the CCPA comes down to the terminology of “sale.” Specifically, “sale” is defined broadly as including the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
While it may be your first reaction to say that your organization currently does not “sell” consumer personal information, you may want to check with your legal team to fully understand. Even if you do not “sell” consumer information, you are still subjected to parts of the CCPA if you meet the requirements of being a for-profit business that has revenues in excess of $25 million globally (not just with California consumers).
Key Dates & Penalties of the CCPA Law:
- Law goes into effect January 1st, 2020
- Law enforcement begins July 1st, 2020 by the California Attorney General
- Penalties can be up to $7,500 per violation per individual as well as private right of action (lawsuits) by individuals of between $100 and $750 per incident per individual or actual damages, whichever is greater
There are many great resources online to learn about this law, who it impacts, and about the consumer rights. Below are a few resources we recommend:
- California Attorney General CCPA Fact Sheet
- CSO Article – What you need to know to be compliant
- California Attorney General CCPA Website Home
Does Google Analytics 360 have Personal Information (PI)?
First, let’s define what Personal Information (PI) is versus what Personally Identifiable Information (PII) is.
All PII can be PI, but not all PI is considered PII :). Confused? Read on and I’ll clarify…
Personal Information (PI) – The CCPA law directly defines PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer of household.”
Personally Identifiable Information (PII) – Google defines PII as “information that could be used on its own to directly identify, contact, or precisely locate an individual.”
The key difference between these is that PII is directly identifiable information, such as email address, SSN, name, precise locations, usernames, etc. While PI includes these same ones, it also includes indirectly identifiable information, such as a numeric User ID or any “persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family.” Yep, that means cookies, mobile ad identifiers and more.
PII has always been against the Terms of Service of Google Analytics, but the terms specifically exclude: pseudonymous cookie IDs, pseudonymous advertising IDs, and other pseudonymous end user identifiers. This same source mentions that IP Address is not interpreted as direct PII, but my interpretation is that you should never capture IP Addresses in Google Analytics in plain text.
So back to the question, does GA 360 contain Personal Information? It does under the definition of PI for the CCPA. Examples of PI:
- Randomly generated Google Analytics Cookie ID (Client ID)
- IP Address
- User ID
- Hashed Email ID
How Does Google’s Restricted Data Processing Mode Help?
To be compliant in Google’s eyes, you need to take steps for Restricted Data Processing on both Google Analytics and Google Ads.
In November 2019, Google released a feature called ‘Restricted Data Processing’ which aims to help organizations that leverage Google products to comply with the CCPA. Each Google product is listed as either already operating using Restricted Data Processing or as a product that requires additional action to enable Restricted Data Processing.
Google Analytics, Google Analytics 360, and Analytics for Firebase all have an asterisk (*) next to them because the condition is “where data sharing with Google products and services is disabled.” In the section further below, we discuss what this means and how to adjust the settings in Google Analytics accordingly.
Google Ads is listed as a product which requires action to enable Restricted Data Processing. There are specific instructions and steps you must take to get Google Ads enabled to operate in a Restricted Data Processing mode. Since this is done through code in your global site tag (gtag), this means that you could decide to do this only for California visitors or for all of your visitors.
You may be leveraging Google Analytics 360 with Google Ads for remarketing purposes. This is where things get tricky. If you have taken steps to make Google Analytics 360 operate in the Restricted Data Processing mode, but you don’t do the same for Google Ads, then the consumer’s data is no longer being used in this restricted mode. To be compliant in Google’s eyes, you need to take steps for Restricted Data Processing on both Google Analytics and Google Ads.
What Steps Can I Take to Become CCPA Compliant with Google Analytics 360?
Step 1 – Audit Your Google Analytics 360 Data Collection
Start by auditing your implementation of Google Analytics 360 to first ensure that you are not already violating the Terms of Service of collecting personally identifiable information (PII). Then, identify what personal information (PI) you may be collecting, such as User IDs.
Auditing your data collection is not a one-time task. You should have ongoing audits (perhaps quarterly or partially automated).
Step 2 – Accept the Data Processing Terms
Google will have updated Data Processing Terms with a CCPA service provider addendum. If you purchase Google Analytics 360 from a reseller, then your data processing terms are with the reseller and not with Google directly. If you purchase Google Analytics 360 directly from Google or you use the free standard version of Google Analytics, then you can accept the Data Processing terms under Account -> Account Settings.
Step 3 – Adjust Data Retention & IP Anonymization Settings
To further reduce the collection of PI, you may also wish to turn on IP Anonymization, which will remove the last octet of the user’s IP address. In this situation, the user’s full IP address is never written to the disk. Do recall that IP Address is clearly considered Personal Information (PI) under the CCPA. If you turn this feature on, the accuracy of geo-location will decrease. Brian Clifton provided an impact study on this enabling this feature, which is very helpful.
Under CCPA and really all privacy regulations around the world, you need to clearly describe what personal information you collect and where it is being sent. It is a good idea to address that you send to Google the user’s IP Address and that the _ga cookie identifier (Client ID) is a persistent cookie. Beyond this, include the other personal information (PI) that you identified in the audit.
“Wait – do I need to offer opt out? Well, read on at step 5…”
Step 5 – Determine if Consent Opt-Out is Necessary
In November 2019, Google released a feature called ‘Restricted Data Processing’ which aims to help organizations that leverage Google products to comply with the CCPA. Google’s guidance is that by keeping or adjusting your usage of their products to a Restricted Data Processing mode, your organization can be compliant with CCPA.
As it relates specifically to Google Analytics, they’ve provided a help article which provides their guidance of using Google Analytics under the Restricted Data Processing mode. Specifically, “Google Analytics will act as a service provider to its customers (when data sharing with Google products and services is disabled).”
To limit Data Sharing with other Google products and services, there is a clear step to take by performing the following adjustment in your Google Analytics account:
- Admin -> Account Settings – Edit the “Data Sharing Settings”, and turn off for all services
You may also want to inquire with your legal team whether you should disable the Google Signals feature, which is located in the GA admin under Property -> Tracking Info -> Data Collection.
If your legal team determines that you should offer opt-out for Google Analytics 360, then you’ll need to integrate this into your consent management platform. Many of our clients use platforms such as Tealium iQ Consent Management, CookiePro by OneTrust, or Evidon Universal Consent. Further, you’ll likely need to provide notice of the data you are collecting and sharing.
Step 6 – Create a Process for Honoring Data Rights
Under CCPA law, you must have a process for honoring data rights of California consumers if you are collecting personal information (PI). These data rights are the data deletion and data access requests. The data access request allows the consumer to receive all the data a company has collected on them over the previous 12 months. This right is not directly dependent on also offering opt-out.
For this process, you have two options, manual or automated:
- Manual Process
- Data Access Request – Upon an authenticated request, head over to the Audience -> User Explorer report to request a download of any data associated with a Client ID or User ID. Enter a date range of 12 months to find all sessions for that user and then click the ‘Export’ button. This export will be provided as a .json file.
- Data Deletion Request – On the exact same report under Audience -> User Explorer, find the user and on the bottom left of the report, simply click the ‘Delete User’ button. Once you click it, you’ll receive a modal asking you to confirm and informing you that it will take 72 hours to delete from the Individual User Report and then deleted from Analytics servers during the next deletion process.
- Manual Process
- Automated Process
- Data Access Request – By leveraging the User Activity API, you can submit a request to the API with the Client ID or User ID as well as the 12 months of data to retrieve. You’ll receive back as JSON response with all User Activity for the user you’ve queried.
- Data Deletion Request – The Data Deletion API provides a method to submit a request against a specific Client ID or User ID.
The manual process described above requires someone to go in and initialize the requests in the GA 360 interface. The automated process can be fully automated, but does require a developer to build a means to interface with the API.
A common question I’ve received about this is that users do not know their GA Client ID value. This is absolutely true and the advice I give on this is that you could setup a form on your website that grabs their current Client ID value (from their cookie) and then that is automatically populated and sent with the access/deletion request.
Ask Questions or Share Your Input
The CCPA law can be difficult to interpret and the choices your organization must make to become fully compliant. Beyond your organization’s own legal counsel, it often takes a community to arrive at the best solutions. Do you have questions or other tips that I did not include in this blog post on how to best gain compliance with the CCPA for Google Analytics? We’d love to hear from you in our comments section below and we promise to respond in a reasonable time period.
Disclaimer: I am not a lawyer and this blog post is based on my own research and interpretation of the California Consumer Privacy Act (CCPA). You are advised to seek legal counsel that specializes in the CCPA to ensure that your organization conforms to these regulations. CCPA is complex and interpretations vary. If you have questions or suggested clarifications, please comment and provide sources, as appropriate.