Online privacy is really big news lately with the passage of new laws, and the updating of existing laws. It’s scary to think about getting sued because your website isn’t up to the right privacy standards!
If you have visitors from California viewing and interacting with your website, it’s important to understand the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Not only do you need to be concerned if you gather information via forms, but also if you have Google Analytics running on your website.
In this article, we’ll go over what CCPA and CPRA are. We’ll also take a look at how to make your website and Google Analytics usage CCPA/CPRA compliant.
Legal Disclaimer: Due to the dynamic nature of websites, no single plugin can offer 100% legal compliance. Please consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases. Nothing on this website should be considered legal advice.
What are CCPA and CPRA?
The California Consumer Privacy Act (CCPA) is a bill the California state legislature passed in 2018, but it didn’t go into effect until 2020. It’s meant to work similarly to how the General Data Protection Regulation (GDPR) does in the EU. Basically, it governs how companies handle consumers’ personal information, such as name, phone number, email address, age, geolocation data, IP address, and pretty much any other personal information you can think of.
Then, in November of 2020, the California state legislature passed another bill that will revise/replace CCPA starting in 2023. The new bill, called the California Privacy Rights Act (CPRA), will take the CCPA and add to it, and change a few things. The general law remains the same:
- You must give California residents the option to opt out of having their data sold to third parties
- You must be willing to disclose what data you have collected
- You must delete that data if a consumer requests it
The Difference Between CCPA/CPRA and GDPR
While California’s bill is similar to GDPR, there is one really key difference: prior consent.
GDPR is a bit more strict, requiring a website to inform someone right away that they are being tracked by cookies (which you use if you have Google Analytics installed).
CCPA/CPRA, on the other hand, says that someone needs to be able to opt out of having their information sold, not to be able to opt out of tracking overall.
However, it’s strongly recommended that all websites that use Google Analytics or other data collection measures become compliant with GDPR anyway, whether you’re also selling data or not.
Basically, if you collect data or use cookies in any way, it’s time to become compliant.
How to Make Google Analytics CCPA/CPRA Compliant
By default, Google Analytics is not GDPR compliant.
Remember, there was a difference between CCPA/CPRA and GDPR about collecting data. If you’re trying only to be CCPA/CPRA compliant, you just have to alert users if you’re selling their data.
To be GDPR compliant, on the other hand, you need to inform users that you’re collecting data, whether you’re planning to sell it or not.
At this time, you wouldn’t have to set up a notice or acceptance button on your website in order to be CCPA/CPRA compliant. However, the consensus across the web is that we all must start adhering to GDPR.
So, to be compliant across all privacy laws, you need to either make sure you’re informing visitors that they’re being tracked, or stop collecting certain data.
That sounds complicated, doesn’t it?
Luckily, ExactMetrics has an easy-to-use addon that can quickly and painlessly make Google Analytics GDPR compliant.
The ExactMetrics EU Compliance Addon automates a lot of processes that are needed to comply with privacy laws. With a few clicks, your website can meet California and EU requirements, while you can focus on running your website.
How to Set Up The ExactMetrics EU Compliance Addon
Now that you know that ExactMetrics can help you with Google Analytics CCPA/CPRA and GDPR compliance, we’ll guide you through using the addon.
Step 1: Install ExactMetrics WordPress Plugin
ExactMetrics is the most powerful Google Analytics plugin for WordPress, without the high costs. In addition to the compliance addon we’re going to be setting up here, you’ll get a whole list of features that will help you grow your business with the help of analytics.
So to start, head to the Pricing page and get started with ExactMetrics at the Plus level or above. Once you complete checkout, download the plugin.
Next, upload it to your website.
Step 2: Add Your License Key and Connect to Google Analytics
Now that you have ExactMetrics installed, you can add your license key and connect your Google Analytics account. To get set up, click on ExactMetrics under your WordPress Dashboard and click the big green “Launch the wizard!” button.
Once you’re in the wizard, you’ll get to a page where you can add your license key and connect with Google Analytics.
After that, just keep following the setup prompts, answering questions about your business, until setup is complete.
Step 3: Install and Configure the EU Compliance Addon
To install the EU Compliance addon, open ExactMetrics » Addons. Scroll down to the EU Compliance addon and click Install.
The next step is to configure your ExactMetrics EU Compliance addon settings. Head to ExactMetrics » Settings » Engagement.
Click Enable EU Compliance to use the addon. You can scroll down to change your settings for GDPR compliance. If you do not want to turn on some of these settings, make sure to complete Step 5 below.
Step 4: Change Google Analytics Settings
In addition to setting up ExactMetrics and its addon, you’ll also have to make changes to Google Analytics to comply with GDPR requirements.
To make the changes, open your Google Analytics account and then click on Admin (the Gear icon) on the bottom left of the page.
Now in the middle Property column, click Tracking Info. Then, click on Data Retention. You can select the time period you want to retain the data (14 months, 26 months, 38 months, or 50 months).
You can also select Do not automatically expire, which means that Google Analytics will retain all your data. Once you’re satisfied with the settings, click Save.
For more on these settings, you can go through our guide on Google Analytics account settings for EU Compliance.
Step 5 (Optional): Offer an Opt-Out Option and Consent Checkbox
If you didn’t turn on all of the EU compliance settings, you’ll need the user’s consent to track their information. If they don’t want to be tracked, then you’ll have to offer an opt-out option.
Thanks to the ExactMetrics integration with Cookie Notice and CookieBot, you can easily set up a sitewide opt-out option.
Both these plugins have an opt-out popup you can use. They also help you offer a consent checkbox. If either of these two plugins is active on your site, ExactMetrics will wait to load the Google Analytics tracking script until the user gives permission.
If you’re not using these plugins, then you can use the ExactMetrics opt-out link integration. You can follow our guide on how to make Google Analytics opt-out links with ExactMetrics.
Step 6: Update Your Privacy Policy
Now, the last step is to update your privacy policy about Google Analytics and GDPR (and CCPA/CPRA) compliance. It will help provide transparency to your visitors and comply with privacy requirements.
If you’re wondering which type of cookies Google Analytics uses and what their purpose is, then check out our full guide on updating your privacy policy.
That’s it! You’ve now taken the steps you need to take to be GDPR (and CCPA/CPRA) compliant.