Online privacy is really big news lately with the passage of new laws, the updating of existing laws, and the transition to Google Analytics 4. It’s scary to think about getting sued because your website isn’t up to the right privacy standards, like CCPA/CPRA compliance!
If you have visitors from California viewing and interacting with your website, it’s important to understand the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Not only do you need to be concerned about gathering information via forms, but also if you have Google Analytics running on your website.
In this article, we’ll go over what CCPA and CPRA are. We’ll also take a look at how to make your website and Google Analytics usage CCPA/CPRA compliant.
Legal Disclaimer: Due to the dynamic nature of websites, no single plugin can offer 100% legal compliance. Please consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases. Nothing on this website should be considered legal advice.
What Is CCPA and CPRA?
The California Consumer Privacy Act (CCPA) is a bill the California state legislature passed in 2018 that went into effect in 2020. It’s meant to work similarly to how the General Data Protection Regulation (GDPR) does in the EU, but there are some key differences. Basically, it governs how companies handle consumers’ personal information, such as name, phone number, email address, age, geolocation data, IP address, and pretty much any other personal information you can think of.
In 2020, the California state legislature passed another bill that revised/replaced CCPA starting in 2023. The new bill, called the California Privacy Rights Act (CPRA), took the CCPA, added to it, and changed a few things, but the general rules remain the same:
- You must give California residents the option to opt out of having their personal data shared or sold.
- You must be willing to disclose what data you have collected.
- You must delete that data if a consumer requests it.
Am I Subject to the CCPA?
The CCPA/CPRA only applies to profit-seeking businesses that process personal data from California residents AND meet at least ONE of the following requirements:
- Yearly gross revenue exceeding $25 million
- Process personal data from 50,000 or more Californians per year
- 50% or more of yearly income is generated by the sale of consumers’ personal data
What’s the Difference Between CCPA/CPRA and GDPR?
While California’s bill is similar to GDPR, there’s one really key difference: prior consent.
GDPR is a bit more strict, requiring a website to inform someone right away that they are being tracked by cookies (which you use if you have Google Analytics installed). You need to ask for consent to track certain data before you start collecting it.
CCPA/CPRA, on the other hand, only requires that someone be able to opt out of having their information shared or sold, not that they be able to opt out of tracking overall.
However, it’s strongly recommended that all websites that use Google Analytics or other data collection measures become compliant with GDPR anyway, whether you’re also selling data or not.
Basically, if you collect data or use cookies in any way, it’s time to become compliant.
Is Google Analytics CCPA/CPRA Compliant?
Unlike its predecessor (Universal Analytics), Google Analytics 4 is CCPA/CPRA compliant thanks to more privacy-friendly data collection methods. That said, Google Analytics does not make your website compliant by default.
Remember, there’s a difference between CCPA/CPRA and GDPR laws when it comes to consent. If you’re only focused on being CCPA/CPRA compliant, you’re in the clear. You don’t need to obtain prior consent using a cookie banner or consent box for Google Analytics.
However, you do still need to abide by CCPA/CPRA policy if your business is subject to it and you share or sell personal consumer data. This includes passing data between Google products, such as using personal data collected in Google Analytics with Google Ads.
How to Make Google Analytics CCPA/CPRA Compliant?
Assuming CCPA/CPRA applies to you, here’s what you need to do to be compliant:
- Inform users of any data sharing in the privacy policy that’s served when they arrive on your website.
- Provide an option for consumers to opt out of data sharing with a “Do Not Share My Personal Information” link, ideally in your site’s footer.
- If you sell personal data, you also need to include that information in your privacy policy and provide a separate opt-out link, “Do Not Sell My Personal Data.”
- Set your data retention period in Google Analytics and state it clearly in your privacy policy.
- Honor consumer requests to opt out of tracking, access their own data, or have it removed.
- Set up your site to abide by Global Privacy Control (GPC) signals, meaning it won’t send GA cookies or any other cookies if the user’s browser sends an opt-out signal.
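One way to honor the GPC signal from the last item together with an opt-out link, as an added example that is not ExactMetrics code. The measurement ID is a placeholder, the `ga_opt_out` cookie name is an assumption standing in for whatever your opt-out link sets, and the sample inputs in the usage are constructed.

```javascript
// Added example (not ExactMetrics code). G-XXXXXXXXXX is a placeholder ID and
// "ga_opt_out" is an assumed cookie name set by the site's opt-out link.
const MEASUREMENT_ID = 'G-XXXXXXXXXX';
const OPT_OUT_COOKIE = 'ga_opt_out';

// Server side: browsers with GPC enabled send the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Parse a Cookie header or document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue; // skip empty or malformed fragments
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Decide whether analytics may load. GPC wins over everything else, then the
// visitor's explicit opt-out; only with neither signal is loading allowed.
function analyticsDecision({ headers = {}, navigatorGpc = false, cookies = '' }) {
  if (gpcFromHeaders(headers) || navigatorGpc === true) {
    return { load: false, reason: 'gpc' };
  }
  if (parseCookies(cookies)[OPT_OUT_COOKIE] === '1') {
    return { load: false, reason: 'opt-out' };
  }
  return { load: true, reason: 'no-signal' };
}

// Browser side: call this before any gtag.js script tag is injected.
// navigator.globalPrivacyControl is true when the visitor has GPC enabled.
function applyInBrowser(win) {
  const decision = analyticsDecision({
    navigatorGpc: win.navigator.globalPrivacyControl === true,
    cookies: win.document.cookie,
  });
  // gtag.js skips all hits for a property when this window flag is set.
  if (!decision.load) win['ga-disable-' + MEASUREMENT_ID] = true;
  return decision;
}
```

In the page, call `applyInBrowser(window)` first and inject the Google Analytics script only when the returned `load` is `true`, so no GA cookie is set for visitors who sent the signal.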
Even though you wouldn’t have to set up a notice or acceptance button on your website in order to be CCPA/CPRA compliant at this time, the consensus across the web is that we all must start adhering to GDPR.
So, to be compliant across all privacy laws, you do need to either stop collecting certain data or explicitly inform visitors that they’re being tracked and obtain consent, regardless of whether you plan to share or sell their data.
That sounds complicated, doesn’t it?
Luckily, ExactMetrics has an easy-to-use addon that can quickly and painlessly make Google Analytics GDPR compliant.
The ExactMetrics EU Compliance Addon automates a lot of processes that are needed to comply with privacy laws. With a few clicks, your website can meet California and EU requirements, while you can focus on running your website.
How to Set Up GDPR and CCPA/CPRA Compliance
Now that you know that ExactMetrics can help you with Google Analytics CCPA/CPRA and GDPR compliance, we’ll guide you through using the addon.
Step 1: Install ExactMetrics WordPress Plugin
ExactMetrics is the most powerful Google Analytics plugin for WordPress. In addition to the compliance addon we’re going to be setting up here, you’ll get a whole list of features that will help you grow your business with the help of analytics.
So to start, head to the Pricing page and get started with ExactMetrics at the Plus level or above. Once you complete checkout, download the plugin.
Next, upload it to your website.
Step 2: Add Your License Key and Connect to Google Analytics
Now that you have ExactMetrics installed, you can add your license key and connect your Google Analytics account. To get set up, click on ExactMetrics under your WordPress Dashboard and click the big green Launch the wizard! button.
Once you’re in the wizard, you’ll reach a page where you can add your license key and connect with Google Analytics.
After that, just keep following the setup prompts, answering questions about your business, until setup is complete.
Step 3: Install and Configure the EU Compliance Addon
To install the EU Compliance addon, open ExactMetrics » Addons. Scroll down to the EU Compliance addon and click Install.
The next step is to configure your ExactMetrics EU Compliance settings.
Head to ExactMetrics » Settings » Engagement.
Click Enable EU Compliance to use the addon. You can scroll down to change your settings for GDPR compliance. If you do decide to turn off some of these settings, make sure to complete Step 5 below.
Step 4: Change Google Analytics Settings
In addition to setting up ExactMetrics and its addon, you’ll probably want to make changes to your Google Analytics data retention settings. GA4 will retain data for 2 months by default, but most users want to change this to the 14-month option.
To make the changes, open your Google Analytics account and then click on Admin (the Gear icon) at the bottom left of the page. In the Property column, click Data Settings » Data Retention. Then, you can use the drop-down menu to change your Event data retention.
Once you’re satisfied with the settings, click Save.
For more information on Google Analytics settings that affect compliance, you can go through our guide on Google Analytics account settings for EU Compliance.
Step 5 (Optional): Offer an Opt-Out Option and Consent Checkbox
If you didn’t turn on all of the EU compliance settings, that means you’re tracking certain user information that you need consent for under GDPR. You’ll have to offer an opt-out option for visitors who don’t want to be tracked.
Thanks to ExactMetrics’ integration with popular cookie plugins, you can easily set up a sitewide opt-out option. The EU addon works with CookieBot, Cookie Notice, Complianz, and CookieYes.
All of these plugins can help you offer opt-out popups/banners and consent checkboxes. If any of these plugins are active on your site, ExactMetrics will wait to load the Google Analytics tracking script until the user gives permission.
If you’re not using one of these plugins or only need an opt-out link for CCPA/CPRA compliance, you can use ExactMetrics’ opt-out link integration. Follow our guide on how to make Google Analytics opt-out links with ExactMetrics.
Step 6: Update Your Privacy Policy
Now, the last step is to update your privacy policy to reflect Google Analytics compliance with GDPR and CCPA/CPRA. It should provide transparency to your visitors and comply with privacy requirements.
If you’re wondering which type of cookies Google Analytics uses and what their purpose is, check out our full guide on updating your privacy policy.
That’s it! You’ve now taken the steps you need to be GDPR (and CCPA/CPRA) compliant.