Can you use Google Analytics in California? What if a user does a CCPA opt out?
29 July 2020
The short answer is yes. Google Analytics is even on the oag.ca.gov site.
Since CCPA is opt out, Google Analytics is going to be fine unless you know the site visitor has opted out. Once a site visitor sends you a CCPA opt out, what do you have to do to square it with Google?
This is where the Google documentation
gets a little confusing. They're not
going to tell you too much about whether a specific setting will get you to
compliance, probably because that sounds
too much like giving legal advice, and every site is different anyway. A wise man once
Go not to the Elves for counsel, for they will
say both no and yes.
Realistically, the Attorney General's office has limited time to bring CCPA enforcement cases, and realistically, hardly anybody has time to read n pages of Google documentation except the n/(reading speed) developers that Google can afford to hire, and nobody has enough C++ developers to keep up with Google's replacement technologies for the 3rd-party cookie, either so all you really need to do is not be one of the dozen or so creepiest, or most famous for being creepy, companies out there.
So read through the stuff on Helping
advertisers, publishers, and partners comply
with the California Consumer Privacy Act
make sure that you're set up with
the new version of the data processing
and then if someone opts out, do a
'allowAdPersonalizationSignals', false); like it
says on Advertising Features | Analytics for Web
And you should be good.
There is similar CCPA compliance stuff for other areas like ads, which gets a little more gnarly. But unless you have time to do every privacy compliance thing to white-glove standards, Google Analytics is probably not worth that much time. (Facebook Custom Audiences, on the other hand, are a big potential red flag, and anyone who takes the time to rage-surf Facebook for companies giving their contact info to the World's Creepiest PHP Programmer is going to see them. Probably worth more compliance checking time than it looks like they're getting. But that's another story.) The one exception is if you're stuffing PII into analytics events (which you can do, because you can put all kinds of stuff in analytics) but that's hopefully rare enough that nobody reading this blog is doing it. So there's plenty more to worry about than Google Analytics. And like I keep saying, all this stuff should be a win, not a cost center. In the near future, healthy organizations, fandoms, communities of practices and audiences will cooperatively (and with the help of publishers) spew forth CCPA opt-outs to protect themselves, like Penicillium colonies soaking their neighborhoods in antibiotics.