blog: Don Marti


Can you use Google Analytics in California? What if a user does a CCPA opt out?

29 July 2020

The short answer is yes. Google Analytics is even on the oag.ca.gov site.

Since CCPA is opt out, Google Analytics is going to be fine unless you know the site visitor has opted out. Once a site visitor sends you a CCPA opt out, what do you have to do to square it with Google?

This is where the Google documentation gets a little confusing. They're not going to tell you too much about whether a specific setting will get you to compliance, probably because that sounds too much like giving legal advice, and every site is different anyway. A wise man once said, Go not to the Elves for counsel, for they will say both no and yes.

Realistically, the Attorney General's office has limited time to bring CCPA enforcement cases, and realistically, hardly anybody has time to read n pages of Google documentation except the n/(reading speed) developers that Google can afford to hire, and nobody has enough C++ developers to keep up with Google's replacement technologies for the 3rd-party cookie, either so all you really need to do is not be one of the dozen or so creepiest, or most famous for being creepy, companies out there.

So read through the stuff on Helping advertisers, publishers, and partners comply with the California Consumer Privacy Act (CCPA), make sure that you're set up with the new version of the data processing terms, and then if someone opts out, do a ga('set', 'allowAdPersonalizationSignals', false); like it says on Advertising Features | Analytics for Web (analytics.js). And you should be good.

There is similar CCPA compliance stuff for other areas like ads, which gets a little more gnarly. But unless you have time to do every privacy compliance thing to white-glove standards, Google Analytics is probably not worth that much time. (Facebook Custom Audiences, on the other hand, are a big potential red flag, and anyone who takes the time to rage-surf Facebook for companies giving their contact info to the World's Creepiest PHP Programmer is going to see them. Probably worth more compliance checking time than it looks like they're getting. But that's another story.) The one exception is if you're stuffing PII into analytics events (which you can do, because you can put all kinds of stuff in analytics) but that's hopefully rare enough that nobody reading this blog is doing it. So there's plenty more to worry about than Google Analytics. And like I keep saying, all this stuff should be a win, not a cost center. In the near future, healthy organizations, fandoms, communities of practices and audiences will cooperatively (and with the help of publishers) spew forth CCPA opt-outs to protect themselves, like Penicillium colonies soaking their neighborhoods in antibiotics.

Follow the Money: How Digital Ads Subsidize the Worst of the Web

‘Contextual on steroids’: How Insider is tracking and scaling audience behavior using first-party data

The demise of advertising. Part 2,232,086,991.

CPRA promises short-term consumer benefits, long-term uncertainty

Importance of CCPA Compliance Highlighted by First Round of Private Actions

Is This Amazon Review Bullshit? – The Markup

European Courts Find U.S. Can't Be Trusted to Process and Store Data