How to Make Google Analytics Compliant with CCPA
Using Google Analytics means you're collecting visitor data, and if any of those users are from California, you need to understand the California Consumer Privacy Act (CCPA). This landmark privacy law changes how you handle the data of California residents. This guide will walk you through what CCPA means for your Google Analytics setup and provide the concrete steps to make your tracking compliant.
What Exactly Is the CCPA and Why Does It Matter for Google Analytics?
The California Consumer Privacy Act (CCPA), now amended by the California Privacy Rights Act (CPRA), is a state law designed to give consumers more control over their personal information. If you're a for-profit business that collects data from California residents, you likely need to comply if you meet at least one of these criteria:
- You have an annual gross revenue of over $25 million.
- You buy, sell, or share the personal information of 100,000 or more California consumers or households.
- You derive 50% or more of your annual revenue from selling or sharing California consumers' personal information.
The term "personal information" is broad under CCPA. It includes identifiers like cookies, IP addresses, and device IDs - the exact kind of data Google Analytics collects to measure website traffic and user behavior. Even if you're not based in California, the law applies to you if you serve California residents.
Under CCPA, consumers have several key rights, including:
- The right to know: Consumers can ask what personal information you've collected about them.
- The right to delete: They can request that you delete the personal information you have on them.
- The right to opt out: They can tell you not to "sell" or "share" their personal information.
That last point is the most important one for Google Analytics. The definition of "sell" is tricky: it doesn't just mean exchanging data for money. It can include sharing data with a third party (like Google) in a way that benefits your business, such as for ad targeting or remarketing. This is where your default Google Analytics setup could create a compliance issue.
The Key to Compliance: Enabling "Restricted Data Processing"
To help businesses comply with CCPA, Google introduced a feature called "Restricted Data Processing" (RDP). When you enable this feature, you're signaling to Google that data from a specific user (or all users from California) should be handled with certain restrictions. Specifically, turning on RDP limits how Google can use that user's data and ensures it doesn't get used for things like Ads Personalization or added to remarketing lists.
Legally, this helps shift Google's role from a "business" that is "selling" or "sharing" your data to a "service provider" that is only processing data on your behalf. This one setting is the most critical piece of the CCPA compliance puzzle for Google Analytics.
Your Step-by-Step Guide to CCPA Compliance in GA
Making your Google Analytics account compliant with CCPA involves a few essential updates to your settings and your website's privacy practices. Before you begin, a quick disclaimer: This guide offers technical steps and practical advice, not legal counsel. We always recommend consulting with a legal professional to ensure your business fully complies with all applicable privacy laws.
Step 1: Update Your Privacy Policy
Your privacy policy is the foundation of your compliance efforts. It needs to be clear, accessible, and accurately reflect your data collection practices.
What to include for CCPA compliance:
- Description of Consumer Rights: Explicitly state the rights provided by CCPA (the right to know, delete, and opt-out).
- Data Collection Categories: List the kinds of personal information you collect (e.g., "Identifiers" like cookies and IP addresses collected via Google Analytics).
- "Do Not Sell or Share My Personal Information" Link: Your site must have a clear link, often in the footer, that allows users to opt out of the sale or sharing of their personal information. When clicked, this link should trigger the necessary technical controls, like enabling Restricted Data Processing.
Step 2: Implement a Cookie Consent Banner with an Opt-Out Mechanism
While the pop-up cookie banners are often associated with Europe's GDPR, they serve a vital purpose for CCPA, too. A proper banner gives users a clear notice of tracking and a direct way to exercise their right to opt out. Your banner should:
- Inform users that you use cookies and other tracking technologies.
- Link to your updated Privacy Policy.
- Contain the legally required "Do Not Sell or Share My Personal Information" link or button.
You can manage this with a Consent Management Platform (CMP). Tools like Cookiebot, OneTrust, or Termly can automatically present the right notices to users based on their location and integrate with Google Tag Manager to fire tags appropriately based on their consent choices. When a user from California clicks "Do Not Sell," your CMP should signal to Google Analytics to enable Restricted Data Processing for them.
Step 3: Enable Restricted Data Processing in your Google Analytics Property
This is the most direct action you can take inside your GA account. How you do this depends on whether you are using Google Analytics 4 or the soon-to-be-obsolete Universal Analytics (UA). We'll cover both.
For Google Analytics 4:
Restricted Data Processing in GA4 works in tandem with a couple of features meant to disable Ads Personalization.
- Go to your Admin panel.
- In the Property column, click on Data Settings > Data Collection.
- Under Advanced settings to allow for ads personalization, you'll see a setting that can be restricted on a per-state basis. Find California and make sure it is turned off. This prevents data from California users from being used for personalized ads.
For more specific control triggered by a user's action like opting out, you can set a parameter through Google Tag Manager. A signal (like lspa=true) can be sent along with your GA hits, which tells Google to put that user's session into Restricted Data Processing mode.
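One way to wire the "Do Not Sell or Share" opt-out to a per-user restriction, as an added example that is not part of the original guide. It swaps in the gtag.js fields `allow_google_signals` and `allow_ad_personalization_signals` rather than the `lspa` signal mentioned above; the cookie name, function names and measurement ID are assumptions.

```javascript
// Added example; names, cookie and measurement ID below are assumptions.
const OPT_OUT_COOKIE = 'ccpa_opt_out';   // hypothetical first-party cookie name
const MEASUREMENT_ID = 'G-XXXXXXXXXX';   // placeholder GA4 measurement ID

// The two gtag.js fields that turn off advertising features for this visitor.
const RESTRICTIONS = [
  ['set', 'allow_google_signals', false],
  ['set', 'allow_ad_personalization_signals', false],
];

// Parse a document.cookie-style string ("a=1; b=2") into a lookup table.
function parseCookies(cookieString) {
  const jar = Object.create(null);
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Commands in the order they must run: restrictions before 'config', so the
// first page_view of every page load already carries the visitor's choice.
function buildGtagCommands(optedOut) {
  return [...(optedOut ? RESTRICTIONS : []), ['config', MEASUREMENT_ID]];
}

// Call on every page load instead of a bare gtag('config', ...).
function initAnalytics(cookieString, gtag) {
  const commands = buildGtagCommands(hasOptedOut(cookieString));
  commands.forEach((cmd) => gtag(...cmd));
  return commands;
}

// Click handler for the "Do Not Sell or Share My Personal Information" link:
// persist the choice for a year and restrict the current page immediately.
function onDoNotSellClick(doc, gtag) {
  doc.cookie = `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; SameSite=Lax; Secure`;
  RESTRICTIONS.forEach((cmd) => gtag(...cmd));
}

// Browser wiring (assumes the standard gtag snippet has defined window.gtag):
//   initAnalytics(document.cookie, window.gtag);
//   link.addEventListener('click', () => onDoNotSellClick(document, window.gtag));
```

Because the choice is read from the cookie before `config` runs, it persists across page loads; events already sent on the page where the visitor clicked are not changed by the handler.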
For Universal Analytics (UA):
Even though UA is officially deprecated, its properties still exist and contain historical data. Here’s how you manage RDP there:
- Navigate to the Admin section.
- Under the Property column, click Tracking Info > Data Collection.
- You should find a section for CCPA Settings. Here, you can enable RDP.
This option sets RDP for all your California traffic. Your site's consent tools are still necessary to fulfill the user's specific choice to opt out via the "Do Not Sell" link.
Step 4: Disable Google Signals
Google Signals collects data from users who have turned on Ads Personalization in their Google accounts, allowing you to build cross-device reports and remarketing audiences. This data sharing can be classified as a "share" under CCPA.
To disable it in GA4:
- Go to Admin > Data Settings > Data Collection.
- Toggle off the switch for Google Signals data collection.
- It’s also wise to review the user data acknowledgment to ensure your practices align with its terms.
Be aware that turning this off will affect remarketing capabilities and will cause you to lose access to demographic and interests reporting data provided via Signals. It's a trade-off: richer audience insights versus simpler and tighter CCPA compliance.
Step 5: Fulfilling Data Subject Requests (DSRs)
Your CCPA obligations don't stop at settings adjustments. You also need a process in place to handle "right to know" and "right to delete" requests from users. If a user asks you to delete their data, here’s how to do it in Google Analytics:
- Find the user's Client ID or User ID. You may need to ask the user for this or find it through other means, for example by looking in your CRM or e-commerce platform for sessions that happened when they made a particular purchase.
- In GA4, navigate to Explore > User Explorer.
- You can search for the user by their ID by entering it into the filter field labeled "ID". Once you've found it, check its activity to confirm if it is the "Client ID" or "User ID" you selected.
- To delete it, use the option to delete the user in the top right corner. A prompt will warn that you cannot undo this action. Click "delete user" again to fulfill the request.
What Are the Effects of Enabling These Settings?
When you enable Restricted Data Processing, some Google Analytics functionality gets limited. Don't be alarmed; this is by design. Here's what to expect:
- No Remarketing: Users in RDP mode aren't added to your remarketing or similar audiences.
- Limited Ad Personalization: You can’t use data from these users to personalize ads.
- No Google Signals: Disabling Signals means you lose access to cross-device reporting and more detailed demographic and interest reports.
Put simply, enabling these compliance features turns Google Analytics into a pure analytics tool rather than an advertising one for those users. You'll still get a rich understanding of your website's performance, but with a more privacy-focused approach.
Final Thoughts
Making Google Analytics compliant with the CCPA is less about a complete overhaul and more about being deliberate with your settings. It requires you to be transparent in your privacy policy, offer clear opt-out mechanisms, and enable features like Restricted Data Processing to honor a user's choices. This ensures you can continue to gather valuable insights while respecting visitor privacy.
Once you’ve set up your compliance tools, the larger goal is turning all that data into meaningful action without losing your whole week to reports. Juggling different data sources manually - pulling from GA, then your sales platform, then your ad accounts - is the kind of data drudgery we designed Graphed to solve. We connect all your sources in one place so you can get consolidated dashboards and answer questions across platforms using simple language, helping you find insights in seconds, not hours.