How to Use Google Analytics 4 in Compliance with Colorado Privacy Act

Google Analytics 4 in an update to Google’s Universal Analytics. Its emphasis on privacy shows a change in Google’s data processing approaches, yet the two versions do not differ too much. However, with Colorado's new comprehensive privacy law, you may question whether Google Analytics 4 complies with the law and what you should do to stay away from penalties.

You can use Google Analytics 4 in compliance with the CPA, but be careful - it also imposes certain obligations on your business.

In this article we'll delve into these obligations, namely:

• Is Google Analytics 4 CPA compliant
• How to use GA4 in compliance with the CPA
• A simple tool to help you comply effortlessly
  

Is Google Analytics 4 Colorado CPA Compliant?

While Google Analytics 4 is in line with CPA requirements, it does not automatically make your website compliant. There are still steps you need to take.

Google Analytics 4 employs online trackers to amass and process user data. Their data processing agreement transparently states that they collect "Online IDs, including cookie IDs, IP addresses, and device IDs." The gathered data is aggregated to generate insightful analyses for businesses. That’s the data you think of when you think about Google Analytics.

Google Analytics cookies monitor user navigation patterns across a website on various devices. These first-party cookies generate a client ID, offering businesses insights into visitor demographics, origin, time spent on pages, and more. This information enables website operators to understand their site usage better and optimize the user experience based on this data.

The setup process is straightforward, requiring no advanced technical knowledge, and that’s why many small website operators love it. A business owner merely needs to establish a GA4 property, insert a JavaScript tracking code onto the website, and start with data collection. 

This data can be integrated with other Google products and advertising features like retargeting and personalized ads. As you may assume, Google creates user profiles with this data.

CPA applies to this data. The law, like all the other US states’ privacy laws, relies on an opt-out model, meaning that businesses are not required to get CPA cookie consent to use Google Analytics. As a result, you can process web user data via Google Analytics 4. Google Tag Manager can also be employed in tandem.

You don’t need to ask website visitors for that. You just need to stop tracking them if they opt out of tracking for advertising purposes. But, only if the Colorado Privacy Act applies to your business.

The CPA applies to businesses operating in Colorado or targeting its residents with their products or services, and that have met the following criteria in the preceding year:

• Control the processing of personal data of 100,000 consumers or more
• Control the processing of personal data of 25,000 consumers or more and derive revenue from the sale of personal data (including by receiving a discount on the price of goods or services).

If you collect the data of 100,000 Colorado residents, the CPA applies to you, and you need to comply with its requirements.

How to Use Google Analytics 4 in Compliance with the CTDPA

You can use Google Analytics 4 in Colorado or any part of the US without user consent.

This contrasts with the regulations in the European Union where the General Data Protection Regulation (GDPR), which requires websites to acquire approval for the use of Google Analytics via cookie banners, a requirement that is absent in US data privacy laws.

However, upon collection of customer data, CPA prescribes certain standards. If you're employing Google Analytics 4, these include:

• Provide a privacy notice. You don’t need consent, but you need to inform consumers that you use GA4 cookies and collect their browsing data.
• Providing consumers the choice to opt out of the sale of personal information, if applicable. This applies to you only if you sell personal information collected by Google Analytics 4. 
• Giving consumers the option to opt out of targeted advertising. This is an explicit requirement of the CPA. Consumers who don’t want to be targeted online with relevant ads can opt out of that. You can still use GA4 to analyze website traffic, but you must not use the same data to place Google ads on the internet. That’s targeted advertising and users can opt-out.
• Establishing data retention periods. Don’t keep the data forever. Set a limit for storing GA4 data and stick to that.
• Honoring consumer requests. Consumers have the right to know if you collect their personal information, can access the data, transfer it to another controller, have it removed, and other rights. You could receive such requests in relation to GA4 data and you need to comply with them.