How to Use Google Analytics 4 in Compliance with Colorado Privacy Act
Learn about Google Analytics 4 and its alignment with Colorado's Comprehensive Privacy Law (CPA). Discover how to use GA4 in compliance with the CPA and avoid penalties, including essential obligations, data processing requirements, and user consent guidelines.
Google Analytics 4 in an update to Google’s Universal Analytics. Its emphasis on privacy shows a change in Google’s data processing approaches, yet the two versions do not differ too much. However, with Colorado's new comprehensive privacy law, you may question whether Google Analytics 4 complies with the law and what you should do to stay away from penalties.
You can use Google Analytics 4 in compliance with the CPA, but be careful - it also imposes certain obligations on your business.
In this article we'll delve into these obligations, namely:
- Is Google Analytics 4 CPA compliant
- How to use GA4 in compliance with the CPA
- A simple tool to help you comply effortlessly
Is Google Analytics 4 Colorado CPA Compliant?
While Google Analytics 4 is in line with CPA requirements, it does not automatically make your website compliant. There are still steps you need to take.
Google Analytics 4 employs online trackers to amass and process user data. Their data processing agreement transparently states that they collect "Online IDs, including cookie IDs, IP addresses, and device IDs." The gathered data is aggregated to generate insightful analyses for businesses. That’s the data you think of when you think about Google Analytics.
Google Analytics cookies monitor user navigation patterns across a website on various devices. These first-party cookies generate a client ID, offering businesses insights into visitor demographics, origin, time spent on pages, and more. This information enables website operators to understand their site usage better and optimize the user experience based on this data.
The setup process is straightforward, requiring no advanced technical knowledge, and that’s why many small website operators love it. A business owner merely needs to establish a GA4 property, insert a JavaScript tracking code onto the website, and start with data collection.
This data can be integrated with other Google products and advertising features like retargeting and personalized ads. As you may assume, Google creates user profiles with this data.
CPA applies to this data. The law, like all the other US states’ privacy laws, relies on an opt-out model, meaning that businesses are not required to get CPA cookie consent to use Google Analytics. As a result, you can process web user data via Google Analytics 4. Google Tag Manager can also be employed in tandem.
You don’t need to ask website visitors for that. You just need to stop tracking them if they opt out of tracking for advertising purposes. But, only if the Colorado Privacy Act applies to your business.
The CPA applies to businesses operating in Colorado or targeting its residents with their products or services, and that have met the following criteria in the preceding year:
- Control the processing of personal data of 100,000 consumers or more
- Control the processing of personal data of 25,000 consumers or more and derive revenue from the sale of personal data (including by receiving a discount on the price of goods or services).
If you collect the data of 100,000 Colorado residents, the CPA applies to you, and you need to comply with its requirements.
How to Use Google Analytics 4 in Compliance with the CTDPA
You can use Google Analytics 4 in Colorado or any part of the US without user consent.
This contrasts with the regulations in the European Union where the General Data Protection Regulation (GDPR), which requires websites to acquire approval for the use of Google Analytics via cookie banners, a requirement that is absent in US data privacy laws.
However, upon collection of customer data, CPA prescribes certain standards. If you're employing Google Analytics 4, these include:
- Provide a privacy notice. You don’t need consent, but you need to inform consumers that you use GA4 cookies and collect their browsing data.
- Providing consumers the choice to opt out of the sale of personal information, if applicable. This applies to you only if you sell personal information collected by Google Analytics 4.
- Giving consumers the option to opt out of targeted advertising. This is an explicit requirement of the CPA. Consumers who don’t want to be targeted online with relevant ads can opt out of that. You can still use GA4 to analyze website traffic, but you must not use the same data to place Google ads on the internet. That’s targeted advertising and users can opt-out.
- Establishing data retention periods. Don’t keep the data forever. Set a limit for storing GA4 data and stick to that.
- Honoring consumer requests. Consumers have the right to know if you collect their personal information, can access the data, transfer it to another controller, have it removed, and other rights. You could receive such requests in relation to GA4 data and you need to comply with them.
Get Started For Free with the
#1 Cookie Consent Platform.
No credit card required

Personalization Without Privacy Violations: Tactics & Tools for GDPR & CCPA Compliance
Your personalization strategy is a privacy violation waiting to happen. While customers demand tailored experiences, personalization privacy compliance has become the make-or-break factor that determines whether your customization efforts build trust or trigger devastating regulatory penalties.
- Legal & News
- Data Protection
- GDPR

First-Party Data Collection & Compliance: Best Practices for GDPR & CCPA in 2025
Your marketing strategy depends on first-party data collection compliance, but navigating the complex web of privacy regulations can feel overwhelming. With GDPR fines reaching €20 million, CCPA penalties expanding under CPRA, and 20+ US states enacting comprehensive privacy laws by 2025, collecting customer data legally has never been more critical—or complicated.
- Legal & News
- Data Protection
- GDPR
- CCPA

Customer Journey Mapping Under GDPR & CCPA: How to Embed Privacy at Every Touchpoint
Your customer journey maps are exposing you to massive privacy violations and regulatory penalties — and you might not even realize it. Most organizations approach customer journey mapping GDPR compliance as an afterthought, failing to integrate privacy requirements into each touchpoint where personal data flows through their customer experience.
- Legal & News
- Data Protection
- GDPR