June 2, 2023

VCDPA Requirements with Google Analytics 4: A Comprehensive Guide

Discover how Google Analytics 4 aligns with the Virginia Consumer Data Protection Act (VCDPA) and the responsibilities it entails. Learn about VCDPA compliance requirements, opting out of data sharing, data retention periods, honoring consumer requests, and conducting data protection assessments.

The newly launched Google Analytics 4, succeeding the widely popular Universal Analytics, is one of Google's most significant tools in the digital marketing and eCommerce sectors. Its design incorporates a more privacy-conscious approach, signaling a change in data processing methods. However, with the Virginia privacy law becoming increasingly stringent, one must question whether Google Analytics 4 complies with the Virginia Consumer Data Protection Act (VCDPA).

In short, the answer is affirmative - Google Analytics 4 indeed meets the VCDPA requirements. However, its usage imposes certain responsibilities on your company.

In this article, we will delve into the details of the following:

  • Google Analytics 4's VCDPA compliance
  • The actions businesses must take with Google Analytics data to remain compliant with the VCDPA
  • The consequences of non-compliance with the VCDPA
  • How to manage VCDPA compliance requirements related to GA4

Is Google Analytics 4 VCDPA Compliant?

Google Analytics 4 meets the VCDPA standards but doesn't automatically make your website VCDPA-compliant. There's still work to be done.

Google Analytics 4 uses online trackers to gather and process user data. The company's data processing agreement clearly states they handle "Online identifiers, including cookie identifiers, IP addresses, and device identifiers; client identifiers."

Google Analytics cookies track user browsing habits on a website across different devices. Its first-party cookies generate a client ID, providing businesses insights into demographics, traffic sources, duration spent on specific pages, etc. These insights help website owners understand how users interact with their websites, enabling them to refine the user experience based on this data.

Its usage is quite straightforward. The business owner needs to set up a GA4 property and embed a JavaScript tracking code on the website to start collecting data. This data can be leveraged with other Google products and advertising capabilities, such as retargeting and Google ad customization. As you might expect, Google uses the data for profiling purposes. They track the websites you visit, learn about your interests, then serve you with relevant ads.

This data falls under the purview of the VCDPA. The VCDPA operates on an opt-out basis, meaning businesses are not obligated to acquire cookie consent for using Google Analytics. This implies that you can process website user data via Google Analytics 4. It can also be used in conjunction with Google Tag Manager.

However, it may entail additional VCDPA obligations for your business, provided that the VCDPA applies to your business.

You are required to comply with the Virginia Consumer Data Protection Act (VCDPA) if your business operates in Virginia or targets Virginia residents, as long as it meets at least one of the following criteria:

  • Processing the personal data of no fewer than 100,000 Virginia residents, or
  • Processing the personal information of at least 25,000 Virginia consumers and deriving over half of your gross revenue from the sale of personal data.

Unlike other privacy regulations in different U.S. states, the VCDPA does not impose a specific gross revenue threshold within a fiscal year for covered businesses.

How to Use Google Analytics 4 in Compliance with VCDPA

Google Analytics 4 can be utilized in Virginia, or any part of the United States, without soliciting user consent.

This contrasts with the situation in the European Union, where the General Data Protection Regulation (GDPR) requires websites to obtain consent for using GA through cookie banners, a requirement not imposed by US data privacy laws.

However, the VCDPA obliges you to meet certain criteria once you collect consumer data. In the case of using GA4, these include:

  1. Permitting consumers to opt out of the sale of personal information
  2. Allowing consumers to opt out of processing for targeted advertising
  3. Establishing a data retention period
  4. Honoring consumer requests, and
  5. Conducting a data protection assessment

Opting Out of the Sale of Personal Information and the Processing of Targeted Advertising

If you sell personal information, you must provide data subjects with a mechanism to opt out of the sale of personal information, including data collected by website analytics tools.

However, merely sharing Google Analytics data for targeted advertising gives your users the right to opt out of sharing personal data, too.

In simple terms, if you use Google products in a way that allows the sharing of GA4 data with Google Tag Manager, and you then use that data to target your users across the internet, you must enable them to opt out of that sharing.

When a user opts out, you can use their data for website analytics. You can track how they use your website. You must not, however, share that data with other Google products for targeted advertising.

If you want to eliminate the obligation to provide an opt-out link and you don’t run Google ads, you can simply sever the connection between Google Analytics 4 and Google advertising products. That way, you can still use cookies for website analytics while respecting user privacy.

Determine Data Retention Periods

You're not permitted to retain GA4 data indefinitely. You need to delete it once the data is no longer required.

The VCDPA mandates you to define the duration of data retention at the time of collection. This can be configured in your administrative panel. Moreover, this information must be incorporated into your privacy policy.

There is no rule for how long you should store the data. Many websites store it for two years, while the CNIL, the French data protection authority enforcing GDPR compliance, suggests businesses store the data for six months before deleting it.

The VCDPA has no strict rules, so you can keep it for longer than six months. Just make sure you don’t retain it indefinitely.

Honoring Consumer Requests

Your website visitors have VCDPA rights concerning the data gathered by GA4 cookies. They have the right to be informed about data processing, to access their data, and to request its deletion.

Features within the Google Analytics 4 admin panel simplify addressing a consumer request.

Data Protection Impact Assessments

These assessments enable businesses to identify the risks associated with such processing activities, evaluate the necessity of processing personal data, and establish robust risk management plans.

Considering that such assessments are necessary for processing precise geolocation data and sharing such data for advertising purposes with Google, you may need to conduct a DPIA.

Here's how you can benefit from this requirement:

  1. Risk Assessment. A detailed inspection of how you protect data can reveal any risks of handling private information. This inspection involves reviewing what kind of data is being processed, why it's being processed, how it could impact people, and what safety measures are in place.
  2. The Necessity of Processing. Processing geolocation data can be risky. Do you truly need to use this data? The assessment helps determine if using sensitive data is necessary for your business objectives.
  3. Risk Management Strategies. The review will help devise effective risk management plans, such as employing technical and organizational steps to mitigate identified risks.

What You Don’t Need to Do

The information available online about GA4 data can be confusing for US businesses. A lot of this confusion stems from the GDPR rules about GA.

Since data transfers from GA to the US do not follow GDPR rules, most of the information is about complying with EU laws.

However, US businesses do not have to ask for an opt-in or worry about data transfers worldwide. So, they can ignore the following:

  1. Getting explicit consent. You don't need anyone to opt in; you just need to provide an opt-out option. You can easily do it with the help of consent management platforms (CMP) that support VCDPA, such as Secure Privacy.
  2. Consent mode. This is only for businesses that need consent to use GA cookies. US businesses don't need this.
  3. IP anonymization. This would be useful if you needed consent to use Google Analytics data. The IP address helps GA create a user ID and track certain web behavior. Hiding IP addresses could be useful only if you don't want to handle user requests related to IPs.

VCDPA v. CCPA v. GDPR and Google Analytics 4

Data collection via Google Analytics triggers a range of data protection laws worldwide, including the CCPA, CPRA, GDPR, and others.

GDPR-compliant businesses have to ensure they obtain explicit consent for using GA4 cookies. They must align their marketing efforts with the stringent EU data protection law.

However, US states’ privacy laws do not always affect US businesses. They can use service providers such as Google Analytics 4 if they comply with other legal requirements.
