June 27, 2023

CCPA Compliance within Google Tag Manager: A Comprehensive Overview

Discover how Google Tag Manager (GTM) can be part of a CCPA-compliant strategy and learn the steps to ensure compliance. Understand GTM's data processing methods, user consent requirements, and consequences of non-compliance with the California Consumer Privacy Act (CCPA).

Google Tag Manager (GTM), which works like the Google tag, helps you set up and rapidly deploy tags on your website or mobile app using a simple web interface. GTM is a helpful tool that allows you to easily manage third-party scripts on your website. GTM allows for quick and efficient updates to tags and code snippets on your website or mobile app. These could range from analytics cookies and conversion tracking to Adsense integration and remarketing tactics.

By using it, you can enable the operation of scripts like Google Analytics (GA) and Google Ads, which help you collect and process user data.

Because GTM is a tool that processes user data, there are questions about its compliance with data privacy laws, such as the California Consumer Privacy Act (CCPA). To answer this quickly— GTM can be a part of a CCPA-compliant strategy. However, its use does impose certain obligations on your company. Take a look at our guide for GDPR Compliance when using Google Tag Manager.

It is critical to understand how GTM processes personal data and ensures its complies with the CCPA. With the proper knowledge and protocols, tackling this task can be a breeze for businesses.

This blog post will address the following:

  • Is GTM compliant with the CCPA?
  • How to use GTM under CCPA requirements
  • The consequences of non-compliance with the CCPA
  • Managing CCPA compliance obligations concerning GTM

Does Google Tag Manager Comply with the CCPA?

Absolutely! Google Tag Manager can be part of a CCPA-compliant strategy.

However, it is crucial to emphasize that GTM compliance is not automatic. Achieving CCPA compliance depends on your business's use of the tool, as the tool does not possess inherent compliance or non-compliance. Your website or mobile app's tags and code snippets can be updated quickly and easily using GTM. These could include remarketing, site analytics, conversion tracking, and more.

The key to GTM's adherence to CCPA lies in its meticulous data collection and processing methods. Under the CCPA and General Data Protection Regulation (GDPR), businesses are obligated to inform consumers, including California residents and European citizens, about the personal data being collected, its usage, and its sharing protocol. Your GTM implementation must comply with these rights.

CCPA applies to businesses that collect personal information from California residents. This applies whether the business is located within California or not. The CCPA applies to any business that:

  1. Has gross annual revenues in excess of $25 million;
  2. Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices;
  3. Derives 50% or more of its annual revenue from selling California residents' personal information.

How Google Tag Manager Processes Personal Data Under CCPA

Because GTM enables Google Analytics and Google Ads to process user data, you can further use this data to gain insights into website performance, understand user behavior, and improve ad targeting. It's a valuable tool that helps us make informed decisions and deliver a better user experience.

When a user visits a website that uses GTM, GTM will load a small JavaScript file onto the user's device. This file will then communicate with Google's servers to retrieve the tags that are configured for the website.

Once the tags have been retrieved, GTM will execute them on the user's device. Tags can collect a variety of data, including the user's IP address, browser information, and the pages that they visit.

GTM then sends the data that it collects to the third-party services that are configured for the website. These services can use the data for a variety of purposes, including advertising, analytics, and marketing.

Here are some additional things to keep in mind about how GTM processes personal data under the CCPA:

  • GTM does not collect any personal data on its own. GTM only collects data that is collected by the tags that are configured for the website.
  • GTM does not sell personal data. GTM only shares data with third-party services that are configured for the website.
  • GTM allows businesses to control how their data is collected and used. Businesses can choose to collect and use data for a variety of purposes, including advertising, analytics, and marketing.
  • Businesses are responsible for complying with the CCPA when they use GTM to collect and process personal data. GTM does not provide legal advice, and businesses should consult with an attorney to ensure that they are complying with privacy regulations.

How to Comply with CCPA in Google Tag Manager

Here's a guide on how to comply with CCPA in Google Tag Manager:

  1. Set up a CCPA-compliant tag configuration in GTM
  2. Check compliance with user consent, opt-in checkboxes, and privacy controls under CCPA
  3. Ensure restricted data processing in GTM for CCPA compliance
  4. Install a Consent Management Platform (CMP)

Let’s go through this guide step-by-step.

Setting up a CCPA-compliant tag configuration in GTM

CCPA compliance often starts with setting up a compliant tag configuration.

Businesses should ensure that they are only firing tags when they have the necessary consent from users. The tag configuration settings in GTM can be adjusted to reflect this.

This can be done by using triggers that fire tags only when users have given their consent.

Ensuring compliance with user consent, opt-in checkboxes, and privacy controls under CCPA

User consent is a crucial part of CCPA compliance. Businesses must ensure that they are getting explicit consent from their users before collecting their data. This can be implemented in GTM through the use of cookie consent banners or pop-ups on your website that allow users to opt-in or opt-out of data collection. 

  • Collecting user consent: GTM can be used to collect user consent for the collection or sale of personal information. This can be done by creating a custom HTML tag that includes a CCPA consent form. The form should be displayed prominently on the website and should include clear and concise language about what information is being collected and how it will be used.
  • Using opt-in checkboxes: GTM can be used to create opt-in checkboxes for collecting user consent. Opt-in checkboxes should be used for any form of tracking that collects personal information, such as Google Analytics, remarketing, and social media buttons.
  • Providing privacy controls: GTM can be used to provide users with privacy controls. This can be done by creating a custom HTML tag that includes a link to a privacy policy page. The privacy policy page should explain how the business collects, uses, and shares user data.

By following these steps, businesses can use GTM to ensure compliance with the CCPA and protect the privacy of their California customers.

Enabling restricted data processing

To further enhance CCPA compliance, businesses can enable restricted data processing in GTM. When enabled, this feature restricts how data is processed by certain Google products like Google Ads, Google Analytics, etc., helping businesses adhere to the CCPA.

Once you have enabled restricted data processing, Google will only process data from California users that is necessary to provide the services that you have requested. This means that Google will not be able to use this data for purposes such as audience targeting, remarketing, or ad personalization.

Enabling restricted data processing is a good way to enhance CCPA compliance and protect the privacy of California users. However, it is important to note that this feature does not prevent Google from collecting or using data from California users for other purposes, such as fraud prevention and security.

Here are some additional things to keep in mind when using restricted data processing:

  • Restricted data processing is only available for Google products that support it.
  • Restricted data processing may impact the performance of your Google Ads campaigns.

Installing a Consent Management Platform (CMP)

A Consent Management Platform (CMP) can help manage the user consent process, ensuring that users have full control over their data. CMPs can be integrated with GTM, facilitated through APIs and the use of plugins or templates, allowing businesses to seamlessly manage consent across their website.

Remember, while Google Tag Manager itself is a neutral tool that does not process personal data, it is instrumental in controlling how third-party tags (which might process personal data) are fired on a website. These tags, which may process personal data, include elements like gtag and the data layer, which have unique identifiers and parameters. In e-commerce settings, for example, user id or other identifiers may be crucial for personalized experiences.

Therefore, while GTM does not directly comply with privacy laws, it can be configured to help your website comply with such laws, including the CCPA.

Consequences of Non-Compliance with CCPA in Google Tag Manager

Failure to comply with the California Consumer Privacy Act when using Google Tag Manager can result in significant fines and penalties

Each intentional violation of the CCPA can incur a fine of up to $7,500, while unintentional violations can attract penalties of up to $2,500 per occurrence. When considering the scale at which businesses operate, these penalties can rapidly accumulate, leading to substantial financial liabilities.

Moreover, the CCPA entitles California residents to statutory damages in the event of a data breach. This means businesses could be subject to additional financial penalties ranging from $100 to $750 per California resident per incident, or actual damages if they are higher.

How to Provide Consumers with CCPA Compliance In Google Tag Manager

Do I need a Privacy Policy if I use GTM on my website or app?

Yes, you do need a Privacy Policy. 

Under CCPA, any business collecting personal information from California residents is required to have a Privacy Policy that outlines their data collection, storage, usage, and sharing practices. GTM is involved in data collection and therefore necessitates a Privacy Policy. This policy should be easily accessible on your website or app.

Do I need a Cookie Policy if I use GTM on my website or app?

Yes, a Cookie Policy is also required if you use Google Tag Manager on your website or app. 

GTM often manages tags that deploy cookies on your site. Cookies, being a form of data collection that often involve personal information, fall under the requirements of CCPA. A Cookie Policy should explain what cookies are, what type of cookies your website uses, why you use them, and how users can control their cookie preferences.

Do I need a Cookie Banner if I use GTM on my website or app?

Technically, CCPA does not specifically require a Cookie Banner. 

However, CCPA does require businesses to disclose data collection practices and provide a clear and easy way for consumers to opt-out of the sale of their personal information. A cookie banner is a common and effective way to meet this requirement, as it can be used to inform visitors about your use of cookies and offer them the chance to accept or decline cookies that aren't strictly necessary for the functioning of the site.

This can be particularly relevant if you use GTM to manage tags that deploy third-party cookies used for purposes such as analytics or advertising.

Start your Free Trial