June 2, 2023

The Impact of Utah's UCPA on Google Analytics 4: A Comprehensive Guide for Businesses

Discover how Google Analytics 4 complies with Utah's Consumer Privacy Act (UCPA) and learn how to use GA4 in compliance with UCPA requirements. Explore the consequences of non-compliance and find out what you need to do to provide consumers with a privacy notice. Gain insights into managing UCPA compliance obligations with Google Analytics 4 for your business.

Google has launched Google Analytics 4, succeeding the universally recognized Universal Analytics. Google Analytics 4 is one of the most significant digital marketing and eCommerce tools the world has ever seen.

However, it comes with privacy concerns that we need to address. The tool is almost impossible to use in compliance with the General Data Protection Regulation (GDPR) of the EU, which also worries US businesses. Many wonder if they can use it to comply with new state privacy regulations.

GA4 is designed with a stronger emphasis on privacy, suggesting a shift in data collection and processing practices. However, with Utah’s data privacy laws tightening, it's crucial to question whether Google Analytics 4 complies with the Utah Consumer Privacy Act (UCPA).

In short, Google Analytics 4 conforms to the UCPA provisions. Nevertheless, its usage imposes certain obligations on your organization.

This article will delve into:

  • Is Google Analytics 4 compliant with the UCPA?
  • How to use GA4 in compliance with UCPA requirements
  • The consequences of failing to comply with the UCPA
  • How to manage UCPA compliance obligations in connection with GA4

Is Google Analytics 4 UCPA Compliant?

Yes, Google Analytics 4 is UCPA compliant and won’t make you violate the law.

Google Analytics 4 uses web-based tracking tools to collect and process user information on browsing websites. Google's data processing contract states that they process "Online identifiers, including cookie identifiers, IP addresses, and device identifiers; client identifiers." These parameters are considered personal information.

Cookies used by Google Analytics track user web browsing behavior across multiple devices. They create a client ID, which informs businesses about demographics, traffic origins, time spent on specific pages, and more. These insights enable website operators to assess how users engage with their sites and fine-tune the user experience based on this information.

Using Google Analytics 4 is easy. Business owners just need to set up a GA4 property, add a JavaScript code to their website, and then they can start gathering data. The provided metrics can be used with other Google services like retargeting and customizing ads.

The UCPA covers this data. The law uses an opt-out system, meaning businesses don't need to ask for permission to use cookies through Google Analytics. You can use Google Analytics 4 to collect user data from your website, even with Google Tag Manager.

It is important to note that you must concern yourself with GA4 UCPA compliance only if the UCPA applies to your business.

The Utah privacy legislation applies to any data controller or processor who:

  • Does business in Utah or provides a product or service aimed at Utah residents;
  • Makes $25,000,000 or more in a year; and
  • Meets one or more of the following thresholds:

How to Use Google Analytics 4 in Compliance with the UCPA

The use of Google Analytics in compliance with the UCPA is easy and straightforward.

You can install it on your website and track visitors if you provide them with a privacy notice informing them about using GA cookies.

You can do this by providing them with a notice in the form of a cookie banner that appears at the bottom of the website when the user first lands.

The notice can lead to your UCPA privacy policy, where you’ll describe your use of Google Analytics. That’s all you need to do upfront.

Later in the process, a data subject may submit a consumer request asking you if you collect their data, to access the data, or to delete it. You must honor such requests.

Although the Utah Consumer Privacy Act belongs to the group of comprehensive privacy laws of the US states, it is not as comprehensive as the CCPA, CPRA, Colorado CPA, VCDPA, and others. Its requirements are not as strict and are not very likely to get you in trouble with the Utah Attorney General.

What You Don’t Need to Do to Comply with the UCPA

Some laws, such as the GDPR, VCDPA, CCPA, and others, have some requirements related to using GA4, but the UCPA does not.

Simply put, you don’t need to:

  • Obtain explicit consent for the use of GA cookies.
  • Use the IP anonymization features (unless you want to protect users’ privacy, which is a good practice).
  • Use consent mode.

Consequences for Non-Compliance of GA4 Use with UCPA

There is only one way to collect data with GA that violates the UCPA - not providing consumers with a privacy notice on data collection.

This could put you in trouble with the Utah Attorney General. Penalties can go up to $7500 per violation. One user means one violation so that it can add up quickly.

How to Provide Consumers with a Privacy Notice for UCPA-Compliant Use of Google Analytics 4

Secure Privacy provides businesses with UCPA-compliant privacy notices and privacy policies that ensure you won’t get into trouble with data protection authorities in the US or anywhere in the world.

Aside from the UCPA, we can help you comply with the California Consumer Privacy Act, Virginia Consumer Data Protection Act, Colorado Consumer Privacy Act, and others.

Start your Free Trial