← Back to Blog

Is Google Analytics Compliant with CCPA and State Privacy Laws?

Google Analytics collects personal data from your visitors. Here's what that means for CCPA compliance and what you need to do about it.

2026-03-06

If you have Google Analytics on your website, you're collecting personal data from every visitor — whether you realize it or not. That has real implications under CCPA, VCDPA, and the other 18 US state privacy laws now in effect.

Here's what Google Analytics actually collects, what the law says about it, and what you need to do.

What Google Analytics Collects

Even with GA4's "privacy-focused" redesign, Google Analytics still collects:

  • IP addresses (used for geolocation, even if truncated)
  • Device and browser information (screen size, OS, browser version)
  • Pages visited and time spent on each
  • Referral source (where visitors came from)
  • Click behavior and scroll depth
  • Unique identifiers via cookies (_ga, _gid)
  • Demographics (if enabled — age, gender, interests)
  • Cross-site data if linked to Google Ads or other Google services

Under the CCPA's broad definition of "personal information," all of this qualifies. The _ga cookie alone creates a unique identifier tied to a specific visitor's browsing behavior.

Is This "Selling" or "Sharing" Data?

Under the CCPA, "sharing" means making personal information available to third parties for cross-context behavioral advertising. If you use Google Analytics alongside Google Ads, Google can use GA data to:

  • Build audience segments for ad targeting
  • Enable remarketing lists
  • Power conversion tracking

This is almost certainly "sharing" under CCPA, which triggers additional requirements:

  • A "Do Not Sell or Share My Personal Information" link on your site
  • A mechanism for consumers to opt out
  • Disclosure in your privacy policy that you share data with Google

Even without Google Ads, you still need to disclose Google Analytics in your privacy policy and provide a way for consumers to opt out of tracking.

What You Need to Do

1. Disclose Google Analytics in Your Privacy Policy

Your privacy policy must state that you use Google Analytics, what data it collects, and why. A generic "we use cookies for analytics" isn't sufficient — you need to name Google Analytics specifically and describe the data categories.

2. Add a Cookie Consent Banner

Multiple state laws require that consumers can opt out of non-essential cookies before they're loaded. Google Analytics cookies (_ga, _gid) are non-essential — they're not required for your site to function.

Your cookie consent banner should:

  • Load before Google Analytics scripts
  • Block GA from firing until the user consents (or doesn't opt out, depending on the state)
  • Provide a clear option to reject analytics cookies

3. Add a "Do Not Sell or Share" Link

If you use Google Analytics with Google Ads (or any other Google advertising product), you need a "Do Not Sell or Share My Personal Information" link in your footer. This is required by CCPA, Colorado, Connecticut, and several other states.

4. Honor GPC Signals

California, Colorado, Connecticut, and other states require you to treat Global Privacy Control (GPC) browser signals as a valid opt-out. If a visitor's browser sends a GPC signal, you must block Google Analytics from loading — or at minimum, block the advertising-related data sharing.

5. Configure GA4 Privacy Settings

In Google Analytics 4:

  • Disable Google Signals if you don't need demographic data
  • Enable IP anonymization (on by default in GA4)
  • Set data retention to the minimum period you need
  • Disable Ads Personalization if you don't use Google Ads

These settings reduce your compliance exposure but don't eliminate the need for consent and disclosure.

The Bottom Line

Google Analytics is not "free" from a compliance perspective. It creates legal obligations under virtually every US state privacy law. The good news: these obligations are manageable if you have the right privacy policy, cookie consent banner, and opt-out mechanisms in place.

ClearConsent detects Google Analytics on your site, identifies exactly which compliance gaps it creates, and generates the privacy policy and cookie banner you need to cover it.

Scan your site free — see what your Google Analytics setup is actually doing in under 60 seconds.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free