If you are wondering what the GDPR and the CCPA even are and if your website needs to meet the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) compliance, you are not alone. Read on and draw your own conclusion.

What is the GDPR?

The GDPR applies to all websites with users from the EU. The GDPR, agreed upon by the European Parliament and Council in April 2016, replaced the Data Protection Directive 95/46/ec in the Spring of 2018 as the primary law regulating how companies protect EU citizens' personal data.

What is the CCPA?

2020 was the year that the CCPA went into effect, giving Californian online consumers the right to take more control over their data. The CCPA is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States.

What is the Difference Between the GDPR and the CCPA?

Although the GDPR and CCPA are different from one another in some notable ways, the GDPR is much stricter than the CCPA.

Is the GDPR for Big Business Only?

The GDPR does not specifically set out offences and associated penalties for individuals, individuals can still receive fines for infringements of GDPR until national law. Read this article to learn more about this. Can an individual get a GDPR fine?

Despite the breadth of the EU General Data Protection Regulation (GDPR), there is no small business exemption. Companies still need to comply with most of the GDPR even if they have less than 250 employees.

When the GDPR speaks of "monitoring people's behavior," this includes using cookies. Targeted advertising involves tracking a person's activities online, and building up a profile of their preferences. This is also known as "profiling."

It's easy to get caught out if your company uses tracking cookies on its website. For example, if you run Facebook retargeting ads, or your app runs Google AdMob, this qualifies as monitoring people's behavior.

Does Google Analytics Require GDPR or CCPA Compliance?

The short answer is "yes", but a short answer isn't enough here. According to several 2019 rulings, you should ask for consent first, and here is why.

Google Analytics uses User ID, Client ID, and cookies to track the behavior of your users when they land on your website. This means that Google Analytics collects personal information under CCPA.

Even though Google Analytics doesn't collect direct Personal Information (PI) such as names, emails and phone numbers, etc. Google Analytics works in a way that can indeed make you liable under the California privacy law.

The GDPR is very much against websites sharing PI data with any third-party without a user's consent. Google Analytics does precisely this. Unless regulators officially say that analytic cookies are exempt, they fall under the scope of when consent is required.

Does Google Adsense Require GDPR or CCPA Compliance?

Regardless of whether you choose to ask for consent or not, there are still steps you should take. The first is to Create and/or Update your Privacy Policy to be fully compliant.

When the CCPA went into effect, Google has published numerous support articles that help give publishers information on how to comply with the CCPA and other privacy regulations.

One of the latest rollouts by Google AdSense is the ability to make your site both compliant for the GDPR and the CCPA. The best part of this is it is based one a person IP address, so it does not effect people that are not in the areas that don't require it. More information can be found from https://support.google.com/adsense/answer/9460089?hl=en.

Bottom Line

If your site is collecting data, data as innocent as Google analytics, and/or you are running ads on your site, you could be at risk. So why take the chance? At the very least:

• Create a privacy policy and search for a good consent script that will keep you safe from potential fines.
• Have a cookie consent banner. Some seem a bit overkill, but we have found one that is pretty simple with lots of flexible features. This is the plugin we are currently using and we have featured this CCPA and GDPR Cookie Consent Plugin below.
• If you are using Google AdSense, they have a pretty good solution and you do not even have to run ads on your website for it to work. To activate either the GDPR, the CCPA or both, all that is required verifying your website and adding the AdSense 'Auto Add' code to your website. More information can be found at https://support.google.com/adsense/answer/9460089?hl=en

It is such a simple fix, so why not do it? Can you see the ambulance chaser type attorneys searching for this type of infringement? I can see it like they do for using copyright images. Better to be safe than sorry is my thinking, the internet was always moving fast, now the world is moving fast trying to catch up.