If you have spent any amount of time online recently, surely you have noticed all of the consent pop-ups appearing on a growing number of websites. This is all because of the GDPR and the CCPA.
If you are wondering what the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) even are, and whether your website needs to comply with them, you are not alone. Read on and draw your own conclusion.
What is the GDPR?
The GDPR applies to all websites with users from the EU. The GDPR, agreed upon by the European Parliament and Council in April 2016, replaced the Data Protection Directive 95/46/EC in the spring of 2018 as the primary law regulating how companies protect EU citizens' personal data.
What is the CCPA?
2020 was the year that the CCPA went into effect, giving Californian online consumers the right to take more control over their data. The CCPA is a state-wide data privacy law that regulates how businesses all over the world are allowed to handle the personal information (PI) of California residents. The effective date of the CCPA is January 1, 2020. It is the first law of its kind in the United States.
What is the Difference Between the GDPR and the CCPA?
The GDPR and CCPA differ from one another in some notable ways; overall, the GDPR is much stricter than the CCPA.
Is the GDPR for Big Business Only?
Although the GDPR does not specifically set out offences and associated penalties for individuals, individuals can still receive fines for infringements of the GDPR under national law. Read this article to learn more: Can an individual get a GDPR fine?
Despite the breadth of the EU General Data Protection Regulation (GDPR), there is no small business exemption. Companies still need to comply with most of the GDPR even if they have fewer than 250 employees.
When the GDPR speaks of "monitoring people's behavior," this includes using cookies. Targeted advertising involves tracking a person's activities online, and building up a profile of their preferences. This is also known as "profiling."
It's easy to get caught out if your company uses tracking cookies on its website. For example, if you run Facebook retargeting ads, or your app runs Google AdMob, this qualifies as monitoring people's behavior.
Does Google Analytics Require GDPR or CCPA Compliance?
The short answer is "yes", but a short answer isn't enough here. According to several 2019 rulings, you should ask for consent first, and here is why.
Google Analytics uses User ID, Client ID, and cookies to track the behavior of your users when they land on your website. This means that Google Analytics collects personal information under the CCPA.
Even though Google Analytics doesn't collect direct personal information (PI) such as names, emails and phone numbers, it works in a way that can indeed make you liable under the California privacy law.
The GDPR is very much against websites sharing PI data with any third party without a user's consent. Google Analytics does precisely this. Unless regulators officially say that analytics cookies are exempt, they fall within the scope of cookies that require consent.
Does Google Adsense Require GDPR or CCPA Compliance?
Since the CCPA went into effect, Google has published numerous support articles that give publishers information on how to comply with the CCPA and other privacy regulations.
One of the latest rollouts by Google AdSense is the ability to make your site compliant with both the GDPR and the CCPA. The best part is that it is based on a person's IP address, so it does not affect people who are not in the areas that require it. More information can be found at https://support.google.com/adsense/answer/9460089?hl=en.
If your site is collecting data, even data as innocent as Google Analytics, and/or you are running ads on your site, you could be at risk. So why take the chance? At the very least:
- Have a cookie consent banner. Some seem a bit overkill, but we have found one that is pretty simple with lots of flexible features. This is the plugin we are currently using and we have featured this CCPA and GDPR Cookie Consent Plugin below.
- If you are using Google AdSense, they have a pretty good solution and you do not even have to run ads on your website for it to work. To activate either the GDPR, the CCPA or both, all that is required is verifying your website and adding the AdSense 'Auto Add' code to your website. More information can be found at https://support.google.com/adsense/answer/9460089?hl=en
It is such a simple fix, so why not do it? Can you see the ambulance-chaser type attorneys searching for this type of infringement? I can see it, like they do for using copyrighted images. Better to be safe than sorry is my thinking; the internet was always moving fast, and now the world is moving fast trying to catch up.
Start using cookies only with the informed and explicit consent of every new user on your website
- We are not a law firm. This article is based on our own research; view this as informational only and not legal advice. If you have any concerns about your website, please speak to a lawyer before coming to a conclusion.
- Some of the references linked to in this article are using/advertising tools that are designed for EU/UK based businesses, marketing to customers within the EU/UK.
About the Author:
The SEO-Alien is a project started in 2009 regarding all things online marketing. The site started out more of a diary of predictions, suggestions and references to things I frequently used for online marketing... before social media marketing was even an option.
I hope you find the information and tools presented here useful and something worth sharing with others.
If there is anything else about online marketing or any online advertising strategy you think would be helpful, please let me know.