March 5, 2026 · 9 min read · Privacy

CCPA and Web Analytics: What California Privacy Law Means for Your Tracking

The California Consumer Privacy Act changed the rules for how businesses collect, share, and sell visitor data. Here's what it means for your analytics setup — and how to stay compliant without sacrificing the metrics you need.

At a Glance

  • CCPA applies to for-profit businesses that meet specific revenue or data thresholds — even if they're not based in California.
  • Unlike GDPR, CCPA uses an opt-out model rather than opt-in — you can collect data by default, but must let users stop it.
  • If your analytics tool sells or shares personal information, you need a “Do Not Sell My Personal Information” link on your site.
  • Cookie-free, privacy-first analytics tools like Copper Analytics are CCPA-compliant by design because they never collect personal information.
  • The CPRA amendments (effective January 2023) expanded CCPA to include data sharing, not just selling.

What Is the CCPA?

The California Consumer Privacy Act (CCPA) is a state-level privacy law that went into effect on January 1, 2020. It gives California residents the right to know what personal information businesses collect about them, the right to delete that information, and the right to opt out of its sale. In 2023, the California Privacy Rights Act (CPRA) amended and expanded the CCPA, adding new rights and creating the California Privacy Protection Agency to enforce the law.

For website owners and marketers, the CCPA's impact on website tracking is significant. Traditional analytics tools — particularly Google Analytics — collect IP addresses, device identifiers, cookie data, and browsing behavior that can qualify as “personal information” under the law. If your analytics vendor shares or sells that data (as Google does through its advertising network), you may be on the hook for compliance obligations you didn't realize you had.

The CCPA defines “personal information” broadly: it includes any data that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” IP addresses, unique device identifiers, browsing history, and geolocation data all fall under this umbrella.

Who Must Comply with the CCPA?

The CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following thresholds:

  • Annual gross revenue exceeding $25 million. This is the most commonly triggered threshold. If your business earns more than $25 million per year from any source, you must comply regardless of where you're headquartered.
  • Buying, selling, or sharing the personal information of 100,000 or more California residents, households, or devices annually. Note: the CPRA changed this from 50,000 to 100,000. If your website gets significant California traffic and uses tools that place cookies or share data with third parties, you could hit this threshold faster than you think.
  • Deriving 50% or more of annual revenue from selling or sharing California residents' personal information. This primarily affects data brokers and ad-tech companies, but any business that monetizes user data should evaluate whether it applies.

Crucially, the CCPA applies based on where your visitors are, not where your business is located. A company in New York, London, or Tokyo that serves California residents and meets any threshold must comply.

Common Misconception

Many businesses assume CCPA only applies to California-based companies. In reality, it applies to any for-profit business worldwide that collects data from California residents and meets the thresholds above. If your website has U.S. traffic, California visitors are almost certainly among them.

How CCPA Differs from GDPR

If you're already familiar with GDPR-compliant analytics, you might assume the CCPA works the same way. It doesn't. While both laws protect consumer privacy, their approaches differ fundamentally:

| Aspect | GDPR (EU) | CCPA (California) |
|---|---|---|
| Consent Model | Opt-in — explicit consent required before data collection | Opt-out — collect by default, but users can stop it |
| Who It Protects | All individuals in the EU/EEA (data subjects) | California residents (consumers) |
| Who Must Comply | Any organization processing EU residents' data | For-profit businesses meeting revenue/data thresholds |
| Key Rights | Access, rectification, erasure, portability, restrict processing | Know, delete, opt-out of sale/sharing, non-discrimination |
| Penalties | Up to 4% of global annual revenue or €20 million | $2,500 per unintentional violation; $7,500 per intentional violation |
| Cookie Consent | Required before setting non-essential cookies | Not explicitly required, but opt-out must be provided if cookies enable data sale/sharing |
| Private Right of Action | Limited — enforcement primarily through DPAs | Yes — consumers can sue for data breaches ($100–$750 per incident) |

The practical takeaway for analytics: under GDPR, you often need a consent banner before loading any tracking script. Under CCPA, you can load analytics by default — but you must disclose what you collect, honor opt-out requests, and provide a “Do Not Sell My Personal Information” link if your analytics vendor qualifies as selling or sharing data.

Key Distinction

GDPR is about consent before collection. CCPA is about transparency and the right to opt out. If your analytics tool doesn't collect personal information at all, both laws are largely satisfied without banners or opt-out mechanisms.

What the CCPA Requires for Website Analytics

The CCPA doesn't ban analytics. It doesn't even require consent before tracking. But it does impose three major obligations on businesses that use analytics tools collecting personal information:

1. Disclosure at Collection

You must inform California residents at or before the point of collection about the categories of personal information you collect and the purposes for which it will be used. For analytics, this means your privacy policy must clearly state:

  • What data your analytics tool collects (IP addresses, device info, browsing behavior, cookies, etc.)
  • Why you collect it (website improvement, performance monitoring, marketing optimization)
  • Whether you share it with third parties and who those parties are
  • How long you retain the data

2. Right to Opt Out of Sale and Sharing

If your analytics tool “sells” or “shares” personal information as defined by CCPA, you must provide a way for users to opt out. The definition of “sale” under CCPA is broad — it includes any exchange of personal information for monetary or other valuable consideration. If your analytics vendor uses visitor data to improve its own products, train advertising models, or cross-reference with other datasets, that may qualify as a sale.

Google Analytics is the most prominent example: Google uses data collected through GA to build audience profiles and improve its advertising products. Under CCPA, this constitutes sharing personal information with a third party for cross-context behavioral advertising.

3. Right to Deletion

California residents have the right to request deletion of their personal information. If your analytics tool stores identifiable visitor data, you need a process to:

  • Receive and verify deletion requests
  • Delete the relevant data from your own systems
  • Instruct your analytics vendor to delete it from theirs
  • Confirm deletion to the consumer within 45 days

This is where analytics tools that collect no personal information have a massive advantage: if there's nothing identifiable to delete, deletion requests don't apply. No processes to build, no requests to track, no risk of non-compliance.

The “Do Not Sell My Personal Information” Link

One of the most visible requirements of the CCPA is the mandatory “Do Not Sell or Share My Personal Information” link. If your business sells or shares personal information (including through analytics or advertising tools), this link must appear:

  • On your website's homepage, clearly and conspicuously
  • In your privacy policy
  • In a way that doesn't require the user to create an account to use it

The CPRA amendments extended this to include “sharing” — which covers cross-context behavioral advertising. If your analytics data flows into any advertising ecosystem (Google Ads, Meta Pixel, third-party retargeting), you almost certainly need this link.

When a user clicks this link and opts out, you must stop selling or sharing their personal information. For analytics, this typically means one of the following:

  • Disabling the analytics script entirely for that user
  • Switching to a configuration that prevents data from being shared with third parties
  • Using the Global Privacy Control (GPC) browser signal, which CCPA recognizes as a valid opt-out mechanism

The simpler alternative? Use an analytics tool that doesn't sell or share personal information in the first place. If there's nothing being sold or shared, you don't need the link at all.

Skip the Compliance Complexity

Copper Analytics never collects personal information, never uses cookies, and never sells or shares data. CCPA compliance is built in from day one.

Which Analytics Tools Are CCPA-Compliant?

Not all analytics tools handle CCPA compliance equally. The key question is whether a tool collects “personal information” as defined by the law and whether it sells or shares that data with third parties.

Google Analytics (GA4)

Google Analytics collects IP addresses (though GA4 claims to truncate them), client IDs via cookies, device and browser identifiers, and detailed browsing behavior. Google uses this data across its advertising network. Under CCPA, this constitutes sharing personal information for cross-context behavioral advertising. Using GA4 without additional configuration triggers the “Do Not Sell” link requirement, and you must implement consent mode or IP anonymization to handle opt-outs properly.

Plausible Analytics

Plausible is a privacy-first tool that uses no cookies, collects no personal identifiers, and stores no IP addresses. Since it doesn't collect personal information under CCPA's definition, it's compliant without any additional configuration. No “Do Not Sell” link is needed specifically for Plausible.

Fathom Analytics

Fathom takes a similar approach to Plausible: cookie-free, no personal data collection, and data is never sold or shared. Fathom explicitly states CCPA compliance in its documentation and processes data in a way that avoids triggering the law's obligations.

Matomo

Matomo can be CCPA-compliant, but it depends on configuration. Self-hosted Matomo with IP anonymization and cookie-free tracking enabled is compliant. The cloud version requires more careful setup. Unlike Plausible and Fathom, Matomo supports cookies by default, so you need to actively disable them for full compliance.

Copper Analytics

Copper Analytics is CCPA-compliant by design. It collects no personal information, uses no cookies, stores no IP addresses, and never sells or shares visitor data with anyone. Because no personal information is involved, the CCPA's disclosure, opt-out, and deletion requirements simply don't apply. You get full analytics — including AI crawler tracking and Core Web Vitals — without any compliance burden.

Pro Tip

The easiest path to CCPA compliance isn't building opt-out mechanisms — it's choosing an analytics tool that never collects personal information in the first place. If there's nothing to sell, share, or delete, the law's obligations largely don't apply to your analytics setup.

How to Make Your Analytics CCPA-Compliant

Whether you're using a privacy-first tool or a traditional analytics platform, here's a step-by-step checklist to ensure CCPA analytics compliance:

Step 1: Audit Your Current Analytics Setup

  • Identify every analytics and tracking script on your site (GA4, Meta Pixel, Hotjar, etc.)
  • Determine which scripts set cookies or collect personal identifiers
  • Review your analytics vendor's data processing agreements
  • Check whether any vendor shares data with third parties or uses it for advertising

Step 2: Update Your Privacy Policy

  • List every category of personal information you collect through analytics
  • Explain the business purpose for each category
  • Identify any third parties with whom you share the data
  • Describe how consumers can exercise their CCPA rights (access, deletion, opt-out)
  • Update the policy at least once every 12 months

Step 3: Implement Opt-Out Mechanisms

  • Add a “Do Not Sell or Share My Personal Information” link if applicable
  • Honor the Global Privacy Control (GPC) browser signal
  • Build a system to suppress analytics tracking for opted-out users
  • Don't require users to create an account to opt out
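
One way to wire up Step 3, shown as an added example rather than code from any vendor named in this article: the analytics script is loaded only when neither the GPC signal nor an opt-out cookie is present. The cookie name `ccpa_optout` and the script URL are assumptions; `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are how the Global Privacy Control signal is exposed.

```javascript
// Added example: OPT_OUT_COOKIE and ANALYTICS_SRC are assumed names, not from the article.
const OPT_OUT_COOKIE = "ccpa_optout"; // hypothetical cookie set by the opt-out link
const ANALYTICS_SRC = "https://analytics.example/script.js"; // placeholder URL

// Client side: GPC is exposed as navigator.globalPrivacyControl === true.
function hasGpcSignal(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Server side: the same signal arrives as the request header "Sec-GPC: 1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Parse document.cookie-style text and look for the exact opt-out marker.
function hasOptOutCookie(cookieText, name = OPT_OUT_COOKIE) {
  return (cookieText || "").split(";").some((pair) => {
    const eq = pair.indexOf("=");
    if (eq === -1) return false;
    return pair.slice(0, eq).trim() === name && pair.slice(eq + 1).trim() === "1";
  });
}

// Analytics loads only when neither opt-out signal is present.
function shouldLoadAnalytics(nav, cookieText) {
  return !hasGpcSignal(nav) && !hasOptOutCookie(cookieText);
}

// Set-Cookie value for the "Do Not Sell or Share" link: no account needed.
function optOutCookieHeader(maxAgeDays = 365) {
  return `${OPT_OUT_COOKIE}=1; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Browser entry point; skipped when there is no DOM (for example under Node).
if (typeof document !== "undefined") {
  if (shouldLoadAnalytics(navigator, document.cookie)) {
    const s = document.createElement("script");
    s.src = ANALYTICS_SRC;
    s.defer = true;
    document.head.appendChild(s);
  }
}
```

Because the check runs before the script element is created, an opted-out visitor's browser never contacts the analytics host at all.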

Step 4: Handle Deletion Requests

  • Create a process to receive, verify, and fulfill deletion requests within 45 days
  • Coordinate with your analytics vendor to delete data from their systems
  • Keep records of requests and responses for compliance documentation

Step 5: Or Simply Switch to a Privacy-First Tool

Steps 1 through 4 represent significant ongoing work. The alternative is to eliminate the problem at the source: switch to an analytics tool that doesn't collect personal information. With a tool like Copper Analytics, Plausible, or Fathom, your CCPA analytics obligations shrink dramatically because the data that triggers compliance requirements is never collected.

Copper Analytics: CCPA-Compliant by Design

Copper Analytics was built from the ground up with privacy regulations in mind. Rather than retrofitting compliance onto a data-hungry platform, we designed an analytics tool that simply never creates the compliance problem in the first place.

Here's what makes Copper Analytics different:

  • No personal information collected: No IP addresses stored, no device fingerprinting, no user IDs, no browsing profiles. The CCPA's definition of personal information doesn't apply to what we collect.
  • No cookies: Our tracking script works without cookies, so there's no cookie consent mechanism to manage and no cookie-based data to opt out of.
  • No data selling or sharing: We never sell, share, or exchange visitor data with third parties. Your data stays yours. Period.
  • No “Do Not Sell” link needed: Since we don't sell or share personal information, the CCPA's opt-out link requirement doesn't apply to Copper Analytics data.
  • No deletion requests to process: We don't store identifiable data, so there's nothing to delete. No 45-day response timelines to manage.
  • AI crawler tracking included: See which AI bots crawl your site and how often — privacy-compliant visibility that no other tool provides.
  • Core Web Vitals built in: Monitor LCP, CLS, INP, FCP, and TTFB without adding another vendor to your compliance audit.

To learn more about our privacy approach, visit our privacy features page.

Bottom Line

With Copper Analytics, CCPA compliance isn't a feature you configure — it's the default state. You install one script, get full analytics with AI crawler tracking and Web Vitals, and never worry about privacy regulations again.

Final Thoughts

The CCPA isn't going away, and its influence is growing. Other states — Virginia, Colorado, Connecticut, Utah, and more — have passed their own privacy laws modeled on similar principles. A federal privacy law remains under discussion. The direction is clear: businesses that collect personal information face an ever-expanding web of compliance obligations.

For website analytics specifically, you have two paths:

  • The compliance path: Keep using tools like Google Analytics, but invest in consent management platforms, opt-out mechanisms, deletion request workflows, and regular privacy policy updates. This works, but it's expensive and ongoing.
  • The privacy-first path: Switch to an analytics tool that never collects personal information. No consent banners, no opt-out links, no deletion requests. The compliance work disappears because the data that triggers it was never collected.

The best part? Privacy-first analytics tools have matured significantly. You no longer sacrifice meaningful insights by choosing privacy. Tools like Copper Analytics give you pageviews, referrers, geolocation, device data, AI crawler tracking, and Core Web Vitals — all without collecting a single piece of personal information.

For more on privacy-first analytics, read our guides on GDPR-compliant analytics, tracking traffic without cookies, and cookie consent banners.

Try Copper Analytics Free

Privacy-first analytics that's CCPA-compliant by design. No cookies. No personal data. No consent banners. Free tier available.
