Configure Matomo Analytics for CCPA compliance

Matomo Analytics and Matomo Tag Manager can be configured to ensure full compliance to the California Consumer Privacy Act (CCPA) and other privacy laws worldwide. Below you will learn more about CCPA, whether it applies to your business, and how to use Matomo Analytics in a CCPA-compliant way.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a law that lets California consumers see all of the personal data a company has collected and saved about them. The law also lets people sue the companies that have violated their privacy.

It is intended to enhance privacy rights and consumer protection for residents of California, United States. The CCPA became effective on 1 January 2020, and was subsequently amended, including by the CPRA, effective 1 January 2023.

Key consumer rights under CCPA and CPRA

• The right to know what personal information businesses collect, how it is used, and with whom it is shared.
• The right to delete personal information collected from them (with some exceptions).
• The right to opt out of the sale or sharing of their personal information.
• The right to non-discrimination for exercising their privacy rights.
• The right to correct inaccurate personal information.
• The right to limit the use and disclosure of sensitive personal information.

Businesses subject to the law must comply with these requirements, including responding to consumer requests and providing privacy notices.

When should I care about CCPA compliance?

CCPA/CPRA applies to for-profit businesses that:

1. Collect consumers’ personal information (or have it collected on their behalf);
2. Determine the purposes and means of processing that personal information (i.e., act as controllers or joint controllers);
3. Do business in California; and
4. Satisfy at least one of the following thresholds:
   • Annually buy, sell or share the personal information of 100,000 California consumers or households; or
   • Has annual gross revenues in excess of $25 million; or
   • Earns more than half of its annual revenue from selling California residents’ personal information.

How do I check if my business collected personal information on more than 100,000 California residents?

If you’re already using Matomo Analytics, you can check whether you have collected more than 100,000 visitors from the California region.

In Matomo, select the last year in the calendar, and go to Visitors > Locations. Under the Region report, search for “California”. You can then see how many visits you got from California in the last year. If you got more than 1000,000 visits, you will likely need to comply with CCPA.

Steps for CCPA compliance

• Review and understand what data is being collected, and document internally all of the personal information tracked about your users (as part of the wider requirement to maintain records of data processing activities). Learn more about what data is being collected.

• Specifically, you must understand if you are selling or sharing personal information of California residents’ personal information.

  • Selling refers to disclosure, transfer, or making available of a consumer’s personal information by a business to another business or third party for monetary or other valuable consideration (e.g., selling customer lists to advertisers, or sharing lists with data brokers).
  • Sharing refers to disclosing, making available, or providing a consumer’s personal information to a third party for cross-context behavioral advertising, whether or not money is exchanged (e.g. retargeting, personalized ads, or behavioral tracking).

• Businesses engaging in selling or sharing must:

  • Provide a “Do Not Sell or Share My Personal Information” link in their privacy policy.
  • Offer an opt-out under the “Do Not Sell or Share My Personal Information” requirement.

• The CCPA sets out the following requirements for the CCPA-specific Opt-Out. If you are a business that sells or shares personal information, you must implement an Opt-Out that meets the following criteria:

  • There must be a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows the California resident to submit an opt-out request.
  • There must be no requirement to create an account in order to submit the opt-out request.
  • Maximum response time for opt-out is 15 business days.
  • There are limits on how businesses can identify which personal information is associated with you.
  • Businesses must respect global opt-out requests via user-enabled global privacy control, like the GPC.
  • Businesses cannot sell or share personal information after they receive the opt-out request unless the customer later provides authorisation allowing them to do so again.
  • Businesses must wait at least 12 months before asking data subject to opt back into the sale or sharing of their personal information.
  • There are some exceptions to the right of opt-out (e.g., legal obligations, legal claims or rights, or publicly available information exempt form CCPA).

• Matomo has an opt-out feature which, if implemented on your website’s privacy policy, lets users opt-out from being tracked on your website. You can learn more about adding the Matomo opt-out form in your website here.
  ⚠️ Important note: Remember that this a Matomo Analytics specific opt-out that has effect only in relation to website analytics data that you collect using Matomo. Opting out of Matomo Analytics does not change how you are processing data internally or using other processors.

• Let California residents exercise the right to access their personal data or delete their data upon their request. Learn more about these existing Matomo features. CCPA specifically grants data subjects the following rights:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale or sharing of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.
  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.
• Let users opt-out from being tracked on your website in your privacy policy page. Learn more about adding an opt-out form in your website.
• Consider limiting the amount of information you collect in the first place by tracking users without using cookies. Learn more about enabling cookie-less tracking.
• Consider whether you would want to avoid tracking any personal data.
• Update your privacy policy to explain how you track data with Matomo, how do you use this data, and list the companies or people you share it with. Learn more about updating your privacy policy for web analytics data collection and use.
• Organisations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data. Below we list the most important ones with regards to data collected in Matomo.
• Setup SSL certificate for all your websites and apps.
• Setup SSL certificate for your Matomo server.
• Ensure that data in Matomo interface and API is only accessible to authorised individuals.
• Use Activity Log to keep track of changes made to Matomo entities.

If you have any questions or need help with your Matomo On-Premise setup, contact support – we are always happy to help.

Source: California Consumer Privacy Act (CCPA) | State of California – Department of Justice

Disclaimer: The information provided above is for general informational purposes only and should not be considered legal advice. Please consult your legal team for specific advice and guidance tailored to your needs. If you are interested in our Matomo Cloud, learn more by reading our Matomo Cloud Data Processing Agreement (DPA).