Is Matomo Analytics CCPA compliant?
Matomo Analytics and Matomo Tag Manager ensure full compliance with the California Consumer Privacy Act (CCPA) and other privacy laws worldwide. Below you will learn more about the CCPA, whether it applies to your business, and how you can achieve CCPA compliance with Matomo Analytics.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a law which lets California consumers see all of the personal data a company has collected and saved about them. The law also lets people sue the companies that have violated their privacy.
It is intended to enhance privacy rights and consumer protection for residents of California, United States. The CCPA became effective on January 1, 2020.
California residents worldwide are now provided with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request that a business delete any personal information it has collected from them.
- Not be discriminated against for exercising their privacy rights.
When should I care about CCPA compliance?
Any company or business that collects personal data from California residents should comply with the CCPA if it also satisfies at least one of the following thresholds:
- Buys, receives, or sells the personal information of 50,000 or more consumers or households; or
- Has annual gross revenues in excess of $25 million; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
How do I check if my business collected personal information on more than 50,000 California residents?
If you’re already using Matomo Analytics, you can check whether you have collected more than 50,000 visitors from the California region. In Matomo, select the last year in the calendar, then go to Visitors > Locations and, in the "Region" report, search for "California". You will then see how many visits you got from California in the last year. If you got more than 50,000 visits, you very likely need to comply with the CCPA.
To be CCPA compliant with Matomo Analytics, you will need to follow these steps:
- Review and understand what data is being collected, and document internally all of the personal information tracked about your users (as part of the wider requirement to maintain records of data processing activities). Learn more about what data is being collected.
- Let California residents exercise their right to access or delete their personal data on request. Learn more about these existing Matomo features.
- Let users opt out of being tracked on your website from your privacy policy page. Learn more about adding an opt-out form to your website.
- Consider limiting the amount of information you collect in the first place by tracking users without using cookies. Learn more about enabling cookie-less tracking.
- Consider whether you want to avoid tracking any personal data at all.
- Update your privacy policy to explain how you track data with Matomo, how you use this data, and which companies or people you share it with. Learn more about updating your privacy policy for web analytics data collection and use.
- Organizations are required to "implement and maintain reasonable security procedures and practices" in protecting consumer data. Below we list the most important ones with regard to data collected in Matomo:
  - Set up an SSL certificate for all your websites and apps.
  - Set up an SSL certificate for your Matomo server.
  - Ensure that data in the Matomo interface and API is only accessible to authorized individuals.
  - Use the Activity Log to keep track of changes made to Matomo entities.
We recommend you work with your legal team to review your CCPA compliance.
If you have any questions or need help with your Matomo On-Premise setup, contact us; we’re always happy to help.
Source used: CCPA (Wikipedia)