On February 4th, Google Analytics removed two standard dimensions from reporting – Service Provider and Network Domain – and replaced them with the dreaded (not set) label. Although there’s been cries of anguish from some analytics companies, my view is that Google has sound reasons to remove the dimensions – and there are ways around many of the limitations. Shortly after Google added the above alert to the hover tip within the Google Analytics interface, data in reports stopped reporting the information. Moving forward (and unless Google reverses course on this decision in the coming days), you’re going to start seeing (not set) under the Service Provider and Network Domain dimensions: What are Service Provider and Network Domain? Every time a visitor is tracked on your website, Google captures the IP address in order to geolocate the user (generating Country, State and City dimensions). It also does a reverse DNS lookup to see which networks this IP address is linked with. Service Provider is either the ISP (for a consumer) or the corporate network (for a business internet user). Network Domain is the main domain by which the traffic was routed (e.g. Verizon, Amazon AWS etc.) So why did Google drop them? There’s been no official announcement from Google, but it’s likely to be a combination of three factors. CCPA Storing of any California consumer’s network details is a violation of the California Consumer Protection Act (CCPA). This is much more specific than previous regulations, and as a California-headquarted company, Google wants to stay safely within the law. [tip]Here's everything Shopify merchants need to know about CCPA compliance[/tip] Fingerprinting Even if the Service Provider itself is not identifiable to any individual, it may well be used to generate a unique fingerprint for an individual user, in combination with other dimensions in Google Analytics (browser version, operating system, screen size, pages visited, etc.). Fingerprinting is user identification by covert means, and as such Google also wants to clamp down on in. Lack of usage In ten years of advising high-growth businesses on Google Analytics setup, I've never seen a good use for these reports. Google tracks what are the most common reports used, and apparently they were already flagged for deprecation based on lack of usage.  How the change affects your Shopify tracking Some analytics companies (and agencies) are worried about this change for a few reasons : Reason 1: Service Provider and Network Domain dimensions helped filter out spam and bot traffic, which meant less legwork for those doing the reporting. It was easier to sniff out bounce rates that looked too high (or low) to be "real". Take the screenshot below — which Service Provider do you think is probably legitimate and which one is probably a bot/spam? In short, most analytics companies would say before this change, it was easy to uncover bots/spam, and now it's not. Reason 2: Some larger stores used Server Provider and Network Domain dimensions as a quick & easy way to filter out internal traffic from monthly reports. And unfortunately, this change has killed these dimensions' ability to filter. Reason 3: Companies such as Leadfeeder and Leadberry used the Network Domain, plus a database of which companies and people used that domain, to offer a list of sales leads who visited your site. They can mostly work around the limitations by getting their clients to push another tracking script on the site, and looking up IP address themselves — which is OK, providing your website visitors are aware you are doing this in your terms and conditions. In other words, if you're filtering your GA views by network provider, it's possible you'll see internal traffic in your reporting this month. And it might not be obvious, since it's mixed in with all of your site traffic. That is, unless you look at the GA data with better tracking. How can you work around this? For those that really need the lost dimensions there are two solutions: Use Google Tag Manager and an IP lookup service to pass network onto Google Analytics as a custom dimension. Use the recently launched ipmeta.io service to do this.* What now? For some stores using Google Analytics, this sudden change will go unnoticed and won't really impact reporting. For stores that rely on these dimensions to filter out bots/spam and internal traffic for more accurate reporting, the loss of these dimensions will have somewhat of a negative impact. Of course, we'll continue to monitor these changes (and any other surprises that Google may have in store). Don't pay too much attention to the initial outcry — every change has a solution. Littledata users can rest easy — with our Google Analytics app for Shopify, your tracking won't be impacted by these dimensions. You'll continue to see accurate data for better reporting. ?   *The current version of ipmeta.io is free and will remain free. The premium version will add more custom dimensions with data on the company behind the visit (if its not an ISP or spider). For example, adding dimensions such as industry codes, company size, revenue, etc. In comparison to similar services, ipmeta.io will be much (about 10x) more affordable to cater to the SMB segment.

The California Consumer Privacy Act (CCPA) is now in effect, and every serious ecommerce site doing business in the USA should take note. So what do you need to know? The CCPA comes on the heels of a year rocked by privacy scandals and data inhibitions (e.g. Facebook and now Google), and California is the first US state to enact a complex online privacy act that appears to be up-to-date with how businesses actually transact online these days. Other states are expected to follow suit. In the words of the California Department of Justice itself: The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes.  We certainly aren't lawyers here at Littledata. But we do help Shopify sites audit their analytics and ensure that no personally identifiable information (PII) is collected by Shopify stores in their Google Analytics setups, including Google Tag Manager (GTM). So while we don't have specific features aimed at CCPA compliance, we do have a number of features designed to help Shopify merchants follow best practices for data collection and reporting. Here's a quick guide to what you need to know about CCPA.   My first dine-in restaurant CCPA notice. Not sure how I feel about it. pic.twitter.com/vU6ZiTCF8o — Jad Boutros (@secplusplus) January 4, 2020 What is CCPA compliance? In short, the CCPA is an attempt at limiting what can be done with consumer data, and making sure that companies don't use it without consumer knowledge. The media has often described the CCPA as California's version of GDPR, the European regulations that went into effect in 2018 (has it been that long already?), but in my view it's actually quite a bit different — both more comprehensive in terms of targeting what's actually done with consumer data after it's been harvested, and more specifically aimed at larger merchants, which in Shopify's case generally means successful DTC brands and others using Shopify Plus. It's clear that the act was written in a state known for both technical innovation and political hardball, though how it will be enforced is an open question. Initially it looks like civil penalties will be limited to $2,500 USD per 'violation' or $7,500 USD per each 'intentional violation'. The act has continued to go through a number of revisions and clarifications, including a number of new modifications posted for review on February 10th 2020. Some of the most interesting, in my view, are attempts at trying to define a 'household' that uses a website. The recent revisions suggest changing this: “Household” means a person or group of people occupying a singledwelling To this: "Household” means a person or group of people who: (1) reside at the same address,(2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier. It makes sense that they're trying to clarify the end users here. But I wonder: are we going to get to a place where devices are 'people' under the law, corporations are 'people' under the law, and people are...ones and zeros? But I digress. You can read the complete law text of the CCPA online, and the California DoJ has also posted a legal overview with all versions of the law. But I've also included links to useful summaries below — the written law itself is pretty confusing if you aren't a lawyer! Who needs to comply? In short, if you're a larger ecommerce site with customers in California, you need to pay special attention to the CCPA. You are subject to the CCPA if you meet one of these conditions: Have an annual gross revenue of more than $25 million USD Annually buy, sell, receive for commercial purposes, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices Derive 50% or more of your annual revenue from selling California consumers’ personal information (yikes!) And if you're selling globally, as are an increasing number of our larger customers here at Littledata, remember that you need to pay attention to privacy laws everywhere you do business. So if you have customers in the EU, remember to pay attention to GDPR for ecommerce sites too. CCPA for Shopify Plus Shopify has put together a number of resources to explain how Shopify complies with the CCPA, including a timeline and white paper. Here are some of the most useful links from Shopify itself: CCPA timeline CCPA thresholds Shopify’s position on sale of personal information How CCPA affects you Processing CCPA data requests And Segment too!   A number of Littledata's enterprise users are also using our Segment connection for more accurate Shopify data.   Check out Segment's quick guide to CCPA compliance, including an outline of their privacy portal and an API for user deletion and suppression (to make sure that you honor customer requests about privacy). Again, it's unclear whom they'll be targeting. California is now the world's fifth largest economy, surpassing even the UK, but nobody's sure if the state will be using CCPA to clamp down on successful DTC brands, for example, or if it will be taking a strategic line against larger fish like Facebook and Google (i.e. what happened in 2018 when seven consumer groups filed GDPR complaints against Google in Europe). Confused? You're not alone. The increasing number of cookie popups and disclosures seems to only be confusing consumers, and nobody — including the businesses putting them in place — is interpreting them in a consistent manner. Part of this is being called a 'plague of popups' and (a la GDPR) 'banner blindness'. But even if you aren't doing $20M a year yet, it's worth a read through the law so you can refer to it with your internal team.  Just like how Littledata doesn't fix historic data for your Shopify store — only your data collection going forward — it's essential to be forward-thinking about potential privacy regulations that might be enacted in the future, taking steps today to ensure smooth sailing later on. Google Analytics consultants are a good place to start. Plus, sometimes it just comes down to common sense. When you're the consumer, how do you want your data handled?