A Comprehensive Guide to CCPA (California Consumer Privacy Act) & GDPR Compliance for Shopify Store Owners

As an eCommerce business owner, you’re required to take measures to ensure GDPR and CCPA compliance. In this guide, we’ll provide an outline of CCPA and GDPR compliance, how the regulations differ, and what you need to do to make your Shopify store compliant with both directives.

The General Data Protection Regulation (GDPR) is a regulation of the European Union (EU) that came into effect on May 25, 2018. GDPR replaces the 1995 EU Data Protection Directive. It strengthens EU data protection rules by giving individuals more control over their personal data and establishing new rights for individuals.

GDPR sets out strict rules for how organisations must handle individuals’ data. Organisations that process and store the data of EU citizens must comply with GDPR, regardless of where they are located. GDPR applies to any type of data, including personal data, contact information, and financial data.

Any entity that processes and stores the data of EU citizens must comply with GDPR unless they can demonstrate that they meet certain exceptional conditions. Under GDPR, cookie consent is essential, and websites must obtain explicit consent before using any cookies.

The California Consumer Privacy Act (CCPA) is a law that was passed by the state of California in 2018. The CCPA went into effect on January 1, 2020. The CCPA gives individuals the right to know what personal information is being collected about them, the right to have their personal information deleted, and the right to opt-out of the sale of their personal information.

CCPA requirements apply to any organisation that processes and stores the data of California residents. This includes organisations that are based outside California, as long as they process and store the data of California residents.

So, what is the difference between GDPR and CCPA? GDPR and CCPA differentiate in a number of important ways. Here is a GDPR CCPA comparison:

• GDPR applies to any organisation that processes and stores the data of customers based in the EU, regardless of where the organisation is located. CCPA only applies to organisations that process the data of people who legally reside in the state of California.
• GDPR requires organisations to get explicit consent from individuals before collecting, using or sharing their personal data. CCPA does not require organisations to get consent from individuals before collecting, using, or sharing their personal data but it does provide them with the option to “opt-out”.
• GDPR applies to the data of individuals, whereas CCPA also applies to “extra-personal data” such as information about your household.
• GDPR sets out restrictions on the transfer of data across borders whereas CCPA restricts the sale of personal or household data without consent.
• GDPR and CCPA both have different penalties and notice procedures for organisations that breach the respective laws.
• CCPA only applies to “for-profit” businesses, whereas GDPR has a much wider scope. Businesses, charity organisations, public bodies, and more, must all comply with GDPR laws regardless of their profit-making status.

If you are an eCommerce business owner, it’s important to be aware of both GDPR and CCPA and how they apply to your business. You may need to consult with GDPR experts to ensure that your Shopify store is fully GDPR compliant. To learn more, read our article on the topic – GDPR & Shopify — A Guide For Shopify Store Owners.

If you’re a Shopify merchant that handles the data of California residents, it’s important to understand the main CCPA requirements. Read on to learn about California Consumer Privacy Act compliance and what you need to do to make sure your Shopify store is operating in line with these regulations.

Which Type of Shopify Merchants are Affected?
CCPA only applies to businesses that process the data of California residents. However, the business must meet one or more of the following criteria for CCPA to apply:

• Your business has an annual gross revenue of more than $25 million.
• Your business is engaged in the commercial purchase or sale of over 50,000 California residents’ (or households’) personal data per year.
• Your business generates more than 50% of its annual revenue from the sale of California residents’ personal information.

How do You Determine Your Number of Californian Visitors?
To be a CCPA compliant Shopify store, you need to determine how many California residents visit your eCommerce site each year. As a Shopify merchant, you can easily determine how many of your annual visitors are based in California by following the simple steps below:

1. Log in to your Shopify admin and go to Analytics > Reports > Acquisition.
2. From here you can generate a report titled Sessions by location. This will allow you to see how many sessions (or visits to your store) came from each state.
3. Select the date range that you want to analyse.
4. Click manage filters and apply only to California.

If you’re not sure what your annual revenue is, you can easily get this information if you go to the Analytics tab in your admin dashboard and select the relevant date range.

What are the Penalties for Failure to Comply?
The CCPA sets out fines for businesses that fail to comply with the law. The penalties are as follows:

• $2,500 per violation (if the violation is not intentional)
• $7,500 per violation (if the violation is intentional)

In addition to these fines, businesses that suffer a data breach due to their failure to comply with CCPA could be subject to additional damages of up to $750 per Californian resident whose data was exposed in the breach.

CCPA data protection law stipulates that those businesses who are in breach must be given a 30-day notice period, during which they will have the opportunity to rectify the breach and avoid the fines.

There are several essential steps you should take to ensure you have a CCPA compliant Shopify store as shown below.

1. Include a link to your privacy policy on your store’s homepage.
2. Update your privacy policy to include a CCPA-specific section. It must include some essential information to comply with CCPA including:
   • The name of your business and your contact information.
   • The specific categories of personal information that your business collects and how it will be used.
   • The types of information that you share with third parties.
   • An outline of the rights of California residents under CCPA data privacy regulation.
   • Instructions for how customers can submit a data subject rights request.
   • Information about what data your business sells or a notice that your business does not sell any information.
3. Add a “Do Not Sell My Personal Information” link to your store’s footer. This link should refer them to a page where they can opt-out of the sale of their data. If a customer does choose to opt out, then you must ensure the following:
   • Immediately stop selling their information.
   • Make note of the date of the request and record the steps you took to verify the identity of the individual making the request.
   • Do not request that they opt-in again before 12 months have passed.
   • Provide them with the same service you would provide a customer that did not opt-out.
4. Provide a clear method for customers to contact you if they want to request that you delete their information or provide them with a copy of it. This can either be a toll-free number, email address, or a postal address.

CCPA data protection laws grant the right to data subjects to access their own personal data. Data requests under CCPA are known as “data access requests” or “subject access requests”. These should be handled carefully to ensure that your business is CCPA compliant.
There are two main types of CCPA data requests, and these are as follows:

• Complete access requests – This type of request entitles the individual to a copy of all the information that you have collected about them.
• Complete deletion requests – Also known as the “right to be forgotten”, this type of request entitles the individual to have all their information deleted from your systems.

Regardless of which request you receive, it’s crucial that you verify the identity of the person making the request before you take any action in accordance with CCPA data protection regulations. The best way to do this is by requesting a copy of their driver’s licence or passport and cross-referencing their personal information with the information you have on your system.

Once you have verified their identity, you must fulfil their request within one month. It’s important to note that there is some information the requester will not be entitled to view. This includes any correspondence regarding ongoing legal proceedings, as well as any information that would compromise the trade secrets of your business. If you’re struggling with Shopify CCPA compliance, then you may want to consult with CCPA experts at a California privacy protection agency to ensure that your store is following the correct procedures.

CCPA and GDPR compliance is a complex issue, but it’s one that all businesses need to take seriously. GDPR and CCPA are two of the most important data privacy regulations that Shopify store owners need to be aware of. While it may seem like a lot of work to make your store compliant with both GDPR and CCPA, it’s essential to protect your customers’ data and avoid any hefty fines. By following the steps outlined in this article, you’ll immediately be in a much better position to achieve GDPR and CCPA compliance for your Shopify store.