CCPA and Shopify: What it is and How it Affects my Store

  • October 9, 2019
  • by Alex O'Byrne & Piers Thorogood

The California Consumer Privacy Act (CCPA) comes in from 2020, raising the bar for US privacy protection. But what does this mean, and how might it affect your Shopify operations?

This post is for educational purposes only. It provides general information and a general understanding of the law, not specific legal advice. Our blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your country or state.

What is CCPA?

The California Consumer Privacy Act of 2018 aims to protect and provide privacy rights to consumers with regard to their personal data. Also called AB-375, it was passed on September 13th 2018 and becomes effective on January 1st 2020.

What consumer rights are under CCPA?

It’s the Californication of GDPR. Picture a more laid-back version of GDPR, where consumers have the right...

  1. To know all data stored about them, free of charge (for 2 lookups a year).
  2. To opt-out of the sale of information and not be discriminated against for doing so.
  3. To ask for posted data to be deleted.
  4. To a mandatory opt-in for the sale of children’s information (under 16 years old).
  5. To know the reason for collecting information.
  6. To know the category of third parties with whom data is shared.
  7. To know where data was acquired from.
  8. To sue a company (this is America after all) that collected stolen or breached data.

The Act covers “consumers” who are defined as a “natural person who is a California resident”. Note that the term ‘consumer’ is a bit confusing as the act covers all people, prospective customers, employees and so on, not just actual customers of yours. Unlike GDPR, the law is not ‘extraterritorial’, so it doesn’t cover California residents when they are out of state.

You can refer to the act in full here.

What counts as ‘personal information’?

The law says that “Personal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

As you’d imagine, there has been intense debate from various lobbies about this law, especially from digital advertisers. The late addition of the word “reasonably” is helpful because it means that some data that, strictly speaking, is identifiable may not be classed as such.

There are a lot of loose terms that will be up to the Attorney General of California to define in case law.

Personal information certainly includes:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. As above plus signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies (this is very relevant in e-commerce).
  5. Biometric information.
  6. Internet or other electronic network activity information such as browsing history, search history and information regarding a consumer’s interaction with an Internet web site, application or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory (yes - smell), or similar information.

It does not include information that is public i.e. lawfully available from federal, state, or local government records.

Does it affect all businesses?

It affects any for-profit entity “that does business in the State of California” that...

  1. Has an annual turnover of over $25 million.
  2. Buys, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

What’s the penalty?

Up to $7,500 for each violation. That means per customer, so it could add up if you have a lot of customers. You can also be sued by your customers if you disclose their data.

I’m an e-commerce business - how will it affect me?

E-commerce businesses collect a lot of private customer information, both during browsing and during purchase.

CCPA means developing new processes for customers to opt-out or even request the deletion of data. Even allowing customers to query what is stored about them could be a major operational challenge for many brands and retailers.

It also goes without saying that personal information should be secured and encrypted. Newer businesses will be using newer tech stacks that handle this for them. Older businesses may have painful technical changes to make to ensure they are treating customer data with the required care.

I use Shopify - what do I need to do?

Here’s a starting point:

  1. Full data inventory of what data you store and where.
  2. Eliminate redundant or obsolete data.
  3. Ensure opt-out and opt-ins are present for all customers as relevant.
  4. Define processes for the right to delete and data request reports.
  5. Create a shareable guide on how data is stored and why, especially when third parties are involved.
  6. Define and communicate the process for when breaches occur.

We recommend seeking legal advice that is specific to your business.

When does CCPA take effect?

It goes into effect on January 1, 2020.

The Attorney General will begin enforcing CCPA six months after it goes into effect.

That doesn’t leave long to get in line, but if you’re already sorted for GDPR there should be minimal changes involved.

We’ll update this post as new best practices emerge.



Alex O'Byrne

Alex is Co-founder at We Make Websites, the go-to Shopify agency for global commerce. We Make Websites design, develop and optimise e-commerce websites for the fastest growing brands on the planet, with teams in London and New York. Alex is an international speaker on ecommerce, brand and business growth.

Piers Thorogood

Piers is Co-founder at We Make Websites, the go-to Shopify agency for global commerce. We Make Websites design, develop and optimise e-commerce websites for the fastest growing brands on the planet, with teams in London and New York.
