How to Make Your Shopify Store Compliant with CCPA


CCPA compliance on Shopify means businesses should be transparent about the user data they’re collecting, handle it according to the law, and protect it from unauthorized access. This means having a cookie banner, writing a privacy policy, ensuring security measures, and more.

Keep reading to learn step by step how to make your Shopify store compliant with CCPA. You’ll also find out what the CCPA and its CPRA expansion are and what the main requirements look like.


What is CCPA on Shopify?

California Consumer Privacy Act (CCPA) on Shopify means that business owners are responsible for the collected personal data of their users and need to adopt measures to handle it by following the regulation.

This includes providing users with the right to know what personal data is collected, the right to delete it, and the right to opt out of the collection or selling of their information.

While Shopify is designed to give your customers transparency with regard to their data, which you can learn more about in its Data Processing Addendum, it doesn’t guarantee CCPA compliance by itself. You still need to implement a cookie banner, write a privacy and cookie policy, and ensure data security.

CCPA is applicable to businesses whose site visitors or customers are citizens of California. Even if your business isn’t located in California, you may still get traffic from this state, meaning compliance is still needed.

Does CPRA replace CCPA?

CPRA was created as an extension of CCPA, meaning it expanded the compliance requirements when it came into effect in 2023. Some of the CPRA changes include:

  1. New business categories. Under CPRA, if two businesses in a partnership have at least 40% interest, they will be treated as separate entities and must comply with the regulation.
  2. Right to access. Users can request personal data that was collected over a year ago.
  3. Rights of minors. The CPRA doesn’t allow collecting or selling personal data of minors under 16 unless the business gets consent.
  4. Right to delete. Businesses have to provide information on how long user data is going to be collected, and users have the right to request modification or deletion.
  5. Sensitive user data. Personal information categories are expanded and include sensitive data, such as social security number, race, religious belief, sexual orientation, and more. That’s why businesses must now include a “Limit The Use of My Sensitive Personal Information” button.

Why is CCPA compliance important?

CCPA compliance is crucial for ensuring transparency to your website’s visitors and for preventing fines. Here are all the reasons why CCPA compliance matters:

  • Legal obligation. Under CCPA, users have the right to know what information is collected, delete personal information, or opt out of their data being shared or sold.
  • Prevent fines. The California Attorney General can give your business 30 days to ensure compliance, and if you don’t, your business can face charges up to $7,500.
  • User transparency. Personal data privacy is becoming increasingly important for users around the world, so having a CCPA-compliant store with a cookie consent banner enhances brand trust.
  • User data security. By complying with CCPA, you’re ensuring strong data security measures to prevent user data from getting leaked.

Main CCPA requirements for Shopify merchants

Understanding CCPA compliance is simple if you know the main requirements. So, here’s what you should keep in mind for your Shopify store:

  • Provide an option to withdraw consent. While you don’t have to ask for consent to use cookies under CCPA, you have to provide an option to opt out by using a cookie banner on your website.
  • Allow managing cookie preferences. Merchants must allow users to manage preferences and allow opting out of non-essential cookies.
  • Ensure data security. Under CCPA (amended by the CPRA), businesses that collect the personal data of users must adopt security measures to prevent illegal access, modification, or destruction. Data breaches can result in fines.
  • Provide cookie information. You must provide a list of cookies used on your website together with their purpose and expiration date.
  • Record and store user consent. Shopify merchants must record user consent only if they’re processing the personal data of children.
  • Give an option to delete data. While there are specific exceptions according to GDPR FAQ D.5, website owners have to delete personal data upon user request.

How to make Shopify compliant with CCPA?

Complying with CCPA means setting up a cookie banner and adding legal agreements, such as a privacy policy and cookie policy, to your website. It also requires you to secure the user data that you collect by adopting security tools. So, here’s how to do it all step by step:

Step 1: Set up a cookie banner

To comply with CCPA, you need to set up a cookie banner on your website that would inform users that you collect data and give them a chance to manage preferences or withdraw consent.

Most Shopify CCPA apps for cookie banners work similarly, so setting one up won’t be difficult. Here’s a step-by-step guide on how to do it:

  1. Head to the Shopify App Store, search for a cookie consent banner app, and install it. We recommend TinyCookie.
  2. Follow the setup wizard and embed the app through the Shopify theme editor. Click Save.
  3. Configure the banner to your preference by going to Shopify Admin > TinyCookie > Configure.
  4. Select the layout and placement you wish and click Save.
  5. You can also go to Content Settings and change the content of your banner or cookie preferences. For instance, you can change the reject button text to “Do not sell or share my personal information.”
  6. That’s it – your cookie banner is now live.

Step 2: Write a privacy policy

When writing a privacy policy that’s CCPA-compliant, you have to ensure it’s written in plain and simple language that anyone can understand. Plus, it has to be easily accessible – users have the right to know what they’re agreeing to.

Here are the main points you should include in a privacy policy:

  • Effective date. State the date when the policy becomes in effect – this is useful for legal reasons and transparency.
  • Definitions. Clearly state the definitions of the important terms used in the privacy policy to leave nothing to interpretation.
  • Contact information. You must include the contact details of the website owner, representative, or the organization.
  • Data collection reasons. Websites must specify the reason for data collection on a legal basis.
  • Collected personal information. A privacy policy should outline exactly what personal data is collected and how.
  • Data retention period. You should state how long you’re going to keep specific personal data.
  • Data sharing or selling to third parties. Shopify site owners must inform what data is being sold or shared and with what third parties.
  • User rights. A privacy policy should state what rights the user has, such as the right to know, delete, or opt out.
  • Policy updates. Privacy policies sometimes have updates, so you need to provide users with information on how you’re going to inform them about changes.

Step 3: Include a cookie policy

To comply with CCPA, you also must create a cookie policy. While some websites add it to a separate page, you can also include it as a section in the privacy policy.

Whichever approach you choose, you need to know how to write a cookie policy correctly. Here are a few main pointers to help you out:

  1. Definition of “cookie.” You must specify what exactly is a cookie to help users understand what the policy is about.
  2. Information about consent. The cookie policy must include an explanation of what the user is agreeing to when they click the consent button.
  3. List of cookies. Shopify merchants must provide a full list of cookies that are being used, their purpose as well as their expiration date.
  4. Consent withdrawal information. You must explicitly explain that users can withdraw consent at any moment and provide instructions on how to accomplish it.
  5. Effective date. If you’re writing a cookie policy separately from a privacy policy, you need to state when the cookie policy becomes in effect.

However, not everyone knows how to check what cookies their website is using. That’s where a cookie scanner tool comes into play. You can use a tool such as TinyCookie to scan your website and get a list of the cookies used.

All you have to do is go to the Cookie Scanner section in the app and click Scan. You can then keep or block whichever non-essential cookies you want.
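The list a cookie policy needs (cookie name, category, expiration date) can also be assembled directly from the Set-Cookie headers a scan collects. The following Python script is an added example, not code from TinyCookie or Shopify; the sample headers, the scan time and the essential/non-essential classification are constructed assumptions. It applies the RFC 6265 rule that Max-Age wins over Expires when both are present, and treats a cookie with neither as a session cookie.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie headers as a scan of a storefront's responses
# might collect them (names and values are illustrative, not real Shopify cookies).
SAMPLE_HEADERS = [
    "cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "secure_customer_sig=xyz; Path=/; Max-Age=31536000; Secure; HttpOnly",
    "_ga=GA1.2.1; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "_fbp=fb.1.1; Path=/; Max-Age=7776000; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]
# Assumed classification for this example: cookies not listed here are non-essential.
ESSENTIAL = {"cart", "secure_customer_sig"}
# Fixed (constructed) scan time so the computed expiration dates are reproducible.
SCAN_TIME = datetime(2023, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header, now):
    """Return (name, expiry); expiry is None for a session cookie.
    Per RFC 6265, Max-Age takes precedence over Expires when both appear."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                pass  # a malformed Max-Age is ignored, as browsers do
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value.strip())
            except (TypeError, ValueError):
                pass  # an unparseable Expires is ignored
    if max_age is not None:
        return name, now + timedelta(seconds=max_age)
    return name, expires


def cookie_inventory(headers=SAMPLE_HEADERS, now=SCAN_TIME):
    """Rows for the cookie policy's list: name, category and expiration date."""
    rows = []
    for h in headers:
        name, expiry = parse_set_cookie(h, now)
        expires = expiry.isoformat() if expiry else "session"
        rows.append({"name": name, "essential": name in ESSENTIAL, "expires": expires})
    return rows
```

The purpose column still has to be written by hand, since a header says nothing about why a cookie is set.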

Step 4: Ensure data security

According to CCPA, businesses must ensure that the collected user data is protected. If they fail to do this, it can result in a civil action to recover damages. Some of the cybersecurity measures you can adopt are:

  • Employee IDs. Give each employee a unique login instead of shared credentials, so that access to your systems is limited to your staff and every action can be traced to an individual account.
  • Firewall. Firewalls filter network traffic, helping you block attacks before they reach your systems.
  • Antivirus software. Investing in anti-malware tools for all employee devices, especially with real-time protection features, ensures that malware is detected before it can do any harm.

As a Shopify platform user, your website is automatically protected with some measures, which you can explore on the Shopify Security page.

Conclusion

CCPA requires businesses to ensure transparency for their users and include a privacy policy explaining all the information that is being collected and the cookies used. Shopify owners should also adopt a cookie banner to give an option for users to opt out of sharing or selling personal data.

The easiest tool to add a cookie banner is TinyCookie. It lets you configure content or layout and placement settings however you wish. As for the privacy policy, business owners must ensure it’s written in simple language and lists all the information collected as well as its purpose and retention period.

Frequently asked questions

Is Shopify automatically CCPA compliant?

Shopify adopts certain security measures to ensure transparency for your users, but it doesn’t automatically guarantee CCPA compliance. You need to set up a cookie banner to let users manage or opt out of data collection and add a privacy policy together with a section regarding cookies.

Who is protected under the CCPA?

Only California residents are protected under the CCPA. This refers to natural persons who reside in California, excluding corporations or business entities.

What does CCPA stand for?

CCPA stands for the California Consumer Privacy Act, which is a privacy regulation meant to protect the data and privacy of California residents.

What is a CCPA request?

A CCPA request refers to the user’s right to ask a business what information it has collected about them, their devices, and their children.

About the author
Nikoleta Kokleviciute
Nikoleta is a Marketing Manager at TinyCookie, an app for GDPR cookie consent for Shopify merchants. Nikoleta loves diving deep into digital marketing, eCommerce, social media trends, and creating content that benefits its readers!