Every Shopify business uses consumer data, whether it’s to improve the customer experience or to let them know about special offers.
Privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are designed to give individuals more control over their data. GDPR applies to any organization that processes and stores EU citizens’ data, whereas CCPA is a California data privacy law and therefore applies specifically to California residents.
Even though the CCPA only covers Californians, it affects Shopify merchants across the US. According to the rule, if your Shopify business has over $25 million in annual revenue, buys/sells/receives personal information of 50,000 or more California residents, households, or devices, or derives 50% or more of its annual income from selling such information, CCPA applies to you.
How the CCPA Affects the Cookie Consent Policy
Cookies are small text files that a website saves on a user’s hard drive to record information about their website visit, such as their preferences and how they use the site. This helps businesses optimize their shopping experience.
Because cookies are “unique identifiers” used to recognize a customer or their device, the information they collate falls under the definition of “personally identifiable information” as defined under the CCPA.
The CCPA imposes several measures for businesses and how they process personal data. Shopify websites use cookies and tracking scripts to capture IP address information, considered personal data under the act. To be CCPA compliant, businesses must first understand their responsibilities as data controllers for managing cookie consent.
CCPA Cookie Requirements
According to the Office of the California Attorney General (“OAG”), the act does not require a cookie banner. It leaves it up to businesses to decide how to deliver a consent notice that conforms with Section 999.305, which stipulates that the notification must be freely accessible to consumers before data collection. In contrast, GDPR has its own eCommerce cookie consent banner requirements.
The CCPA also doesn’t require opt-in consent for cookies but requires that you clearly disclose what information is being collected by cookies and what is being done with the information. It also requires that you provide users with the option to opt out of the sale of their data. Every page of your online business should also have a link labeled “Do not sell my personal information”, leading to a page that explains Californians’ rights and how to opt out.
The good thing about Shopify is that it proactively minimizes data collection by relegating non-essential cookies to session cookies typically deleted when visitors close their browser. Only when a consumer consents to data collection will non-essential cookies become persistent and not be erased.
What to Include in a CCPA-Compliant Cookie Disclosure
Because the CCPA does not require a cookie banner, it sets no specific requirements for one. Even so, a cookie banner gives visitors easy access to their cookie consent preferences, which aids CCPA compliance. It can also carry the “Do not sell my personal information” link.
A cookie banner can include information about the usage of cookies and cookie consent management in compliance with the CCPA, such as:
- A clear and up-to-date cookie policy for eCommerce websites
- Information on the name, purpose, and expiration date of each cookie
- Disclosure of how the company collects, stores, protects, and manages personal information obtained through cookies
- Opt-out consent management provisions for unnecessary cookies
- Offering users access to their cookie preferences
Best CCPA Compliance Apps for Shopify
The following Shopify applications can help you manage cookie consent and ensure your website complies with GDPR and CCPA, saving you time and effort:
AVADA Cookie Bar and Banner GDPR
This app simplifies compliance, and the banner is not distracting. It hides automatically once users give their permission. Its custom CSS functionality allows you to customize all elements in the pop-up to suit your theme.
Protect Your Customers’ Data and Avoid Penalties
Shopify businesses need to protect their customers’ data, because failing to do so can have serious consequences. Non-compliance can cost from $2,500 for unintentional violations to $7,500 for intentional ones. If you have any concerns about the CCPA, it’s best to consult with a privacy law expert.