Every Shopify business uses consumer data, whether it’s to improve the customer experience or to let customers know about special offers.

Privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), are designed to give individuals more control over their data. GDPR applies to any organization that processes and stores EU citizens’ data, whereas the CCPA is a California data privacy law and therefore applies specifically to California residents.

Even though the CCPA only covers Californians, it affects Shopify merchants across the US. According to the rule, if your Shopify business has over $25 million in annual revenue, buys/sells/receives personal information of 50,000 or more California residents, households, or devices, or derives 50% or more of its annual income from selling such information, CCPA applies to you.

Cookies are small text files that a website saves on a user’s hard drive to record information about their website visit, such as their preferences and how they use the site. This helps businesses optimize their shopping experience.

Because cookies are “unique identifiers” used to recognize a customer or their device, the information they collate falls under the definition of “personally identifiable information” as defined under the CCPA.

The CCPA imposes several measures for businesses and how they process personal data. Shopify websites use cookies and tracking scripts to capture IP address information, considered personal data under the act. To be CCPA compliant, businesses must first understand their responsibilities as data controllers for managing cookie consent.

According to the Office of the California Attorney General (“OAG”), the act does not require a cookie banner. It leaves it up to businesses to decide how to deliver a consent notice that conforms with Section 999.305, which stipulates that the notification must be freely accessible to consumers before data collection. In contrast, GDPR has its own eCommerce cookie consent banner requirements.

The CCPA also doesn’t require opt-in consent for cookies, but it does require that you clearly disclose what information is being collected by cookies and what is being done with it. It also requires that you give users the option to opt out of the sale of their data. Every page of your online business should also have a link labeled “Do not sell my personal information”, leading to a page that explains Californians’ rights and how to opt out.

The good thing about Shopify is that it proactively minimizes data collection by relegating non-essential cookies to session cookies, which are typically deleted when visitors close their browser. Non-essential cookies become persistent, and are no longer erased, only when a consumer consents to data collection.

Because the CCPA does not require a cookie banner, it sets no specific requirements for one. Using a banner nevertheless gives visitors easy access to their cookie consent preferences, which aids CCPA compliance. It can also include the “Do not sell my personal information” requirement.

A cookie banner can include information about the usage of cookies and cookie consent management in compliance with the CCPA, such as:

• Information on the name, purpose, and expiration date of each cookie
• Disclosure of how the company collects, stores, protects, and manages personal information obtained through cookies
• Opt-out consent management provisions for unnecessary cookies
• Offering users access to their cookie preferences

Best CCPA Compliance Apps for Shopify

The following Shopify applications can help you manage cookie consent and ensure your website complies with GDPR and CCPA, saving you time and effort:

AVADA Cookie Bar and Banner GDPR

This app simplifies compliance, and the banner is not distracting. It hides automatically once users give their permission. Its custom CSS functionality allows you to customize all elements in the pop-up to suit your theme.

Protect Your Customers’ Data and Avoid Penalties

Shopify businesses need to protect their customers’ data, as failing to do so could lead to serious implications. Non-compliance can cost between $2,500 for unintentional violations and $7,500 for intentional ones. If you have any concerns about the CCPA, it’s best to consult with a privacy law expert.


About the Author: Janet Low

Janet Low, based in Delray Beach, Florida, is a dynamic marketing leader with expertise spanning the USA and Asia Pacific. Renowned for driving brand growth and championing responsible marketing, Janet is dedicated to mentoring professionals and shaping modern marketing landscapes.
