Selling, sharing, and targeted advertising
Sale: Each of the United States (US) state privacy laws require, to the extent applicable, companies to provide clear and conspicuous notice of and allow consumers to opt out of the “sale” of their personal information. In some US states, "sale" is defined broadly to include any transfer or disclosure of personal information for either money or other valuable consideration.
Sharing: In California, the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) also require specific notice and the ability to opt out of the “sharing” of personal information, with “sharing” defined as the disclosure of personal information for “cross-context behavioral advertising” purposes. “Cross-context behavioral advertising," in turn, means “the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
Targeted Advertising: The other four US states permit consumers to opt out of a similar concept of “targeted advertising,” defined as displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. Targeted advertising typically does not include first party marketing or contextual advertising or showing ads to consumers based on their request for information or feedback.
You might also be engaged in “targeted advertising,” “sharing,” or “selling” outside of Shopify. It’s up to you to assess your legal obligations and make sure you provide consumers with any required notices and the ability to opt-out of those activities, as applicable.