How CCPA affects you

The following sections describe how the CCPA might affect you and how you run your Shopify store:

Transparency requirements

You should have a privacy policy available on your website that provides the name of your business and your contact information. The CCPA also requires your privacy policy to include the following information:

  • The categories of personal information that are collected and the purposes for which they will be used.
  • The categories of personal information that you share for business purposes.
  • A description of California residents’ rights under the CCPA.
  • Methods by which customers can submit data subject rights requests.
  • A list of personal information or categories of personal information that the business sells or a notice that the business does not sell personal information.

Shopify has a privacy policy generator that will generate a template privacy policy for you. You can also access it from your Shopify admin by going to Settings > Legal > Privacy policy > Create from template.

Opt out of sale

If you sell the personal information of consumers, then as of January 1, 2020, California residents have the following rights:

  • request a list of the categories of their personal information that you sold;
  • request a list of the buyers of that personal information, by category of personal information, over the previous twelve months; and
  • opt out of the sale of their personal information going forward.

In order to allow consumers to opt out, you should have a link on every page of your online storefront labelled Do not sell my personal information. This link can lead to a page that describes the rights of California residents and how to contact you to request the opt-out. As described above, Shopify doesn't believe that you sell personal information to Shopify, so the sale and the opting out of sale takes place outside of Shopify. It should be easy for consumers to contact you to submit their requests.

If a customer opts out of the sale of their personal information, then you need to do the following:

  • Stop selling their information.
  • Keep track of the date of the request and the steps you took to verify the identity of the requester.
  • Wait 12 months before requesting that they opt in again.
  • Don't deny them service or provide them with an inferior product.

Individual rights

The CCPA gives California consumers the right to request that you delete their personal information, and to request that you give them a copy of their personal information. Shopify has built-in features to allow you to do this. For more information on this feature, see Processing CCPA data requests.

Make sure that your customers can contact you to make a request relating to their personal information. Under the CCPA, you might need to allow California residents to contact you by using a toll-free phone number, or by one of the following: mail, email, or other consumer-friendly methods of contacting a business (such as a retail location or an online portal that your business might have for customers). Make sure to include these contact methods in your privacy policy or on your website.

For more on how to create an opt-out link and action requests, download Shopify's CCPA whitepaper (in English).

Ready to start selling with Shopify?

Try it free