Processing CCPA data requests

The CCPA expands on an individual's right to access and delete their personal data. This page includes:

  • How you can use Shopify’s platform to address data requests
  • What you may need to do independently from Shopify if you receive a data request

Complete access requests

Similar to the GDPR, the CCPA gives California residents the right to request a copy of their personal information. If a customer requests a copy of their personal information, then you should respond to them within 45 days. If that is not possible due to the complexity or number of requests, then you should inform the customer that another 45 days are necessary. If you decide not to fulfill the request, then within 45 days you should inform the customer why you will not action the request.

Steps:

  1. Verify that the identity of the requester matches the customer whose data is being requested.
  2. From your Shopify admin, go to Customers.
  3. Search for the name of the customer.
  4. Under Customer privacy, click Request customer data.

The identifiable personal information stored about that customer will be sent to the store owner's email address.

Your request is then sent to the third-party apps that you currently have installed on your store. The third-party app developers will independently contact you about this request.

You can then combine the information that you receive with any other information you might store about the customer and provide it to the customer. When providing this information, you should explain to the customer what categories and specific pieces of information you had collected.

In preparation for the CCPA, think about the following questions:

  • Are you able to provide all of the required personal information if a customer asks for it?
    Try to plan for a request in advance by maintaining a map of all of the personal information you (or the service providers you use, such as Shopify) store about your customers.
  • Have you considered other service providers that you might use who may have access to your customers’ personal information?
    These could include third-party apps, sales channels, and payment providers.
  • Do you have contact information for all of the third-party services you use that might store your customers’ personal information?

Complete deletion requests

The CCPA also allows California residents to request deletion of their personal information. If you receive a request, then within 45 days you must either action it or inform the customer why you will not action the request.

Steps:

  1. Verify that the identity of the requester matches the customer whose data is being deleted.
  2. From your Shopify admin, go to Customers.
  3. Search for the name of the customer.
  4. Click Erase personal data.

Your request is then sent to the third-party apps that you currently have installed on your store. The third-party app developers will independently action or contact you about this request.

Shopify processes your request after a 10-day buffer period, during which you can cancel the request. To cancel a pending deletion request, email us at privacy@shopify.com, and include your store information and the relevant customer ID.

When you request a deletion, Shopify redacts only identifying personal information (such as name and address). Your anonymized order information remains intact in case you need it for accounting purposes. After the relevant personal information is deleted, you receive a confirmation email.

By default, Shopify doesn't delete personal information if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for deletion is submitted in that time frame, then it will sit pending, and Shopify will action it after the appropriate time has passed. You do not need to submit another request. If you want to override this time delay, then email Shopify at privacy@shopify.com.

In preparing for the CCPA, think about the following questions:

  • Are you storing any customer information on your own personal computers or in hard copy?
  • Are there other third parties that you may need to contact to request they delete a customer's personal information?
  • Are there any local requirements, such as tax laws, that might require you to retain your customers’ personal information even if they request deletion?
    The CCPA doesn't require personal information to be deleted if it's needed to do one of the following:
    • complete a transaction or perform a contract
    • detect or protect against security incidents or illegal activity
    • debug or repair functionality of a service
    • exercise free speech, allow another to exercise free speech, or to exercise another right provided for by law
    • engage in peer-reviewed scientific, historical, or statistical research in the public interest if the subjects have provided informed consent
    • enable solely internal uses that are reasonably aligned with the expectations of the customer based on the customer’s relationship with the business
    • comply with a legal obligation.

For more information, download Shopify's CCPA whitepaper (in English).
