Navigating the Legal Landscape: A Shopify Store’s Guide to GDPR and CCPA Compliance

Online stores handle sensitive data and personal information, making it your responsibility as a shop owner to protect your customers’ privacy and provide the necessary tools for them to manage their data.

Essentially, any information that can be considered personal data (such as names, addresses, financial accounts, and credit cards) must be treated with special care and be accessible to its owners. If someone requests the removal of their data, you must comply immediately.

GDPR and CCPA are regulations designed to protect people’s privacy, each applying to online users from different geographical regions. While they share several principles, they are not identical, necessitating a separate examination of each.

What is GDPR and how it affects online users

GDPR stands for General Data Protection Regulation and is a privacy and security law. As a regulation of the European Union (EU), it concerns people living in the EU, but it imposes obligations on organizations anywhere.

GDPR is a vast regulation that goes far beyond online business, but let’s stick to e-commerce. It aims to help online users who live in the EU protect their personal data and their privacy online.

But what can be considered personal data?
Personal data is any information relating to an identified or identifiable living natural person. For example, a person’s name, identification number and location are all personal data.
By contrast, a company is not a natural person and as a result it has no personal data.

GDPR has four main axes:

  • Lawful basis and transparency
    The data you gather on your online store must be properly defined and justified.
  • Data security
    All the information you access on your e-shop must be protected, encrypted, and anonymized/pseudonymized where possible. In the case of a data breach you must have a defined process for notifying the authorities.
  • Accountability & governance
    There must be a person in your organisation who is responsible for compliance with the regulation. If a third party has access to data, this must be clearly stated in an agreement signed by both parties.
  • Privacy rights
    It must be easy for your customers to request the information you have already gathered. Furthermore, it must be easy for them to access the data, ask you to stop processing it, delete it, or transfer it to another organisation.

And what happens if you don’t comply with the regulation? Well, there is a series of fines, and not all of them are equally severe. The less serious infringements could cost up to €10 million, or 2% of your company’s annual revenue, whichever amount is higher.
The more serious infringements could result in a fine of up to €10 million, or 2% of your company’s annual revenue, whichever amount is higher.

And what is CCPA and why you should care

CCPA stands for California Consumer Privacy Act and is a state law for residents of the state of California in the United States.

The CCPA applies to any business that meets at least one of the following criteria:

  • Has annual gross revenues in excess of $25 million;
  • Buys, receives, or sells the personal information of 100,000 or more consumers or households; or
  • Earns more than half of its annual revenue from selling consumers’ personal information.

Like GDPR, the CCPA has been developed to protect customer privacy. Businesses that collect personal data from their customers must comply with the law and establish policies to manage this data appropriately.

CCPA describes personal information as data that identifies, relates to, or could reasonably be linked with a person or their household. Examples are: name, social security number, email address, records of products purchased, internet browsing history, and fingerprints.

CCPA also uses the term “sensitive personal information”, which is a subset of the previous data set and includes, among others: account logins, financial accounts, debit or credit card numbers, passwords, emails and text messages, biometric data, sexual orientation, and religious beliefs.

Under CCPA, California residents have the right to:

  • Know
    Everyone must have access to the personal information a business has gathered about them. It must also be easy for them to find out how that information is used by all the businesses involved, including third parties.
  • Delete
    All collected data must be deletable if the owner asks for it.
  • Opt-out of sharing
    Everyone has the right to opt out of the sharing (including selling) of their data. Once someone opts out, all relevant businesses must immediately stop sharing their personal information.
  • Correct
    It goes without saying that anyone can ask for corrections to their personal data.
  • Limit use
    People can ask for limited use of their personal data. For example, they can deny any use of their sensitive personal information specifically.

Not complying with the law brings fines, which are divided into two categories: unintentional violations, which cost $2,500, and intentional ones, which cost $7,500.

GDPR vs. CCPA: the main differences

Although both laws aim to protect privacy, they have some key differences we need to look at:

  • As mentioned above, GDPR covers EU residents while CCPA covers people who live in California.
  • They impose different fines.
  • GDPR applies to all types of organizations, even non-profit ones. CCPA focuses on businesses.
  • GDPR has a proactive character: it asks for consent before collecting data. Under CCPA, personal data may be collected and people can ask later to have it removed.
  • GDPR is strictly about individuals. CCPA also covers data collected about several people (e.g. a family) at once.

If you sell online in the EU and California, you need to comply with both laws despite their shared aims and possible overlaps.

How to make your Shopify store comply with GDPR & CCPA

To comply with GDPR and CCPA, follow these essential steps.

Take stock of the data being collected

You must always be aware of the data collected on your Shopify store. Pay close attention to third-party services such as Google Analytics, because they affect privacy.
We suggest you make a list of all services gathering personal information and note the types/categories of information collected. This makes adjusting your settings accordingly a much easier task.

Have a Privacy Policy page

This page must have a unique URL, and the link to it typically sits in the footer of your website. The Privacy Policy page should include, among other things:

  • Types of personal data collected and methods of storage and access
  • How you are going to use all the sensitive information you collect
  • Whether third-party services can access personal data and how they do it
  • The rights of each individual visitor of your Shopify store according to GDPR and CCPA
  • What happens in a case of a data breach

Use a mechanism that permits customers to access their data

Most of these mechanisms come as plugins/add-ons and are triggered the moment a website visitor enters the store. In practice they are customizable banners. Each banner offers several privacy options; for example, a website visitor may or may not permit the web analytics software to track their visit.
While such banners often annoy visitors, they remain indispensable because they let people control the level of privacy they allow. One of the most dependable, and at the same time useful and simple, is Pandectes GDPR Compliance. It has phenomenal reviews and it can handle all the different aspects of online privacy.

Be ready to delete personal data upon request

First of all, have a “Do not sell my data” link visible on all pages, where users can opt out of the sale of their personal information.

If a website visitor (or even a customer) requests the deletion of their personal data, you must be able to comply. This applies not only to the store itself but also to all the third-party mechanisms connected to the store, e.g. a mailing list or a CRM.
The same applies to a request to correct the data you hold about a person.
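As an added illustration (not code from the original article or from Shopify), the Python sketch below shows why a deletion or correction request has to be fanned out to the store and every third-party processor, and why the request must stay open until each of them confirms; the processor names and sample records are hypothetical and constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Processor:
    """A system holding personal data: the store or a third party such as a
    mailing list or CRM (hypothetical names, constructed sample records)."""
    name: str
    records: dict = field(default_factory=dict)  # email -> personal data
    available: bool = True                        # False simulates an outage

    def delete(self, email: str) -> bool:
        if not self.available:
            raise RuntimeError(f"{self.name} unreachable")
        self.records.pop(email, None)  # idempotent: already absent is fine
        return email not in self.records

    def correct(self, email: str, changes: dict) -> bool:
        if not self.available:
            raise RuntimeError(f"{self.name} unreachable")
        if email in self.records:
            self.records[email].update(changes)
        return True


def handle_request(kind: str, email: str, processors: list, changes=None) -> dict:
    """Fan a deletion or correction request out to every processor. The request
    is complete only when all confirmed; failures are recorded so it stays open."""
    results = {}
    for p in processors:
        try:
            if kind == "delete":
                results[p.name] = p.delete(email)
            else:  # "correct"
                results[p.name] = p.correct(email, changes or {})
        except RuntimeError:
            results[p.name] = False  # e.g. the CRM was unreachable: retry later
    return {"complete": all(results.values()), "results": results}


def still_holding(email: str, processors: list) -> list:
    """Processors that still hold a record for this person after the request."""
    return [p.name for p in processors if email in p.records]


def demo() -> dict:
    subject = "ada@example.com"  # constructed sample data subject
    store = Processor("shopify-store", {subject: {"name": "Ada"}})
    mailing = Processor("mailing-list", {subject: {"name": "Ada"}})
    crm = Processor("crm", {subject: {"name": "Ada"}}, available=False)
    outcome = handle_request("delete", subject, [store, mailing, crm])
    outcome["remaining"] = still_holding(subject, [store, mailing, crm])
    return outcome
```

In the demo the CRM is down, so the store and mailing list are cleaned but the request is reported as incomplete with the CRM still holding data, which is exactly the case a store owner must track and retry rather than close.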

Summing up

Both GDPR and CCPA are designed to enhance online privacy. While they might add some complexity, they are crucial in a world where privacy isn’t always prioritized.

Before launching your Shopify store, it’s essential to comply with both regulations. Begin by understanding their purposes, then take a series of small steps to safeguard your store and your visitors. By the end of the process, you’ll feel more secure and confident, making the effort well worth it. For a detailed guide, check out our Shopify store launch checklist.
