
How to Make Your Shopify Store Compliant With CCPA [2023 Update]

Osman Husain 8/23/23 3:30 PM


This article will walk you through steps to make your Shopify store compliant with the California Consumer Privacy Act (CCPA). 

Don't fear this law. The CCPA is only designed to build trust between companies and Californians by giving consumers more power over their personal data.

Taking advantage of opportunities and complying with laws start with easy steps. Let’s now dive into how you can abide by CCPA in three easy steps.


1. Add a Privacy Policy to Comply With The Right to Know

The CCPA grants consumers the right to know what personal information a business collects about them and how it is used and shared. Hence, any Shopify store wishing to be compliant with CCPA must start by building a privacy policy.

And the fact is that Shopify stores collect plenty of information on their customers. These include names, email addresses, shipping addresses, demographic information, and more. The right to know is an integral step in CCPA compliance and stems from a principle of transparency. 


enzuzo privacy policy page


In other words, transparency is the foundation of all other rights, such as the right to deletion under the CCPA, and it is a prerequisite to giving consumers control over their data.

This is why CCPA requires that you, as a Shopify owner, provide a Privacy Policy on your website to inform your customers.



What to include in your Privacy Policy for CCPA Compliance

From your visitors’ first visit to your Shopify store to the checkout and payment page, Shopify store owners collect vast amounts of personal information such as visitors’ IP address, unique device identifiers, geolocation data, and credit card details.

This personal information is used for different purposes such as to complete a sale, to ship products, to share it with third parties to prevent fraud or sell it to advertisers. 

Without being fully informed about what personal information is collected and how it is used, your customers cannot exercise control over their personal information.

Therefore, informing your customers about each category of personal data you collect, how you are going to use the data, and who you are going to share it with is important to achieve transparency and help your customers exercise their CCPA rights.

Here is a list of information you must include in your CCPA Privacy Policy for compliance: 


Categories of personal information you collect: 

While the CCPA refers to 11 categories of personal information, including ‘identifiers’ (IDs), ‘geolocation data’, ‘protected class information’ (gender, race, etc.), network activity, and biometric information, it is up to you to be more descriptive about the specific pieces of data you collect to achieve full transparency.

Depending on the level of sensitivity of the data you collect, you may choose to be more specific on what snippets of data you collect to achieve transparency. Instead of merely stating that you collect data on the internet and network activity, for instance, you can describe in more detail that you collect device identifiers of visitors of your Shopify store. 

Keep in mind that there is still no clarity on what those ‘categories’ might be so the CCPA provides a certain degree of flexibility in that regard. 


Purposes for which you will use each category of personal information:

Unlike the GDPR, you do not have to determine a legal basis to justify the collection and use of personal information under the CCPA. However, you must provide detailed information about the business purposes for which you are collecting and using each category of personal information.

For example, you will have to ask for customers’ mailing addresses in order to fulfill orders, so you can state in your Privacy Policy that the information on the personal address will be used for order fulfillment purposes.


Categories of third parties that you will share personal information with:

To comply with CCPA, it is sufficient for you to refer to the types of third parties you will share personal information with; you do not have to disclose the names of third parties.

For example, suppose you will share financial information with payment processor vendors or fulfillment centers. In that case, it is enough to explain in your Privacy Policy that you will share financial information with ‘Payment Processors’. You do not have to share the name and contact information of specific processors such as PayPal, Visa or MasterCard.


Description of California consumers’ rights under the CCPA and description of methods by which they can exercise their rights:

Your privacy policy must describe the rights Californian consumers can exercise under the CCPA. These rights include:

  • The right to notice
  • The right to deletion
  • The right to know
  • The right to opt-in (for minors)
  • The right to opt-out
  • The right to non-discrimination

Rights provided to consumers are meaningful to the extent that they can freely and easily exercise them. To comply with the CCPA, you need to specify two different methods for consumers to exercise their right to know and the right to delete their information.

While one of these methods must be a toll-free telephone number, the second method could be a webform, email address, or submission via snail mail.

One exception to this rule is highly relevant for Shopify store owners: if you are running your business exclusively online, you only need to implement one method for consumers to exercise their rights, namely a form on your website.


Categories of personal information you sell or declaration that you do not sell personal information:

If you are selling the personal information of your customers, you need to provide a list of categories of information you will sell.


How to add a Privacy Policy to your Shopify Store 

You can easily and automatically upload your Privacy Policy and display it on your Shopify Store by following these steps:

  1. Go to the Admin Screen page on your Shopify account and under the Settings section, navigate to ‘Legal’.
  2. Insert your Privacy Policy into the text box you will see and then click ‘save’.
  3. Your Privacy Policy will be visible now.

Before you can display your Privacy Policy by following these steps, you need to create a customized Privacy Policy to make sure that you satisfy CCPA standards.

While using Shopify’s Privacy Policy Generator might be a convenient option, you will likely need a more customized Privacy Policy tailored to particular categories of personal information you collect and how you use and share it. Therefore, it might be a better option to work with expert Privacy Policy Generator providers who can help you create custom-built Privacy Policies.


Where to display your Privacy Policy on your Shopify Store

If your Privacy Policy is buried within your website and finding it takes ages, you would be risking violating the CCPA.

Your Privacy Notice should be easily accessible and should be displayed prominently on your Shopify Store. For example, you can choose to put your Privacy Policy in the footer. Wherever you place it, make sure the Privacy Policy is visible and easy for your visitors to see.




Glow Recipe has all of their legal store policies within the bottom of the footer under the copyright text. We recommend moving them up to the main footer navigation for even better visibility. 

In addition to displaying your Privacy Policy in a prominent place on your Shopify Store, you also have to provide a link to your Privacy Policy before or at the collection of personal information.

When running your Shopify store, you will collect personal information when your visitors first visit your website, sign up for a newsletter, download content, or check out and make payments. In each of these steps, you must prominently display the link to your Privacy Policy to comply with CCPA requirements.


2. Let Customers Access Their Data

A critical CCPA compliance requirement is for Shopify stores to enable data subject access requests. If a consumer submits such a request, you need to satisfy this request within 45 days. 

When you receive an access request, you have to provide one copy of every piece of personal information you collected about the individual free of charge. For requests for further copies, you can charge your customers. Furthermore, the copy of the personal information you provide must be in a portable and readily usable format so that consumers can comprehend it.


customer data privacy request for shopify


With the Enzuzo: Data Privacy App for Shopify, you can add a customer data request form directly from your privacy policy like LAC swim. 

In addition to the personal information you've collected, you should also provide a copy of the personal information that third parties you have used, such as payment processors or fraud detection service providers, may have collected.

When you receive an access request, do your best to map all personal information you and your service providers have collected so that you can satisfy consumer requests in compliance with the CCPA.

Since you have to provide all the information you collected to your customers in a readily usable format and within a strict time limit (45 days), let's talk about how you can implement an easy way for your customers to request and get access to their data.

Under the CCPA, you have to provide two methods for your customers to submit their access requests. One is a toll-free number, and the other is either a web form, e-mail, post or request in person.

If you are doing business exclusively online with your Shopify Store, you are subject to a different rule: You must provide a webform on your website for your customers to submit their requests.

When building a contact form to receive access requests, you need to ensure that it is customer-friendly and easily accessible. This will not only help you comply with the CCPA, but it will also establish trust between you and your customers. 

Enzuzo’s personalized privacy policy comes with a built-in access request form right in the policy so customers can quickly request their data. 

According to a recent study by DataGrail, 27% of data subject requests made under the CCPA relate to access requests, and B2C businesses have to be ready to handle around 200 access requests per million customer records per year.

Given the growing volume of access requests, creating a user-friendly access request web form can help compliance with CCPA tremendously. 

Furthermore, almost 80% of consumers report that they are highly concerned over their privacy and building a consumer-centric and easy-to-use web form can go a long way in earning consumers’ trust.


3. Allow Customers to Opt Out of The Sale of Personal Information


Do Not Sell My Personal Information Page


To comply with CCPA, you must create a 'Do-not-sell-my-information' page that explains in simple terms that consumers have the right to opt out of any personal information transfers and describes how they can exercise their opt-out rights.

In your 'do-not-sell-my-information' notice, you must also describe the methods to submit opt-out requests in plain language.

If you are running your business exclusively online, it is enough to provide a web form to submit opt-out requests. 

Otherwise, you will need to provide a toll-free number and another method such as email, web form or post to submit requests.

It is useful to emphasize once again that, alongside your homepage, you should insert the link to your 'do not sell my personal information' page on every page where you collect personal data.

Suppose you are selling personal information you collected via the checkout page or the signup for a newsletter. In that case, you must put this link on these pages in a visible way to inform your customers.

Putting the 'Do-not-sell-my-personal-information' link next to your Privacy Policy can be an effective compliance solution.


Shopify CCPA Compliance: You Don't Have to Do It Alone

Compliance can be frustrating, expensive, and hard to figure out on your own. If you'd rather not spend thousands of dollars on legal fees, let the compliance experts at Enzuzo help you on your journey. We can assist with onboarding, custom privacy workflows, and a whole lot more at a fraction of the price. Book a demo today to explore the power of our platform.



Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.