Make your Shopify Store CCPA Compliant in 3 Steps

Ali Talip Pınarbaşı 8/26/21 11:51 AM

Shopify is, without doubt, one of the greatest tools for bringing entrepreneurs’ dreams to reality: it lets them start without writing a single line of code or spending vast sums on building a platform from scratch. The California Consumer Privacy Act (CCPA), which came into force last year, introduced new requirements that every Shopify store owner should be aware of.

This article walks you through three easy steps you can implement to bring your Shopify store into compliance with the California Consumer Privacy Act.

Before we start, let’s clarify one thing: the CCPA is not an obstacle to small businesses or an extra cost. It is a law designed to build trust between companies and Californians by giving consumers more power over their personal data.

In other words, CCPA compliance is an opportunity for your Shopify business, because it bolsters your effort to earn customer trust and boosts your brand value.

Taking advantage of opportunities and complying with laws start with easy steps. Let’s now dive into how you can abide by CCPA in three easy steps.


Step One: Add a Privacy Policy for Transparency

Transparency: The bedrock of all consumer data privacy rights

CCPA aims to empower consumers by giving them more control over their personal information.

Consumers cannot exercise their rights without knowing what data is collected about them, by whom, and how it is used.

Think about the credit card details you collect from your customers on your Shopify store. If you do not tell your customers that you share their data with third parties for fraud prevention, they cannot object to that sharing, nor can they request the deletion of their data.

[Image: Enzuzo privacy policy page]

In other words, transparency is the foundation of all other rights, such as the right to deletion under the CCPA, and it is a prerequisite to giving consumers control over their data.

This is why CCPA requires that you, as a Shopify owner, provide a Privacy Policy on your website to inform your customers.

In addition to the CCPA, Shopify itself also requires that you add a Privacy Policy to your website.


What to include in your Privacy Policy for CCPA Compliance

From your visitors’ first visit to your Shopify store to the checkout and payment page, you collect vast amounts of personal information such as your visitors’ IP address, unique device identifier, their geolocation and their credit card details.

You then use this personal information for different purposes such as to complete the sale, to ship products, to share it with third parties to prevent fraud or sell it to advertisers. 

Without being fully informed about what personal information is collected and how it is used, your customers cannot exercise control over their personal information.

Therefore, informing your customers about each category of personal data you collect, how you are going to use it, and who you are going to share it with is essential to achieving transparency and helping your customers exercise their CCPA rights.

To achieve this, the CCPA requires that you inform customers in detail about all data collection and processing activities at or before the point of collection.

Here is a list of information you must include in your CCPA Privacy Policy for compliance: 

Categories of personal information you collect: 

You need to provide categories of personal information you collect from Californian consumers. 

While the CCPA lists 11 categories of personal information, including ‘identifiers’, ‘geolocation data’, ‘protected class information’ (gender, race, etc.), ‘internet or other electronic network activity’ and ‘biometric information’, it is up to you to be more descriptive about the specific pieces of data you collect in order to achieve full transparency.

Depending on the sensitivity of the data you collect, you may choose to be more specific about which pieces of data you collect. Instead of merely stating that you collect internet and network activity data, for instance, you can state that you collect the device identifiers of visitors to your Shopify store.

Keep in mind that the CCPA lists the categories but does not prescribe how granular your descriptions within each category must be, so it leaves you a degree of flexibility in that regard.

Purposes for which you will use each category of personal information:

Unlike the GDPR, the CCPA does not require you to establish a legal basis to justify the collection and use of personal information. However, you must state in detail the business purposes for which you collect and use each category of personal information.

For example, you will have to ask for customers’ mailing addresses in order to fulfill orders, so you can state in your Privacy Policy that the information on the personal address will be used for order fulfillment purposes.

Categories of third parties that you will share personal information with:

To comply with CCPA, it is sufficient for you to refer to the types of third parties you will share personal information with; you do not have to disclose the names of third parties.

For example, suppose you share financial information with payment processor vendors or fulfillment centers. In that case, it is enough to explain in your Privacy Policy that you share financial information with ‘Payment Processors’. You do not have to share the name and contact information of specific processors such as PayPal, Visa or MasterCard.

Description of California consumers’ rights under the CCPA and description of methods by which they can exercise their rights:

You also need to describe the rights Californian consumers can exercise under the CCPA. These rights include:

  • The right to notice
  • The right to deletion
  • The right to know
  • The right to opt-in (for minors)
  • The right to opt-out
  • The right to non-discrimination

Rights provided to consumers are meaningful to the extent that they can freely and easily exercise them. To comply with the CCPA, you need to specify two different methods for consumers to exercise their right to know and the right to delete their information.

[Photo by RODNAE Productions from Pexels]

While one of these methods must be a toll-free telephone number, the second method could be a web form, email, post or submission in person.

One exception to this rule is highly relevant for Shopify store owners: if you run your business exclusively online and deal directly with your consumers, you only need to offer one method for consumers to exercise their rights. The statute names an email address as that minimum; a request form on your website is the practical way to offer it.

Categories of personal information you sell or declaration that you do not sell personal information:

If you sell the personal information of your customers, you need to list the categories of information you sell. If you do not, state plainly in your Privacy Policy that you do not sell personal information.


How to add a Privacy Policy to your Shopify Store 

You can easily and automatically upload your Privacy Policy and display it on your Shopify Store by following these steps:

  1. Go to the Admin Screen page on your Shopify account and under the Settings section, navigate to ‘Legal’.
  2. Insert your Privacy Policy into the text box you will see and then click ‘save’.
  3. Shopify publishes the policy at the /policies/privacy-policy page of your store. Add a link to that page to your footer menu so that visitors can find it.

Before you can display your Privacy Policy by following these steps, you need to create a customized Privacy Policy to make sure that you satisfy CCPA standards.

While using Shopify’s Privacy Policy Generator might be a convenient option, you will likely need a more customized Privacy Policy tailored to particular categories of personal information you collect and how you use and share it. Therefore, it might be a better option to work with expert Privacy Policy Generator providers who can help you create custom-built Privacy Policies.

Where to display your Privacy Policy on your Shopify Store

If your Privacy Policy is buried within your website and takes ages to find, you risk violating the CCPA.

Your Privacy Policy should be easily accessible and displayed prominently on your Shopify store. For example, you can put the link in the footer, but make sure it is visible and easy for your visitors to spot.

[Screenshot: Glow Recipe store footer]

Glow Recipe has all of its legal store policies at the bottom of the footer, under the copyright text. We recommend moving them up to the main footer navigation for even better visibility.

In addition to displaying your Privacy Policy in a prominent place on your Shopify Store, you also have to provide a link to your Privacy Policy before or at the collection of personal information.

When running your Shopify store, you collect personal information when visitors first arrive at your website, sign up for a newsletter, download content, or check out and pay. At each of these steps, you must prominently display a link to your Privacy Policy to comply with the CCPA.

Step 2: Provide an easy way for customers to request access to their data

The CCPA gives consumers the right to access a copy of the personal information a business holds about them. If a consumer submits such a request, you must satisfy it within 45 days.

When you receive an access request, you must provide a copy of every piece of personal information you have collected about the individual, free of charge (you are not required to respond to more than two such requests from the same consumer in a 12-month period). Furthermore, the copy must be in a portable and readily usable format, so that the consumer can read it and pass it on to another service without hindrance.

[Image: customer data privacy request form on a Shopify store]

With the Enzuzo: Data Privacy App for Shopify, you can add a customer data request form directly to your privacy policy, as LAC Swim does.

In addition to the personal information you collected yourself, you should also provide a copy of the personal information held by the third parties you use, such as payment processors or fraud detection service providers, since they may have collected personal information on your behalf.

When you receive an access request, do your best to map all personal information you and your service providers have collected so that you can satisfy consumer requests in compliance with the CCPA.

Since you have to hand over all the information you collected in a readily usable format and within a strict time limit (45 days), let’s talk about how you can implement an easy way for your customers to request and receive their data.

Under the CCPA, you have to provide two methods for your customers to submit access requests. One is a toll-free number; the other is a web form, email, post or an in-person request.

If you do business exclusively online with your Shopify store and deal directly with your customers, a different rule applies: you need only one method, for which the statute names an email address as the minimum. A web form on your website is the practical way to offer it.

When building a form to receive access requests, make sure it is customer-friendly and easily accessible, and that you verify the requester really is the person whose data they are asking for before you release anything: a form that returns customer records to anyone who types in an email address is a data leak, not a compliance feature. Getting this right not only helps you comply with the CCPA, it also builds trust between you and your customers.
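The following is an added example, not code from the original article or from Enzuzo, showing the back end such a request form needs: it logs the request with its 45-day deadline, ties completion to a one-time token sent to the email on file, masks the card number in the export, and merges what your service providers hold into one portable JSON document. All records, vendor names and the email-keyed layout are constructed assumptions for the demonstration.

```python
"""CCPA request-to-know intake and portable export (constructed example)."""
import hmac
import json
import re
import secrets
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 45  # CCPA: respond to a request to know within 45 days

# Constructed sample data, keyed by customer email (assumption: the email on
# the order is what ties a customer's records together in your store).
STORE_RECORDS = {
    "alice@example.com": {
        "identifiers": {"name": "Alice Example", "email": "alice@example.com"},
        "commercial_information": {"orders": ["#1001", "#1042"]},
        "internet_activity": {"last_ip": "203.0.113.7", "device_id": "d-7f3a"},
        "geolocation": {"shipping_region": "CA"},
        "financial": {"card_number": "4111111111111111", "expiry": "12/24"},
    }
}

# Constructed records held by service providers; in practice you pull these
# from each vendor's data export or privacy-request API.
SERVICE_PROVIDER_RECORDS = {
    "Payment processor": {
        "alice@example.com": {"card_last4": "1111", "transactions": ["tx_9a", "tx_9b"]}
    },
    "Fraud prevention vendor": {
        "alice@example.com": {"risk_score": 12, "ips_seen": ["203.0.113.7"]}
    },
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_pending_tokens = {}  # email -> one-time verification token (in-memory stand-in for a DB)


def open_request(email, received_iso):
    """Record a request to know and its statutory deadline.

    Returns the request record including a one-time token. Assumption: you
    email the token to the address on file, so only the account holder can
    complete the request and collect the export.
    """
    if not EMAIL_RE.match(email):
        raise ValueError(f"invalid email address: {email!r}")
    received = date.fromisoformat(received_iso)
    token = secrets.token_urlsafe(32)
    _pending_tokens[email] = token
    return {
        "email": email,
        "received": received.isoformat(),
        "respond_by": (received + timedelta(days=RESPONSE_WINDOW_DAYS)).isoformat(),
        "verification_token": token,
    }


def verify_requester(email, token):
    """Constant-time check of the token the requester sends back; consumes it."""
    expected = _pending_tokens.get(email)
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    del _pending_tokens[email]
    return True


def mask_card(number):
    """Export only the last four digits: the consumer already knows their own
    card, and the export file may be forwarded or stored anywhere."""
    return "*" * (len(number) - 4) + number[-4:]


def build_export(email, token):
    """Assemble the portable copy: your own records plus service-provider records."""
    if not verify_requester(email, token):
        raise PermissionError("requester not verified; do not release records")

    own = json.loads(json.dumps(STORE_RECORDS.get(email, {})))  # deep copy, never mutate the store
    if "card_number" in own.get("financial", {}):
        own["financial"]["card_number"] = mask_card(own["financial"]["card_number"])

    from_providers = {
        vendor: records[email]
        for vendor, records in SERVICE_PROVIDER_RECORDS.items()
        if email in records
    }
    return {
        "consumer": email,
        "personal_information_collected": own,
        "personal_information_held_by_service_providers": from_providers,
    }


def export_json(email, token):
    """Machine-readable format the consumer can take to another service."""
    return json.dumps(build_export(email, token), indent=2, sort_keys=True)


if __name__ == "__main__":
    req = open_request("alice@example.com", "2021-08-26")
    print("respond by", req["respond_by"])
    print(export_json("alice@example.com", req["verification_token"]))
```

The token is single-use and compared in constant time, so a second call with the same token fails; that is deliberate, as every export should correspond to one verified request. Wiring this to a real Shopify store means replacing the two dictionaries with the Admin API and your vendors' exports, and sending the token by email rather than returning it to the caller.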

Enzuzo’s personalized privacy policy comes with a built-in access request form right in the policy so customers can quickly request their data. 

[Image: Enzuzo privacy policy with built-in access request form]

According to a recent study by DataGrail, 27% of data subject requests made under the CCPA are access requests, and B2C businesses should be ready to handle around 200 access requests per million customer records per year.

Given the growing volume of access requests, creating a user-friendly access request web form can help compliance with CCPA tremendously. 

Furthermore, almost 80% of consumers report that they are highly concerned about their privacy, so a consumer-centric, easy-to-use web form can go a long way toward earning their trust.


Step 3: Make it easy for customers to opt-out of sale

Suppose you are selling the personal information of California residents. In that case, you need to inform your customers of the opt-out opportunity so that they can easily exercise their right to opt-out of sale under the CCPA.

Do Not Sell My Personal Information Page

To comply with the CCPA, you must create a 'Do Not Sell My Personal Information' page that explains in simple terms that consumers have the right to opt out and describes how they can exercise that right.

After you create this page, link to it from your homepage and from every page where you collect personal information, so that your customers are notified.

In your 'do-not-sell-my-information' notice, you must also describe the methods to submit opt-out requests in plain language.

If you run your business exclusively online, it is enough to provide a web form for submitting opt-out requests.

Otherwise, you need to offer at least two methods, for example a toll-free number together with email, a web form or post.

It is worth emphasizing once again that, alongside your homepage, you should place the link to your 'Do Not Sell My Personal Information' page on every page where you collect personal data.

Suppose you are selling personal information you collected via the checkout page or the signup for a newsletter. In that case, you must put this link on these pages in a visible way to inform your customers.

Putting the 'Do-not-sell-my-personal-information' link next to your Privacy Policy can be an effective compliance solution.