Shopify is, without doubt, one of the most widely used tools for turning a business idea into an online store without writing a single line of code or spending vast sums on a platform built from scratch. The California Consumer Privacy Act (CCPA), which came into force on January 1, 2020, introduced new requirements that every Shopify store owner should be aware of.
This article walks you through three easy steps you can implement for CCPA compliance on your Shopify store.
Before we start, let’s clarify one thing: the CCPA is not an obstacle to small businesses or merely an extra cost. It is a law designed to build trust between companies and Californians by giving consumers more power over their personal data.
In other words, CCPA compliance is an opportunity for your Shopify business, because it bolsters your effort to earn customer trust and boosts your brand value. Bear in mind that the CCPA applies only to for-profit businesses that meet at least one of its thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices; or deriving 50% or more of annual revenue from selling personal information. Even if your store is below these thresholds today, the same steps are good practice and prepare you for the day you cross them.
Taking advantage of this opportunity and complying with the law both start with easy steps. Let’s now dive into how you can abide by the CCPA in three easy steps.
CCPA aims to empower consumers by giving them more control over their personal information.
Consumers cannot exercise their rights without knowing what data is collected about them, by whom, and how it is used.
Think about the payment details you collect from your customers on your Shopify store. If you do not inform your customers that you share their data with third parties for fraud prevention, they cannot object to that sharing, nor can they make an informed request to delete their data. (Note that the right to delete has exceptions: you may retain information that is needed to complete the transaction the consumer requested, or to detect security incidents and protect against fraudulent or illegal activity.)
In other words, transparency is the foundation of all the other rights under the CCPA, such as the right to deletion, and it is a prerequisite for giving consumers control over their data.
From a visitor’s first visit to your Shopify store through to the checkout and payment page, you collect large amounts of personal information, such as the visitor’s IP address, unique device identifiers, geolocation and payment card details. (On Shopify, the card number itself is handled by the hosted checkout and your payment gateway rather than stored by your store, but it is still collected through your store, so your notice must cover it.)
You then use this personal information for different purposes: to complete the sale, to ship products, to share it with third parties to prevent fraud, or to sell it to advertisers.
Without being fully informed about what personal information is collected and how it is used, your customers cannot exercise control over their personal information.
Therefore, informing your customers about each category of personal data you collect, how you are going to use it, and who you are going to share it with is essential for achieving transparency and helping your customers exercise their CCPA rights.
To achieve this, the CCPA requires you to inform consumers, in detail, about your data collection and processing activities at or before the point of collection (the ‘notice at collection’).
You need to list the categories of personal information you collect from Californian consumers.
While the CCPA enumerates 11 categories of personal information, including ‘identifiers’, ‘geolocation data’, ‘protected classifications’ (such as gender or race), ‘internet or other network activity’ and ‘biometric information’, it is up to you to be more descriptive about the specific pieces of data you collect in order to achieve full transparency.
Depending on the sensitivity of the data you collect, you may choose to be more specific about which pieces of data you collect. Instead of merely stating that you collect internet and network activity data, for instance, you can state that you collect the device identifiers of visitors to your Shopify store.
Keep in mind that while the statute lists the categories, it does not specify which pieces of data fall within each, so the CCPA leaves you a certain degree of flexibility in that regard.
Unlike the GDPR, the CCPA does not require you to establish a legal basis to justify the collection and use of personal information. However, you must provide detailed information about the business purposes for which you collect and use each category of personal information.
To comply with the CCPA, it is sufficient to refer to the categories of third parties you share personal information with; you do not have to name them.
You also need to describe the rights Californian consumers can exercise under the CCPA: the right to know what personal information you collect, use, disclose and sell; the right to request deletion of their personal information; the right to opt out of the sale of their personal information; and the right not to be discriminated against for exercising any of these rights.
Rights provided to consumers are meaningful only to the extent that consumers can freely and easily exercise them. To comply with the CCPA, you need to provide at least two methods for consumers to submit requests to know and requests to delete their information.
One of these methods must be a toll-free telephone number; the second can be a web form, an email address, postal mail or submission in person.
One exception to this rule is highly relevant to Shopify store owners: if you run your business exclusively online and have a direct relationship with the consumers whose information you collect, the CCPA only requires you to provide an email address for submitting requests. In practice, an interactive web form on your website is the most convenient way to receive and track those requests.
If you sell the personal information of your customers, you also need to provide a list of the categories of information you sell.
Glow Recipe, for example, keeps all of its store policies at the bottom of the footer, under the copyright text. We recommend moving them up into the main footer navigation for better visibility.
The CCPA gives consumers the right to access a copy of the personal information a business holds about them. If a consumer submits a verifiable request, you must respond within 45 days of receiving it; this period can be extended once by a further 45 days when reasonably necessary, provided you notify the consumer within the first 45 days.
When you receive an access request, you must provide, free of charge, the specific pieces of personal information you have collected about that individual in the preceding 12 months. You are not obliged to respond to more than two such requests from the same consumer within a 12-month period, and you may charge a reasonable fee or refuse only where a request is manifestly unfounded or excessive. The copy you provide must be in a portable and, to the extent technically feasible, readily usable format that lets the consumer transmit it to another entity without hindrance. One security caveat applies: a response to a request to know must never disclose a consumer’s Social Security number, driver’s license or other government-issued identification number, financial account number, health insurance or medical identification number, account password, or security questions and answers. Instead, tell the consumer that you hold that type of information without revealing the values themselves.
In addition to the personal information you have collected directly, you should account for the personal information that your service providers, such as payment processors or fraud detection providers, have collected on your behalf.
When you receive an access request, map all the personal information you and your service providers hold about the individual so that you can satisfy the request in compliance with the CCPA. Verify the requester’s identity before disclosing anything: sending a consumer’s data to an impostor is itself a data breach.
Now that you know you have to provide the information you collected to your customers, in a readily usable format and within a strict time limit (45 days), let’s talk about how you can implement an easy way for your customers to request and obtain their data.
Under the CCPA, you have to provide two methods for your customers to submit their access requests: one is a toll-free number, and the other is a web form, an email address, postal mail or submission in person.
If you do business exclusively online with your Shopify store and have a direct relationship with your customers, you are subject to a different rule: you need only provide an email address for submitting requests, though a web form on your website is the most practical way to collect them.
When building a form to receive access requests, make sure it is customer-friendly and easily accessible. This will not only help you comply with the CCPA, but it will also build trust between you and your customers.
According to a recent study by DataGrail, 27% of data subject requests made under the CCPA are access requests, and B2C businesses should be prepared to handle around 200 access requests per million customer records per year.
Given the growing volume of access requests, a user-friendly access request web form can help your CCPA compliance tremendously.
Furthermore, almost 80% of consumers report that they are highly concerned about their privacy, so a consumer-centric, easy-to-use web form can go a long way towards earning their trust.
Suppose you sell the personal information of California residents. In that case, you need to inform your customers of the opt-out opportunity so that they can easily exercise their right to opt out of sale under the CCPA. Keep in mind that ‘sale’ is defined broadly under the CCPA as disclosing personal information to a third party for monetary or other valuable consideration, which can cover advertising and analytics integrations that receive your visitors’ data.
To comply with the CCPA, you must create a ‘Do Not Sell My Personal Information’ page that explains in simple terms that consumers have the right to opt out and describes how they can exercise that right.
After you create this page, you need to incorporate it both into your homepage and any page where you collect personal information to notify your customers.
In your ‘Do Not Sell My Personal Information’ notice, you must also describe, in plain language, the methods for submitting opt-out requests.
For opt-out requests, one of your methods must be an interactive web form reachable from the ‘Do Not Sell My Personal Information’ link on your website, and you must offer at least one other method as well, such as a toll-free number, a designated email address or a form sent by post.
Note that a toll-free number is not mandatory for opt-out requests, and the exclusively-online exception that reduces requests to know and delete to an email address does not remove the requirement for the link and web form.
It is worth emphasizing once again that, alongside your homepage, you should place the link to your ‘Do Not Sell My Personal Information’ page on every page where you collect personal data.
Suppose you sell personal information collected via the checkout page or a newsletter signup. In that case, you must place this link on those pages in a visible way to inform your customers.