This article will walk you through steps to make your Shopify store compliant with the California Consumer Privacy Act (CCPA).
Don't fear this law. The CCPA is only designed to build trust between companies and Californians by giving consumers more power over their personal data.
Taking advantage of opportunities and complying with laws start with easy steps. Let’s now dive into how you can abide by CCPA in three easy steps.
The fact is that Shopify stores collect plenty of information on their customers, including names, email addresses, shipping addresses, demographic information, and more. The right to know is an integral step in CCPA compliance and stems from a principle of transparency.
In other words, transparency is the foundation of all other rights, such as the right to deletion under the CCPA, and it is a prerequisite to giving consumers control over their data.
From your visitors’ first visit to your Shopify store to the checkout and payment page, Shopify store owners collect vast amounts of personal information such as visitors’ IP address, unique device identifiers, geolocation data, and credit card details.
This personal information is used for different purposes such as to complete a sale, to ship products, to share it with third parties to prevent fraud or sell it to advertisers.
Without being fully informed about what personal information is collected and how it is used, your customers cannot exercise control over their personal information.
Therefore, informing your customers about each category of personal data you collect, how you are going to use the data, who you are going to share it with is important to achieve transparency and help your customers exercise their CCPA rights.
Categories of personal information you collect:
While the CCPA refers to 11 categories of personal information, including ‘identifiers’ (IDs), ‘geolocation data’, ‘protected class information’ (gender, race, etc.), network activity and biometric information, it is up to you to become more descriptive about the specific pieces of data you collect in order to achieve full transparency.
Depending on the level of sensitivity of the data you collect, you may choose to be more specific on what snippets of data you collect to achieve transparency. Instead of merely stating that you collect data on the internet and network activity, for instance, you can describe in more detail that you collect device identifiers of visitors of your Shopify store.
Keep in mind that there is still no clarity on what those ‘categories’ might be, so the CCPA provides a certain degree of flexibility in that regard.
Purposes for which you will use each category of personal information:
Unlike the GDPR, you do not have to determine a legal basis to justify the collection and use of personal information under the CCPA. However, you must provide detailed information about the business purposes for which you are collecting and using each category of personal information.
Categories of third parties that you will share personal information with:
To comply with CCPA, it is sufficient for you to refer to the types of third parties you will share personal information with; you do not have to disclose the names of third parties.
Description of California consumers’ rights under the CCPA and description of methods by which they can exercise their rights:
- The right to notice
- The right to deletion
- The right to know
- The right to opt-in (for minors)
- The right to opt-out
- The right to non-discrimination
Rights provided to consumers are meaningful to the extent that they can freely and easily exercise them. To comply with the CCPA, you need to specify two different methods for consumers to exercise their right to know and the right to delete their information.
While one of these methods must be a toll-free telephone number, the second method could be a webform, email address, or submission via snail mail.
One exception to this rule is highly relevant for Shopify Store owners: If you are running your business exclusively online, you only need to implement one method for consumers to exercise their rights: A form on your Website.
Categories of personal information you sell or declaration that you do not sell personal information:
If you are selling the personal information of your customers, you need to provide a list of categories of information you will sell.
- Go to the Admin Screen page on your Shopify account and under the Settings section, navigate to ‘Legal’.
Glow Recipe has all of their legal store policies within the bottom of the footer under the copyright text. We recommend moving them up to the main footer navigation for even better visibility.
2: Let Customers Access Their Data
A critical CCPA compliance requirement is for Shopify stores to enable data subject access requests. If a consumer submits such a request, you need to satisfy this request within 45 days.
When you receive an access request, you have to provide one copy of every piece of personal information you collected about the individual free of charge. For requests for further copies, you can charge your customers. Furthermore, the copy of the personal information you provide must be in a portable and readily usable format so that consumers can comprehend it.
In addition to the personal information you've collected yourself, you should also provide a copy of the information that the third parties you use, such as payment processors or fraud detection service providers, may have collected.
When you receive an access request, do your best to map all personal information you and your service providers have collected so that you can satisfy consumer requests in compliance with the CCPA.
Now that you have to provide all information you collected to your customers in a readily usable format and within a strict time limit (45 days), let's talk about how you can implement an easy way for your customers to request and get access to their data.
Under the CCPA, you have to provide two methods for your customers to submit their access requests. One is a toll-free number, and the other is either a web form, e-mail, post or request in person.
If you are doing business exclusively online with your Shopify Store, you are subject to a different rule: You must provide a webform on your website for your customers to submit their requests.
When building a contact form to receive access requests, you need to ensure that it is customer-friendly and easily accessible. This will not only help you comply with the CCPA, but it will also establish trust between you and your customers.
According to a recent study by DataGrail, 27% of data subject requests made under the CCPA relate to access requests, and B2C businesses have to be ready to handle around 200 access requests per million customer records per year.
Given the growing volume of access requests, creating a user-friendly access request web form can help compliance with CCPA tremendously.
Furthermore, almost 80% of consumers report that they are highly concerned about their privacy, and building a consumer-centric, easy-to-use web form can go a long way in earning consumers’ trust.
3: Allow Customers to Opt Out of The Sale of Personal Information
To comply with CCPA, you must create a 'Do-not-sell-my-information' page that explains in simple terms that consumers have the right to opt-out of any personal information transfers and also describe how they can exercise their opt-out rights.
In your 'do-not-sell-my-information' notice, you must also describe the methods to submit opt-out requests in plain language.
If you are running your business exclusively online, it is enough to provide a web form to submit opt-out requests.
Otherwise, you will need to provide a toll-free number and another method such as email, web form or post to submit requests.
It is useful to emphasize once again that, alongside your homepage, you should insert the link to your 'do not sell my personal information' page on every page where you collect personal data.
Suppose you are selling personal information you collected via the checkout page or the signup for a newsletter. In that case, you must put this link on these pages in a visible way to inform your customers.
Shopify CCPA Compliance: You Don't Have to Do It Alone
Compliance can be frustrating, expensive, and hard to figure out on your own. If you'd rather not spend thousands of dollars on legal fees, let the compliance experts at Enzuzo help you on your journey. We can assist with onboarding, custom privacy workflows, and a whole lot more at a fraction of the price. Book a demo today to explore the power of our platform.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.