If you ship to California, and almost every Shopify store does, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA, passed by ballot in 2020 and in force since 1 January 2023), applies to you. The thresholds are lower than most merchants realise, and enforcement is live: the CPRA created the California Privacy Protection Agency (CPPA), which gained enforcement authority in 2023 alongside the Attorney General, and the recent actions listed at the end of this guide are all against consumer-facing ecommerce and app businesses.
This guide covers the specific things a Shopify store has to do, the differences from GDPR (they are not interchangeable), and how to ship a defensible setup in under an hour.
Are you in scope?
You're subject to CCPA/CPRA if you're a for-profit business that does business in California and meets at least one of these thresholds:
- Annual gross revenue over $25M in the preceding calendar year (CPI-adjusted; California-specific revenue doesn't matter), OR
- Buy, sell, or share the personal information of 100,000+ California consumers or households per year, OR
- Earn 50%+ of revenue from selling or sharing California consumers' personal information.
For most Shopify merchants, threshold #2 is the binding one. The count is of California consumers or households, not sessions or devices, and it accumulates over a calendar year. Identifiers such as IP addresses and cookie IDs are personal information, so a visitor you never identify by name still counts. A store averaging about 280 unique California visitors a day crosses 100,000 in a year. If you run paid ads with any California targeting, you are likely above the threshold even at modest volume.
CPRA also created a category called "sensitive personal information" (SPI), which includes precise geolocation, racial or ethnic origin, and biometric data processed to identify someone, among others. Most stores aren't deliberately collecting SPI, but ad networks sometimes collect it on your behalf, which is a separate disclosure problem (and, if the SPI is used beyond what's necessary to provide the service, a separate "Limit the Use of My Sensitive Personal Information" link).
CCPA vs GDPR: the key differences
| | GDPR | CCPA / CPRA |
|---|---|---|
| Default | Opt-in before tracking | Opt-out (tracking allowed until the user opts out, with disclosure) |
| Banner required? | Yes | Footer link or banner; the link is more common |
| Required link | None specific | "Do Not Sell or Share My Personal Information" |
| Right of erasure | Yes (Art. 17) | Yes (Cal. Civ. Code §1798.105) |
| Penalties | Up to 4% of global annual turnover or €20M, whichever is higher | $2,500 per violation; $7,500 per intentional violation or violation involving a minor |
| Children | Parental consent for under-16s (member states may lower the age to 13) | Opt-in to sale/share for under-16s; parent or guardian opt-in for under-13s |
The biggest practical difference: CCPA permits opt-out, which means you don't have to block trackers by default. You just need to give California users a way to opt out and honour it.
This is why a single "global" cookie banner often doesn't fit either regime well. A GDPR-style "default deny + Accept" banner is overkill for California, but a CCPA-style "Do Not Sell" link is non-compliant for the EU.
What Shopify provides out of the box
Shopify's CCPA story is thinner than its GDPR story. You get:
- The GDPR webhooks, reused for CCPA: the same `customers/data_request` and `customers/redact` webhooks fire for CCPA-style access and deletion requests, so apps that handle GDPR delete requests automatically handle CCPA delete requests.
- A CCPA-aware Customer Privacy API: `window.Shopify.customerPrivacy` exposes `saleOfDataAllowed()` and related signals (`analyticsProcessingAllowed()`, `marketingAllowed()`, and `setTrackingConsent()` for recording a choice).
You do not get:
- A "Do Not Sell or Share" link in the footer. You have to add it.
- Global Privacy Control (GPC) signal handling. The CCPA regulations require you to honour GPC as a valid opt-out. The browser exposes it as `navigator.globalPrivacyControl === true` and also sends it to your server on every request as the `Sec-GPC: 1` header; you have to read one of them and apply the opt-out yourself.
- A way to detect California visitors specifically (you need geo-IP).
The four things every Shopify store selling to California needs
1. A "Do Not Sell or Share My Personal Information" link
CPRA extended "Do Not Sell" to "Do Not Sell or Share"; the "share" part covers cross-context behavioural advertising, which most stores do (Meta Pixel, Google Ads remarketing, TikTok Pixel). The link must:
- Appear conspicuously on every page (the footer is acceptable).
- Take users to a page or modal where they can exercise the opt-out.
- Lead to a choice that is honoured immediately and persistently.
- Let the opt-out be submitted in no more than two steps.
Two-step rule: if users have to fill in an email AND verify it AND solve a captcha, that's too many steps. The regulations say a business may not require a consumer to verify their identity to opt out (it may ask only for what it needs to apply the request), and an opt-out path that is longer or harder than the path to opt in counts as a dark pattern, so don't bolt account creation or email verification onto the flow.
2. Honour the Global Privacy Control (GPC) browser signal
The CCPA regulations require honouring GPC, a browser-level signal (sent by default by the Brave and DuckDuckGo browsers, optionally by Firefox, and by extensions such as Privacy Badger) that opts the user out of sale and sharing without any click on your site; the 2022 Sephora settlement turned on exactly this. Client-side detection is simple:

```javascript
// GPC arrives in the browser as navigator.globalPrivacyControl (and on the
// server as a "Sec-GPC: 1" request header). Check it before the banner renders
// and before any ad tag loads, not after.
if (typeof navigator !== "undefined" && navigator.globalPrivacyControl === true) {
  // Treat this visitor as having opted out, before they interact with the banner.
  setSaleOfDataAllowed(false);   // your store's own function: persist the opt-out
  applyOptOutToTrackers();       // your store's own function: keep ad pixels from loading
}
```
Most Shopify cookie banners (including Shopify's stock toggle) do not implement GPC. Consentico does, automatically.
3. A privacy notice that says specifically what you collect, sell, and share
Cal. Civ. Code §1798.100 requires a "notice at collection" at or before the point where personal information is collected. On a Shopify store, that's your privacy policy, linked from the footer and from checkout. It must contain:
- Categories of personal information collected (e.g., identifiers, commercial info, internet activity).
- Purposes for each category.
- Whether each category is sold or shared — and to whom.
- Retention periods for each category.
- A link to the "Do Not Sell or Share" page.
- Consumer rights under CCPA (right to know, delete, correct, opt-out, limit use of sensitive info).
- Two or more methods for exercising rights (web form + email is the common combo; a business that operates exclusively online and has a direct relationship with its customers may offer just an email address for know/delete requests, but offering both is the safe default).
The categories are standardised: they come from the statute's definition of personal information (Cal. Civ. Code §1798.140). Use the statutory terms verbatim; don't paraphrase.
4. A consent log for opt-out compliance evidence
Enforcement actions have required businesses to demonstrate that opt-out preferences were actually applied, not just recorded. If a California user clicks "Do Not Sell or Share" and a year later your remarketing audience still includes them, that's a violation, and without a log you can't even show when the request arrived.
A consent log captures:
- Visitor identifier (pseudonymous: a keyed hash of the IP, such as an HMAC with a per-store secret, is enough; a bare hash of an IPv4 address is reversible by brute force because there are only 2^32 possible inputs)
- Timestamp
- The exact preference (sale/share allowed: true/false)
- Whether GPC was active
- Region (CA, EU, etc.)
- Banner version that was displayed
Consentico's consent log captures all of this and is exportable as CSV. Most other Shopify-targeted CMPs only log positive consents (GDPR opt-ins), which leaves a CCPA evidence gap.
The "service provider" exception (and why it matters)
CCPA distinguishes between selling/sharing data and giving it to a service provider. A service provider:
- Is contractually restricted to using the data only to perform services for you.
- Cannot use the data for its own purposes.
- Cannot share or sell it onward.
Shopify itself is a service provider (the "Shopify Data Processing Addendum" makes this explicit). Klaviyo, Gorgias, your shipping label printer — typically service providers.
Meta, Google, TikTok are NOT service providers under CCPA in their default configuration: they use the data they receive to improve their own ad targeting and audience modelling for other businesses. That's "sharing" under CPRA, and it is why "sale" became "sale or share". Meta's Limited Data Use flag and Google's restricted data processing mode are the platforms' own attempts to act as service providers for California users; relying on them means trusting the platform's characterisation of its processing and setting the flag correctly on every event.
The simpler defensible position is that the "Do Not Sell or Share" toggle actually stops your Meta Pixel from firing for that visitor: not just stops it from sending order data, but stops it from loading at all, so Meta receives nothing that lets it build a profile.
A pragmatic CCPA checklist
- Determine if you're in scope (most Shopify stores selling to CA are; check threshold #2).
- Add a footer "Do Not Sell or Share My Personal Information" link on every page.
- Implement an opt-out flow that completes in two steps or fewer.
- Honour GPC browser signals automatically.
- Update your privacy policy to use CPRA-compliant categories and disclosures.
- Log all opt-out events with timestamp, identifier, region, GPC state.
- Verify Meta Pixel, Google Ads, TikTok stop receiving data for opted-out visitors.
- Provide a two-method contact for CCPA rights requests.
- If you have actual knowledge that visitors are under 16 (for example, a product line aimed at minors): get opt-in before selling or sharing their data, and a parent or guardian's opt-in for under-13s.
Running CCPA + GDPR on the same store
Most Shopify merchants serve both regions. The clean architecture is:
- Geo-detect the visitor server-side (or as early as possible client-side).
- EU/UK/EEA visitors: show the GDPR banner with default-deny.
- California visitors: show the CCPA-style notice with a "Do Not Sell or Share" link, default to allowed but honour GPC.
- Everyone else: no banner; defaults match your business decision.
Consentico's geo-targeting handles this automatically — pick the regions and the right banner shows for each.
What happens if you don't comply
Real recent CCPA enforcement actions:
- Sephora (2022): $1.2M settlement for not honouring GPC opt-out signals and not disclosing that it sold personal information.
- DoorDash (2024): $375k settlement for sharing customer data with a marketing co-op without proper notice or an opt-out.
- Tilting Point Media (2024): $500k settlement for collecting and sharing children's data for advertising without parental consent.
The original CCPA gave businesses a mandatory 30-day cure period after notice of a violation; the CPRA removed it as of 2023, and any opportunity to cure is now at the enforcer's discretion. Don't plan around one.
Summary
CCPA/CPRA compliance for Shopify merchants is genuinely simpler than GDPR — you can use opt-out instead of opt-in — but the things you do have to do are very specific. Get the "Do Not Sell or Share" link, the GPC honouring, and the privacy policy categories right and you're 95% covered.
The big risk for Shopify stores is using a GDPR-only CMP that doesn't have a CCPA-compliant footer link and doesn't honour GPC. If your current banner doesn't have an explicit "Do Not Sell or Share" mode, you're under-protected.
Install Consentico to ship a working CCPA + GDPR setup in under five minutes — geo-targeted, GPC-aware, and consent-logged.