California Consumer Privacy Act — the first US state-level privacy law, in force since January 2020. Expanded by the California Privacy Rights Act (CPRA) in January 2023.

For Shopify merchants selling to customers in California, CCPA/CPRA requires:
- A "Do Not Sell or Share My Personal Information" link visible on every page (typically in the footer).
- Honouring the Global Privacy Control (GPC) browser signal as a valid opt-out.
- A privacy policy in CPRA's standard format with specific category disclosures.
- Opt-in consent for collection of "sensitive personal information" or data of users under 16.

CCPA uses an opt-out model, unlike GDPR's opt-in default: visitors can be tracked by default, but must be given a clear way to opt out, and the opt-out must be honoured immediately.

Penalties: $2,500 per violation, $7,500 for intentional violations or violations involving minors.