Shopify cookie consent in California
California requires a 'Do Not Sell or Share' link, GPC honouring, and a CCPA-aware privacy notice for any Shopify store with 100k+ California sessions per year.
Governing law: California Consumer Privacy Act (CCPA) + California Privacy Rights Act (CPRA)
Enforcement reality
The California Privacy Protection Agency (CPPA) took over enforcement from the Attorney General in July 2023 and has been aggressive against mid-market ecommerce. The 30-day cure period for first-time violations was eliminated for many infractions in 2024. Enforcement actions have explicitly cited failure to honour Global Privacy Control (GPC), insufficient 'Do Not Sell or Share' link visibility, and overly long opt-out flows.
Regulator: California Privacy Protection Agency (CPPA)
Recent enforcement actions
- Sephora · 2022 · $1.2M: Failure to honour opt-out signals; not disclosing data sales
- DoorDash · 2024 · $375K: Sharing customer data without proper notice
- Tilting Point Media · 2024 · $500K: Failing to disclose minor-targeted advertising
What Shopify merchants must do in California
- Conspicuous 'Do Not Sell or Share My Personal Information' link on every page
- Honour the Global Privacy Control (GPC) browser signal as a valid opt-out
- Two-step (or fewer) opt-out flow
- Privacy notice listing categories of personal information collected, sold, and shared
- Right-to-delete request handling within 45 days (extendable to 90)
- No sale or share of under-16s' data without opt-in (under-13s require parental consent)
How Consentico handles California
Consentico's geo-targeting detects California visitors at the edge and applies the right banner — opt-in posture for California-style opt-out rules, with Google Consent Mode v2 signals and a per-decision audit log. The banner survives Shopify theme switches and uninstalls cleanly.
Related concepts
- CCPA: California's privacy law, expanded in 2023 by the CPRA. Requires a 'Do Not Sell or Share' link and honouring of GPC for California residents.
- Do Not Sell or Share: Required CCPA/CPRA opt-out link visible on every page of a California-targeting site. Renamed from 'Do Not Sell' in 2023.
- Global Privacy Control: Browser-level signal that automatically opts users out of data sale or sharing. CPRA requires California-targeting sites to honour it.
Compliant in California — in five minutes.
Free for stores under 5,000 banner views per month. No code, no theme edits.