
CCPA, CPRA & GDPR: Privacy Laws Compared

Hakim Danyal
Unraveling the Web of Privacy Laws: How GDPR, CCPA, and CPRA Shape Our Digital World

The European Union's (EU) General Data Protection Regulation (GDPR) set the stage for subsequent privacy regulations, most notably the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The GDPR took effect in May 2018, establishing strict new rules for handling personal data. GDPR applies to any company that processes the data of EU citizens, regardless of where the company is based. In terms of CCPA vs CPRA, the CCPA was signed in 2018, shortly after the GDPR was passed, and went into effect in January 2020. The CPRA is an expansion of the CCPA that was approved by California voters in November 2020. It strengthens the CCPA in several key ways, including expanding the definition of personal information and extending the law's reach to cover more businesses. Below we discuss the differences between these privacy laws in more detail.

General Data Protection Regulation (GDPR)

The GDPR is currently the most comprehensive regulation on consumer data privacy. As such, it's considered the global gold standard. The regulation sets out strict rules on how personal data must be collected, used, and protected.

Scope

GDPR compliance applies to for-profit and nonprofit organizations (including government bodies) that handle the personal data of EU data subjects, so the GDPR also affects non-EU businesses. The GDPR applies to almost all types of personal data, unlike the CCPA and CPRA, which are limited to certain forms of personal information.

Consumer Rights

The GDPR also protects a variety of rights for all data subjects. These include the right to:

  • know
  • deletion
  • data rectification
  • access
  • control data processing
  • object to data portability

Enforcement Agency

The Information Commissioner's Office (ICO) became the primary enforcement body for GDPR after it went into effect across the EU in May 2018. Even though the United Kingdom (UK) decided to leave the EU in 2019, it was announced that the ICO would still enforce GDPR rules across the UK. However, individual EU member states also have their own data protection authorities that can levy fines.

Penalties

Non-compliance with the regulation and any data breaches could result in fines of up to €20 million or 4% of the company's annual global turnover, whichever is greater.

California Consumer Privacy Act (CCPA)

The CCPA was a watershed moment for data privacy and protection. It was the first piece of legislation that gave consumers in California (and by extension the US) many of the same rights found in the GDPR.

Scope

Only for-profit businesses are affected by the CCPA. CCPA compliance requires cookie consent notices that let users know when their data is being collected, sold, or otherwise shared.

Consumer Rights

Consumers are entitled to certain rights under the CCPA, including the right to:

  • opt-out of data sales
  • be informed about data collection
  • have collected data disclosed
  • have collected data deleted
  • receive equal services without discrimination

Enforcement Agency

The CCPA is regulated by the California Office of the Attorney General (OAG). The OAG has the authority to set fines and penalties for entities that don't uphold CCPA rules.

Penalties

The CCPA's penalties are tiered, so companies can be fined more if they knowingly violate the law or fail to comply with an enforcement order:

  • $2,500 for unintentional violations
  • $7,500 for intentional violations
  • $100 - $750 in damages per incident of breach, filed in civil court

California Privacy Rights Act (CPRA)

The CPRA, in a nutshell, is a more comprehensive version of the CCPA. It adds several important components to the CCPA's rules.

Scope

The CCPA previously stated that a business is an entity that buys, sells, or shares the personal information of 50,000 consumers. However, the CPRA has increased this number to 100,000. The CPRA also modified the CCPA's definition of a business deriving 50% or more of its annual revenue from selling consumers' personal information to include the term "sharing".

Consumer Rights

The CPRA gives consumers additional control over how businesses meet CPRA data retention requirements. As such, companies must have a prominent banner on their website titled "Limit the Use of My Sensitive Personal Information" with a link to a page that allows consumers to do so.

Enforcement Agency

The CPRA created a new authority, the California Privacy Protection Agency (CPPA), whose sole purpose is to investigate and enforce violations of the law.

Penalties

The same penalties that are outlined under the CCPA will apply, with an additional fine of $7,500 if the privacy rights of a minor are violated. Businesses can avoid fines by correcting issues within 30 days after being notified of a violation.

Conclusion

The CPRA takes effect in 2023, and it will be interesting to see how it affects businesses in California and beyond. In the meantime, companies should ensure they comply with the CCPA and GDPR, as well as any other data privacy laws that may apply to them (see our CCPA vs LGPD and CCPA vs PIPEDA comparisons).

How These Laws Affect Your Shopify or BigCommerce Store

If you run a direct-to-consumer (DTC) brand on Shopify or BigCommerce, you're likely collecting customer data across multiple touchpoints: checkout forms, email signup popups, analytics trackers, and advertising pixels. Each of these triggers different privacy obligations depending on where your customers are located.

Your Shopify store automatically collects IP addresses, browsing behavior, and device information. Under GDPR, you need explicit consent before dropping tracking pixels like Meta Pixel or Google Analytics on European visitors. Under CCPA and CPRA, California customers have the right to know what data you're collecting and to opt out of its sale.

The practical challenge: a single customer might fall under multiple regulations simultaneously. A visitor from Germany gets GDPR protections. A California resident gets CCPA/CPRA rights. Your store needs to respect the strictest rule that applies to each visitor.

This means your cookie banner can't be a one-size-fits-all solution. You need geolocation-based consent flows that ask different questions to different visitors. You also need to document your data flows—where customer information goes after checkout (email service providers like Klaviyo, customer data platforms, payment processors). If you can't clearly explain why you're collecting something, you probably shouldn't be collecting it.

Many eCommerce brands underestimate how CCPA and CPRA apply to them. You don't need to be "selling" data in the traditional sense for these laws to apply. Sharing customer lists with Facebook for lookalike audiences counts as a "sale" under California law. Your email marketing platform integrations? Also covered.

Cookie Banners and Consent Management on eCommerce Sites

A cookie banner is not optional—it's the foundation of legal data collection. But the quality of your banner matters enormously.

Under GDPR, your cookie banner must obtain affirmative, informed consent before any non-essential cookies fire. This means the default cannot be "accept all." Users must be able to reject tracking as easily as they accept it. Buttons should be equally sized and equally prominent.

CCPA and CPRA don't technically require cookie banners the same way GDPR does, but they do require clear disclosure about data collection and sharing. California law also mandates a "Do Not Sell or Share My Personal Information" link on your homepage that must be easy to find.

Here's where it gets complicated for eCommerce: Shopify and similar platforms pre-install scripts and integrations that fire cookies automatically. You're responsible for managing consent before those scripts load, not after. Turning off Google Analytics in your Shopify admin isn't enough if the Meta Pixel still fires.

Your banner should:

  • Clearly identify which cookies are essential (payment processing, fraud prevention) versus optional (analytics, advertising)
  • Allow granular consent—visitors shouldn't have to accept all tracking just to browse your store
  • Update when privacy practices change
  • Respect user choices across all your properties (your website, mobile app if you have one, checkout pages)
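One way to enforce the rules above in a storefront script, as an added example that is not part of the original post or of any platform's code: optional trackers are registered by category and only load once the visitor has explicitly granted that category, while the default state (before any choice) blocks everything non-essential. `TRACKERS`, `ConsentManager` and the `loadScript` callback are hypothetical stand-ins for the real script loader.

```javascript
// Added example: consent-gated loading of optional trackers.
// Constructed tracker inventory; ids and categories are hypothetical.
const TRACKERS = [
  { id: 'payment-sdk', category: 'essential' },
  { id: 'fraud-check', category: 'essential' },
  { id: 'google-analytics', category: 'analytics' },
  { id: 'meta-pixel', category: 'advertising' },
];
const OPTIONAL_CATEGORIES = ['analytics', 'advertising'];

class ConsentManager {
  constructor(loadScript) {
    this.loadScript = loadScript; // injected so the logic is testable without a DOM
    this.loaded = new Set();
    this.record = null;           // no record means no choice has been made yet
  }
  // Essential scripts always run; anything optional needs an explicit grant.
  allowed(category) {
    if (category === 'essential') return true;
    return Boolean(this.record && this.record.choices[category] === true);
  }
  // Store the decision per category with a timestamp, so consent can be
  // documented (GDPR) and re-applied consistently across pages.
  setConsent(choices, now = new Date()) {
    const clean = {};
    for (const c of OPTIONAL_CATEGORIES) {
      clean[c] = choices[c] === true; // only a literal true counts as a grant
    }
    this.record = { choices: clean, grantedAt: now.toISOString() };
    return this.record;
  }
  // Load every permitted tracker that has not been started yet; return what started.
  applyConsent() {
    const started = [];
    for (const t of TRACKERS) {
      if (this.allowed(t.category) && !this.loaded.has(t.id)) {
        this.loadScript(t.id);
        this.loaded.add(t.id);
        started.push(t.id);
      }
    }
    return started;
  }
}

// Walkthrough: page load (essential only), then a visitor who allows
// analytics but rejects advertising.
function demo() {
  const log = [];
  const cm = new ConsentManager((id) => log.push(id));
  const beforeChoice = cm.applyConsent();
  cm.setConsent({ analytics: true });
  const afterChoice = cm.applyConsent();
  return { beforeChoice, afterChoice, log };
}
```

The same manager can be re-run from the stored record on later page views, so a choice made once is honored on checkout pages and other properties without re-prompting.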

For DTC brands using Klaviyo or similar email platforms, remember that adding someone to your email list through a form requires consent. Under GDPR, that consent must be documented. Under CCPA, customers can request to know why their data is being used for marketing.

Data Subject Access Requests (DSARs) and Customer Privacy Questions

When a customer emails asking "What data do you have on me?" or "Delete my information," that's a data subject access request (DSAR). Under GDPR, you have 30 days to respond. Under CCPA and CPRA, you have 45 days (extendable to 90 days). Miss that deadline and you're automatically non-compliant.

DSARs are more common than most eCommerce brands expect. A customer might request their data after reading privacy news, or before they close their account, or because they're just curious. Your team needs a process to handle these requests quickly.

Here's what you need to compile when a DSAR comes in:

  • All personal data stored in your customer database (name, email, phone, purchase history, IP address)
  • Data held by third parties (your email platform, payment processor, analytics tool, fulfillment partner)
  • Logs showing when that data was collected and why
  • Any data shared with advertising platforms or marketing partners

Many eCommerce brands discover during their first DSAR that they don't actually know where all their customer data lives. Your Shopify store keeps purchase records. Klaviyo has email engagement data. Your payment processor has billing addresses and card tokenization data. Your ad platform has behavioral targeting profiles. Compiling a complete picture takes time and coordination across teams.

California law also allows customers to authorize agents (like privacy advocates or lawyers) to submit DSARs on their behalf. You must verify the agent's authority, but you can't simply refuse requests from third parties.

If a DSAR comes in and you can't respond within the legal timeframe, you're exposed to enforcement action and potential fines. Some brands delegate DSAR handling to their legal team, but that slows response times. Others build internal workflows where customer service flags privacy requests immediately so they reach the right stakeholder.

State and International Privacy Laws Beyond CCPA and GDPR

The regulatory landscape is expanding rapidly. If you sell to customers outside California and the EU, you likely have other obligations brewing.

Virginia, Colorado, Connecticut, and Utah have all passed privacy laws similar in structure to CCPA. Virginia's Consumer Data Protection Act (VCDPA), Colorado's Colorado Privacy Act (CPA), and others take effect between 2023 and 2025. While they're less stringent than GDPR or CPRA—they focus more on opt-out rights than opt-in consent—they still require you to disclose data practices and honor consumer requests.

The pattern is clear: more states will pass privacy laws. At least a dozen additional states are considering privacy legislation modeled on CCPA or CPRA. For DTC brands, this means you can't simply follow CCPA rules and assume you're covered nationwide.

Outside North America, Canada's PIPEDA, Brazil's LGPD, and the UK's GDPR (post-Brexit) all apply to companies processing data from those regions. Australia's Privacy Act is also tightening. If your Shopify store ships internationally or markets across borders, you're likely subject to multiple regimes.

The practical challenge is that these laws have slightly different definitions of personal data, different consent mechanisms, and different enforcement bodies. What counts as a "sale" under CPRA might not count as data sharing under LGPD. Explicit consent required by GDPR might not be required by Virginia's VCDPA. Building a compliance strategy that accounts for all applicable laws — not just the most prominent ones — is the safest path forward for DTC brands operating across borders.

For a walkthrough of how PieEye handles CPRA compliance, book a demo.
