PieEye For CCPA/CPRA
Quick and Easy CPRA Compliance
On January 1, 2023, the California Privacy Rights Act (CPRA) comes into effect.
What is CCPA/CPRA?
The California Privacy Rights Act (CPRA) builds upon and expands the California Consumer Privacy Act (CCPA), which came into effect in 2020. The CPRA grants California residents new rights with respect to their personal information, including the right to opt out of the sale of their personal information and the right to request that their personal information be deleted. The CPRA also requires businesses to implement additional safeguards to protect the personal information of California residents and to provide greater transparency about their data collection and usage practices.
Does CPRA apply to me?
The CPRA applies to businesses that collect personal information from California residents and meet certain criteria, such as having annual gross revenues in excess of $25 million or buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year. However, even if you fall outside of these criteria, your consumers are still expecting your compliance.
Frequently Asked Questions
PieEye provides the correlation and machine learning approaches that automatically establish how identifiable data relates to a California consumer’s identity. There is no need to determine which data are names, addresses or emails. PieEye will then identify which data sets should be deleted in response to a request, enable targeted workflows and monitor whether additional data needs to be processed in the future.
Yes. There is no heavy lifting to implement your CPRA workflow, as our templates are based on best practices and built by privacy experts. PieEye will integrate with any cookie compliance vendor, of which there are many.
Yes. We will get you up and running quickly with our simplified webinars and product training. There is a step-by-step implementation with pre-configured CPRA workflows and best practices.
Yes. We allow consumers to attach evidence when submitting a request to verify their identity and proof of residence. We also leverage various identity verification approaches, including a simple email or phone verification, existing user login portals, or security questions.
There are 4 steps in the DSR workflow for DSR compliance:
- Intake the consumer’s request via the PieEye customized forms to determine if a consumer resides in California
- Validate the requestor’s identity
- Fulfill requests via PieEye’s integrated workflows to find and retrieve consumer data
- Communicate to the consumer that the request has been completed, using PieEye’s CPRA templates and a secure messaging portal.
How CPRA Impacts Your Ecommerce Data Stack
Your Shopify store, email marketing platform (like Klaviyo), and advertising tools (Meta Pixel, Google Analytics) all collect consumer data. Under CPRA, you're responsible for understanding what each tool does with that data and ensuring you can fulfill deletion requests across all of them.
When a California customer submits a data subject access request (DSAR), you need to locate their information not just in your CRM, but everywhere it flows. That means your payment processor, your analytics account, your email lists, and your ad platform records. Many eCommerce brands discover during their first DSAR that they don't actually know where all their customer data lives—or how to delete it permanently without breaking their marketing workflows.
The CPRA requires you to document these data flows. Create a simple spreadsheet listing every tool you use that touches customer data: your shopping cart, your email service, your SMS platform, your chat tool, your analytics. Note which of these tools will delete data when you ask them to, and which ones require manual requests. This audit becomes your roadmap for responding to requests quickly and staying compliant.
If you use third-party service providers (your payment processor, shipping software, CRM platform), CPRA requires you to have contracts in place that hold them accountable for handling data correctly. Most major platforms have updated their terms, but it's worth checking your current agreements to confirm they address CPRA deletion obligations.
The Right to Opt-Out vs. the Right to Delete
Many eCommerce brands confuse these two CPRA rights, and the distinction matters for how you respond.
Opt-out of the sale or sharing of data means the customer does not want their information used for targeted advertising or sold to third parties. On your site, you need a clear "Do Not Sell or Share My Personal Information" link (California requires this language). Once a customer opts out, you can still use their data for the transaction they requested and for internal analytics—you just cannot sell it or use it to fuel retargeting campaigns on Meta or Google.
Right to delete means the customer wants all their personal information removed from your systems. You cannot use it for anything, though you can keep transaction records for accounting and tax purposes. Deletion requests are more disruptive to your operations because they require you to actively scrub data from your marketing lists, your CRM, and anywhere else it appears.
Practically speaking, you need two separate workflows. An opt-out request is faster to fulfill—it's mostly a database flag. A deletion request requires coordination across multiple tools and typically takes longer. Make sure your DSAR intake form clearly asks the customer which right they're exercising, because the timeline and process differ.
Managing Consent on Your Shopify or BigCommerce Store
Your website is where CPRA compliance begins. Shopify and BigCommerce don't automatically make you CPRA-ready—you need to add your own consent mechanism.
A cookie banner or preference center should disclose what data you collect, why you collect it, and who has access to it. This is not about aesthetic design; it's about giving customers real information before you place tracking pixels, load analytics scripts, or inject cookies into their browser.
For eCommerce, be specific about which tools you're using. Instead of vague language like "analytics partners," say: "We use Google Analytics to understand how customers navigate our site" or "We use Meta Pixel to show you ads for products you viewed." Customers can then make informed decisions.
If a customer opts out of sale or sharing, disable your Meta Pixel and Google Ads remarketing tags for that user. If you use server-side tracking (a more privacy-friendly approach), you'll need to exclude opted-out users from your audience syncs to Meta and Google. This requires engineering work, but it's becoming table stakes for compliant eCommerce brands.
BigCommerce and Shopify both offer app integrations for consent management, but the out-of-the-box solutions are often minimal. A dedicated consent platform gives you granular control over what tracking fires based on user choices, and generates an audit trail proving you honored customer preferences.
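The opt-out handling described above, sketched as an added example (not PieEye's or any platform's own code): advertising tags are withheld from opted-out visitors, opted-out customers are left out of audience syncs, and each decision is written to an audit trail. The tag purposes, customer ids, consent store and function names are hypothetical.

```javascript
// Added example. Tag ids follow the tools named on this page; the purpose
// labels, customer ids and function names are hypothetical.
const TAGS = [
  { id: "google-analytics", purpose: "analytics" },
  { id: "meta-pixel", purpose: "advertising" },
  { id: "google-ads-remarketing", purpose: "advertising" },
];

// Constructed consent records keyed by customer id.
const consentStore = new Map([
  ["cust-1", { optOutSaleShare: false }],
  ["cust-2", { optOutSaleShare: true }],
]);

const auditLog = []; // append-only trail of every decision taken

function record(customerId, action, detail) {
  auditLog.push({ at: new Date().toISOString(), customerId, action, detail });
}

// Assumption of this example: a missing consent record is treated as an
// opt-out, so a failed lookup never leaks a customer into ad targeting.
function isOptedOut(customerId) {
  const rec = consentStore.get(customerId);
  return rec === undefined || rec.optOutSaleShare === true;
}

// Client side: tags that may load for this visitor. Advertising tags are
// dropped after an opt-out; analytics stays, as internal use is still allowed.
function allowedTags(customerId) {
  const optedOut = isOptedOut(customerId);
  const allowed = TAGS
    .filter((t) => !(optedOut && t.purpose === "advertising"))
    .map((t) => t.id);
  record(customerId, "tag-decision", { optedOut, allowed });
  return allowed;
}

// Server side: audience list for a sync to an ad platform, minus opt-outs.
function buildAudienceSync(customerIds) {
  return customerIds.filter((id) => {
    if (!isOptedOut(id)) return true;
    record(id, "audience-excluded", { reason: "opt-out of sale/sharing" });
    return false;
  });
}

console.log(allowedTags("cust-2"), buildAudienceSync(["cust-1", "cust-2", "cust-3"]));
```
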
Timelines and Common Delays in DSAR Fulfillment
CPRA gives you 45 days to respond to a valid DSAR (extendable to 90 days in complex cases). Many brands miss this deadline simply because they don't have a process in place.
The clock starts from the moment you receive the request. You need to verify the customer's identity within that 45-day window—if verification takes two weeks, you have 33 days left to locate and prepare the data. This is tight if you're doing it manually across multiple systems.
Common bottlenecks: waiting for a third-party vendor to respond to your data request, discovering that your backup systems still contain the customer's information (requiring a second deletion pass), or realizing your analytics tools retain data longer than you thought. Plan for these delays by building your DSR process now, while you don't have a queue of requests waiting.