The 2018 California Consumer Privacy Act (CCPA) is the first U.S. data privacy law to focus on consumers. A year after it took effect, California approved the California Privacy Rights Act (CPRA), an expansion of the original that gives Californians additional rights over, and places additional restrictions on, how businesses handle their data. Businesses should be aware of the changes in the CPRA to stay compliant when it goes into force in 2023 and to enjoy the benefits of privacy laws for eCommerce. Before proceeding, remember not to confuse data security with data privacy.
California Consumer Privacy Act (CCPA)
The CCPA was signed in 2018 and came into effect on January 1, 2020. It was enforced by the Office of the Attorney General until the CPRA was created. It is state-wide data privacy legislation that necessitates eCommerce data privacy consent management. It acts as an eCommerce data privacy guide, regulating how businesses handle the personal information (PI) of California residents and protecting this information against third-party sales or disclosure.
Section 1798.140 of the CCPA defines the sale of PI as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration."
The CCPA also grants residents of California (consumers) the right to access, modify, or delete their data. If a business shares a name, service mark, or trademark with another CCPA-covered entity, both must comply. A business that violates the CCPA might face fines of up to $7,500 per violation or $750 per person whose data was compromised. You might compare it to the EU’s GDPR, but the difference between GDPR and CCPA is that the GDPR reprimands firms proactively, whereas the CCPA is reactive.
California Privacy Rights Act (CPRA)
California voters enacted the CPRA on November 3, 2020, updating several provisions in the CCPA and introducing new rights. The CPRA amendments take effect on January 1, 2023, with enforcement slated for July. Some of the most notable changes are the transfer of enforcement to the new California Privacy Protection Agency, a $7,500 penalty for violations involving minors' data, and the "limit the use of my personal information" link requirement. Additionally, it limits data collection, storage, and use: businesses cannot retain personal or sensitive information "longer than is necessary for that disclosed purpose". There are also new restrictions on data sharing that allow consumers to opt out of behavioral advertising.
Which Rights Are Granted to Consumers Under CCPA & CPRA?
The CCPA grants the citizens of the Golden State the following rights:
- The right to know what personal information a business is collecting about them and how it's being used and shared
- The right to ask that any personal information collected from them is deleted
- The right to opt out of the sale of their personal information to third parties
- The right to nondiscrimination for exercising their CCPA rights
Meanwhile, the new rights under the CPRA include:
- Right to Correct Information. Consumers can ask businesses to rectify incorrect personal information. Covered businesses must notify consumers of this new right and take "commercially reasonable efforts" to update their PI upon request.
- Right to Limit Sensitive Personal Information. A new "sensitive personal information" subcategory allows consumers to limit the use and disclosure of that information to what is necessary to perform the services or deliver the goods.
- Right to Access Information About Automated Decision-Making. Consumers can ask about the basis behind automated decision-making and the expected outcome of processes.
- Right to Opt-Out of Automated Decision-Making Technology. Consumers can choose not to have certain information taken into account by automated decision-making technology.
It also expands consumer rights as specified in the CCPA, such as:
- Right to Know. Requests for personal information can go beyond the CCPA's 12-month look-back period for data collected from January 1, 2022, onwards.
- Right to Opt-Out. The opt-out provision will now cover both the sale and "sharing" of personal information.
- Right to Delete. Businesses that receive a consumer deletion request must notify any third parties who bought or acquired the customer's personal information, with some exceptions.
- Right to Data Portability. Customers can request that businesses transmit their PI to another organization if technically viable.
- Opt-In Rights for Minors. Businesses must wait a year before asking again if a minor (under 16 years old) refuses to supply their PI.
CCPA & CPRA Compliance Criteria
The CCPA applies to any for-profit organization, operating anywhere in the world, that buys, sells, and receives the personal information of more than 50,000 California residents each year, makes more than $25 million in yearly gross sales, or gets more than half of its annual income from doing so. The CPRA applies similar standards to the CCPA, the key difference being that the threshold has been raised from 50,000 to 100,000 California residents.
Businesses Must Start Taking Appropriate Steps
Every company that does business with Californians will be affected by the CPRA, whether it is located in the United States or anywhere else in the world. Businesses should start taking appropriate steps toward meeting CPRA data retention requirements to prevent penalties and fines when it comes into effect on January 1, 2023.
How CCPA & CPRA Impact Your Shopify Store's Data Practices
Your eCommerce platform collects customer data at every touchpoint — checkout, account creation, email signup, and browsing behavior. Under CCPA and CPRA, you're responsible for every piece of information you gather, even if a third-party app collects it on your behalf.
If you use Shopify, you're already collecting names, addresses, phone numbers, and purchase history. That's personal information. If you also run pixel-based advertising through Meta or Google, you're sharing behavioral data with those platforms — which counts as "sharing" under CPRA. Your customers now have the right to opt out of this sharing, and you must honor that request within 45 days.
This means your Shopify dashboard needs to track which customers have opted out of data sales and sharing. Many brands miss this: they assume Shopify handles it automatically, but you're the data controller. You must implement logic that prevents opted-out customers from being included in your Meta Pixel retargeting audiences or your Google Analytics segments used for ad targeting.
Additionally, if a customer requests deletion, you must delete their data from your core systems and notify any third parties you've shared it with — including your email service (Klaviyo, Mailchimp), your analytics platform, and your ad networks. Failure to do this can trigger fines.
Start by auditing which apps and integrations have access to customer data in your Shopify store. Document what data flows where. This inventory becomes your compliance foundation.
Cookie Banners and Consent Management on eCommerce Sites
If your store is accessible to California residents, you need a cookie banner — but not just any banner. CPRA requires that your banner clearly disclose what data you're collecting and for what purpose.
Many eCommerce brands use generic cookie banners that simply ask "Do you accept cookies?" This isn't CPRA-compliant. Your banner must specifically mention:
- Google Analytics tracking
- Facebook Pixel or other advertising pixels
- Email capture and marketing automation
- Third-party vendor access to customer data
California consumers expect granular control. A compliant banner lets visitors accept analytics but reject marketing cookies, for example. Many brands use a standard Shopify theme, but its default cookie banner may not meet full CPRA requirements without additional configuration.
Beyond the banner, you need a way to honor opt-out requests. When a customer clicks "Do not sell or share my data," that preference must persist across sessions and sync with your martech stack. If you're using Klaviyo for email, your consent tool should communicate to Klaviyo that this customer has opted out, preventing them from being added to behavioral segments.
One practical step: map your current cookie usage. Which cookies are essential (checkout, login) and which are optional (retargeting, analytics)? Only essential cookies should fire without consent. Optional cookies need explicit opt-in.
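As an added example (not code from the original article, nor from Shopify or any consent vendor), the following JavaScript shows the gating this section describes: essential tags load regardless, optional tags load only once the visitor has opted into their category, and the choice is stored so it persists across sessions. The storage key, the category names and the tag names are assumptions of the example; the storage object is injected so the same code runs against window.localStorage in a browser or an in-memory map here.

```javascript
// Consent-gated tag loading for a storefront. Added illustration; not
// Shopify's or any consent vendor's code. Storage is injected so the logic
// runs in a browser (window.localStorage) and in Node (a Map) alike.

const CONSENT_KEY = "privacy_consent_v1"; // assumed key, not a real product setting
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Starting state: no optional category has been consented to.
function defaultConsent() {
  return { analytics: false, marketing: false, recordedAt: null };
}

// Read a persisted choice; a missing or malformed record means "no consent".
function loadConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return defaultConsent();
  try {
    const parsed = JSON.parse(raw);
    return {
      analytics: parsed.analytics === true,
      marketing: parsed.marketing === true,
      recordedAt: typeof parsed.recordedAt === "string" ? parsed.recordedAt : null,
    };
  } catch (_err) {
    return defaultConsent();
  }
}

// Persist the visitor's choice with a timestamp for your records.
function saveConsent(storage, choice, now = new Date()) {
  const record = {
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
    recordedAt: now.toISOString(),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Registry of tags; each declares a category and a loader callback.
class TagManager {
  constructor() {
    this.tags = [];
    this.loaded = new Set();
  }
  register(name, category, load) {
    if (category !== "essential" && !OPTIONAL_CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    this.tags.push({ name, category, load });
  }
  // Fire every tag the current consent allows, each at most once.
  // Returns the names fired by this call.
  applyConsent(consent) {
    const fired = [];
    for (const tag of this.tags) {
      if (this.loaded.has(tag.name)) continue;
      const allowed = tag.category === "essential" || consent[tag.category] === true;
      if (!allowed) continue;
      tag.load();
      this.loaded.add(tag.name);
      fired.push(tag.name);
    }
    return fired;
  }
}

// In-memory stand-in for window.localStorage (same getItem/setItem contract).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

// Constructed tag set: one essential tag, one analytics tag, one marketing tag.
function registerStorefrontTags(tm, log) {
  tm.register("checkout-session", "essential", () => log.push("checkout-session"));
  tm.register("ga4", "analytics", () => log.push("ga4"));
  tm.register("meta-pixel", "marketing", () => log.push("meta-pixel"));
}

// Walk-through: first visit fires only the essential tag; the visitor then
// accepts analytics but rejects marketing; a later session reloads that choice.
function demo() {
  const storage = new MemoryStorage();
  const log = [];
  const tm = new TagManager();
  registerStorefrontTags(tm, log);
  const firstVisit = tm.applyConsent(loadConsent(storage));
  saveConsent(storage, { analytics: true, marketing: false });
  const afterChoice = tm.applyConsent(loadConsent(storage));
  const tm2 = new TagManager(); // new page load: fresh registry, same storage
  registerStorefrontTags(tm2, log);
  const nextSession = tm2.applyConsent(loadConsent(storage));
  return { firstVisit, afterChoice, nextSession, log };
}
```

In a real storefront you would call loadConsent(window.localStorage) on every page load and applyConsent again after the banner records a choice. The sync to Klaviyo mentioned above would hang off saveConsent, which is also where the recorded timestamp becomes useful as evidence of when the choice was made.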
Data Subject Access Requests (DSARs) — Preparing Your Infrastructure
CPRA gives customers the "Right to Know" — they can request all personal information your business has collected about them. You have 45 days to respond. For a mid-market eCommerce brand, this can be overwhelming if you don't have systems in place.
A DSAR from one customer requires you to search multiple databases: your Shopify store, your email platform (Klaviyo), your analytics backend, your CRM, and potentially your ad platform's custom audience files. Manually pulling this data is error-prone and time-consuming.
Start building a DSAR workflow now. Document which systems hold customer data and how to export it. Some platforms make this easier than others — Shopify has basic export features, but Klaviyo requires manual work or API access to pull full customer profiles. Google doesn't give you direct access to the data it holds; customers must request it directly from Google.
Create a template response that lists all the data you've collected about the customer (purchase history, email interactions, browsing data, tags, segments, etc.). Be transparent. If you've been tracking a customer through your Meta Pixel for six months, tell them that.
Failing to respond to a DSAR in 45 days triggers automatic penalties, so this isn't optional. Fines for non-compliance under CPRA can reach $7,500 per intentional violation.
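The workflow above, as an added example that is not part of the original article and is not Shopify's or Klaviyo's code: a small JavaScript DSAR compiler that queries one adapter per system, computes the 45-day deadline, records any source that could not be queried as a gap instead of silently omitting it, and notes the data held by Google that the customer must request directly. The adapter signature, field names and sample records are constructed for the example; in production each adapter would call that system's export or API.

```javascript
// Compiling a Right-to-Know (DSAR) response package from several systems.
// Added illustration, not Shopify's or Klaviyo's code. Adapters read
// constructed sample data here; their (email) => data signature is assumed.
const DSAR_RESPONSE_WINDOW_DAYS = 45;

// Constructed sample data standing in for what each system would return.
const SAMPLE_SHOPIFY = {
  "ada@example.com": { orders: [{ id: "1001", total: "42.00" }], tags: ["vip"] },
};
const SAMPLE_KLAVIYO = {
  "ada@example.com": { lists: ["newsletter"], emailOpens: 12, segments: ["engaged-90d"] },
};

// Each adapter takes a normalized email and returns what that system holds,
// null when it holds nothing, or throws when it cannot be queried.
const ADAPTERS = {
  shopify: (email) => SAMPLE_SHOPIFY[email] || null,
  klaviyo: (email) => SAMPLE_KLAVIYO[email] || null,
  analytics: () => { throw new Error("warehouse export job unavailable"); },
};

// Parties whose data you cannot export; the response must say so and point
// the customer at that party.
const EXTERNAL_HOLDERS = {
  google: "Request this data directly from Google; we cannot export it on your behalf.",
};

function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// Statutory response deadline: date received plus 45 days (UTC calendar).
function dueDate(received, days = DSAR_RESPONSE_WINDOW_DAYS) {
  const d = new Date(received.getTime());
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString().slice(0, 10);
}

// Query every adapter; a failing source becomes a recorded gap rather than
// an answer that quietly omits a system.
function compileDsar(rawEmail, adapters, received = new Date()) {
  const email = normalizeEmail(rawEmail);
  const report = {
    subject: email,
    received: received.toISOString().slice(0, 10),
    dueBy: dueDate(received),
    sections: {},
    gaps: [],
    externalHolders: EXTERNAL_HOLDERS,
  };
  for (const [name, fetchHeld] of Object.entries(adapters)) {
    try {
      const data = fetchHeld(email);
      report.sections[name] = data === null ? { held: false } : { held: true, data };
    } catch (err) {
      report.gaps.push({ source: name, reason: err.message });
    }
  }
  return report;
}

// Only send the package when no source is still outstanding.
function readyToSend(report) {
  return report.gaps.length === 0;
}

// Plain-text rendering of the package for the customer.
function renderReport(report) {
  const lines = [`Data we hold about ${report.subject} (response due ${report.dueBy})`];
  for (const [name, section] of Object.entries(report.sections)) {
    lines.push(section.held ? `${name}: ${JSON.stringify(section.data)}` : `${name}: no data held`);
  }
  for (const [name, note] of Object.entries(report.externalHolders)) lines.push(`${name}: ${note}`);
  for (const gap of report.gaps) lines.push(`${gap.source}: PENDING (${gap.reason})`);
  return lines.join("\n");
}
```

The gap list is the point of the design: a source that is down on the day the request arrives is an operational problem to chase, not a reason to send a shorter answer, and the deadline is computed from the date the request was received rather than the date someone got round to it.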
Opting Out of Behavioral Advertising and Your Ad Strategy
Under CPRA, customers can opt out of "behavioral advertising" — meaning you can't use their data to show them targeted ads based on their browsing or purchase behavior. This directly impacts your DTC marketing playbook.
If you rely heavily on Meta Pixel retargeting, Google Ads dynamic remarketing, or lookalike audiences built from your customer list, you need a strategy for honoring opt-outs. When a customer selects "Limit the Use of My Data," you should not:
- Add them to a retargeting audience
- Use their data to build lookalike audiences
- Track their behavior across your site for ad purposes
- Share their email with Meta or Google for matching
This doesn't mean you can't email them or show them standard (non-behavioral) ads. It means your targeting becomes less sophisticated for that customer.
For your brand, this likely means your ROAS on retargeting campaigns will decline slightly as opt-out rates grow. Plan for this. You might need to shift budget toward first-party channels like email, SMS, and organic search — which don't depend on behavioral data sharing.
The silver lining: brands that make opting out seamless often build customer trust, which can improve lifetime value even if immediate conversion rates dip.