
Top 5 Differences Between CCPA & PIPEDA—A Breakdown

The PieEye Team
Dive into the Privacy Abyss: Unveiling the Top 5 Differences Between CCPA and PIPEDA

The California Consumer Privacy Act (CCPA) is a state law that regulates how businesses handle personal information. While the United States has yet to implement a national data privacy and security law, California paved the way for states to create their own consumer privacy regulations when it enacted the CCPA in 2018. The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s national data privacy law. PIPEDA lays out the ground rules for how businesses must handle personal information in the course of commercial activities. Although it predates CCPA, PIPEDA’s privacy provisions are neither as stringent nor as clear-cut. However, if approved, new legislation introduced by Canada's federal government would fortify the country's privacy laws. Both CCPA and PIPEDA are designed to protect consumers by giving them control over their personal data, but there are some key differences. We discuss the top five differences below as a guide to eCommerce data privacy.

  1. Scope of Obligation

CCPA

CCPA covers for-profit businesses that collect personal information from California residents and fulfill at least one of the following criteria:

  • Gross annual revenue greater than $25 million
  • Buys, sells, or shares personal information of 50,000 or more consumers, devices, or households annually
  • 50% or more of their revenue is accrued from selling consumer information

CCPA compliance applies to the following:

  • Businesses that control or are controlled by a covered business
  • Businesses with the same name, service mark, branding, or trademark as a covered business
  • Service providers and third parties that use personal information provided by a covered business

PIPEDA

PIPEDA applies to commercial enterprises in the Canadian private sector that collect, use, or disclose personal information during commercial activity. Under PIPEDA, commercial activity refers to "any particular transaction, act, or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists." PIPEDA applies to the entire country, with a few exceptions for provinces where another data protection law exists. PIPEDA is also applicable:

  • If the organization's operations have a connection to Canada. Such organizations can be considered Canadian even if they're located outside of Canada.
  • To nonprofits, small businesses, and charities that may also be engaged in commercial activities
  • To businesses located in Canada that handle personal information from other provinces or countries as part of their commercial activities

  2. Consumer Rights

Right to Data Portability

CCPA

If a consumer asks a business for the personal information it holds about them, the business must provide it in an accessible format so they can easily move it to another entity if needed.

PIPEDA

Unlike CCPA, PIPEDA does not give consumers the right to transfer their data.

Right to Deletion

CCPA

The CCPA gives consumers the right to instruct a business to delete any personal information collected about them (with some exceptions). When receiving such a request, businesses must ensure their service providers also delete the relevant data.

PIPEDA

Under PIPEDA, consumers do not have the same right to erasure as they do under CCPA.

Right to Correction

CCPA

Consumers don't have a legal right to edit incorrect or incomplete personal information collected about them.

PIPEDA

Under PIPEDA, individuals have the authority to request that information about them be corrected if they can show that it's inaccurate or incomplete.

  3. Data Processing & Storage

CCPA

There's no limit to the amount of data businesses can store under CCPA.

PIPEDA

PIPEDA dictates that personal information should only be kept for as long as it's needed to complete the task for which it was collected.

  4. Enforcement of Penalties

CCPA

CCPA enforces fines of $2,500 per unintentional violation and up to $7,500 per intentional violation. Businesses have a 30-day grace period in which they can fix any identified violations before being fined.

PIPEDA

The maximum penalty for a PIPEDA violation is 100,000 Canadian dollars.

  5. Obligation to Respond to Rights Requests

CCPA

When a business receives a verifiable consumer rights request, it must respond within 45 days. In certain circumstances, this period may be extended by 45 or 90 days. If the business does not comply with the request, it must inform the consumer of the reasons for its inaction.

PIPEDA

Under PIPEDA, organizations must respond to rights requests within 30 days of receiving them.

Conclusion

This article isn't a comprehensive account of the differences between CCPA and PIPEDA, but rather acts as a guide. Additional research and consultation with a third-party expert are advised, because you want to avoid any violations and penalties. Other regions' data privacy laws, such as CCPA vs LGPD and CCPA and CPRA vs GDPR, are just as important to understand.

How CCPA and PIPEDA Affect Your Shopify Store's Data Collection

If you run a Shopify store that sells to both US and Canadian customers, you need to understand which law applies to each transaction. Your store automatically falls under CCPA if you have California customers and meet any of the revenue or data-sale thresholds. For Canadian customers, PIPEDA applies regardless of your company size — even small DTC brands must comply.

This creates a practical problem: your Shopify checkout collects the same customer data for both groups, but the rules differ. A California customer can demand you delete their data; a Canadian customer can demand you correct it. You can't have two separate systems running on the same store.

The safest approach is to implement the stricter standard across your entire operation. This means adopting CCPA's deletion rights and data portability rules for all customers, not just Californians. It's more work upfront, but it eliminates the risk of accidentally violating PIPEDA when you're focused on CCPA compliance.

Your Shopify apps and integrations complicate this further. If you use Klaviyo for email marketing, Google Analytics for traffic tracking, or Meta Pixel for ads, each tool processes customer data differently. You need to know which laws apply to each tool and ensure your service agreements (Shopify's terms, Klaviyo's terms, etc.) actually permit the data flows you're using. Many brands skip this step and discover violations only when a customer files a rights request.

Service Provider Requirements: What You Need from Your Tech Stack

CCPA explicitly requires you to control how your service providers handle customer data. When you use Shopify, Klaviyo, Recharge, or any third-party app, that vendor is acting as your service provider (or potentially as a separate data controller). You're legally responsible for ensuring they follow your privacy obligations.

Under CCPA, you must have a written contract with each service provider that specifies they can only use customer data on your behalf and must delete it upon request. If a customer asks you to delete their data, you need to delete it everywhere — including in Klaviyo, Google Analytics, and any other platform where it lives. If your service provider refuses or delays, you could still face fines.

PIPEDA has less prescriptive language around service providers, but the principle is similar: you're accountable for how third parties handle personal information on your behalf. This means you need to audit your tech stack regularly.

Create a data inventory: list every tool that touches customer data (email platform, CRM, analytics, retargeting pixels, review platforms, shipping integrators). For each one, confirm:

  • Do the vendor's terms allow data deletion and portability?
  • Can you access and export customer data if a DSAR arrives?
  • How long do they retain data if you don't manually delete it?
  • Do they sub-process data to other vendors?

If a vendor can't meet your requirements, you may need to switch platforms or negotiate stricter terms. This is especially critical for email marketing and ad retargeting, where residual data is common.

Rights Requests and Your Support Team: The Practical Workflow

A rights request — also called a Data Subject Access Request (DSAR) or consumer rights request — isn't abstract legal speak. It's a real email that lands in your support inbox asking for deletion, portability, or correction. Your team needs a process to handle it.

Under CCPA, you have 45 days to respond. Under PIPEDA, you have 30 days. Missing these deadlines results in violations, even if you're working hard behind the scenes. You need a documented workflow.

Set up a simple process: when a customer emails requesting their data, flag it immediately and route it to a single owner (your privacy lead) working from a compliance checklist. That person must:

  1. Verify the customer's identity (don't just trust the email address)
  2. Pull their data from Shopify, your email platform, and analytics tools
  3. Compile it in a readable format (usually a PDF or spreadsheet)
  4. Send it within your legal deadline
  5. Document that you responded and what you sent

For deletion requests, the process is more complex. You must delete from Shopify, but also from Klaviyo, Google Analytics, Meta's systems, and any other platform. Google Analytics doesn't have a true deletion feature (it only anonymizes), so you need to understand what "deletion" means for each tool.

Keep records of every request and your response. If a regulator audits you, they'll ask for proof you handled requests on time. A simple spreadsheet tracking request date, customer name, what was requested, and your response date is sufficient — but it must be accurate.
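A small tracker for the workflow above, added here as an example and not part of the original post or of PieEye's product. It encodes the response windows the post states (45 days under CCPA, extendable by 45 or 90 days; 30 days under PIPEDA) and the rights each law grants per the comparison earlier on the page, and it flags which of the steps (identity verification, data pulled from every system) are still outstanding. Field names, the ISO date format and the list of systems are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Response windows in days and the permitted CCPA extensions, as stated in the post.
RESPONSE_DAYS = {"CCPA": 45, "PIPEDA": 30}
CCPA_EXTENSIONS = {45, 90}
# Rights each law grants according to the post's comparison (access is common to both).
STATUTORY_RIGHTS = {"CCPA": {"access", "deletion", "portability"},
                    "PIPEDA": {"access", "correction"}}


@dataclass
class RightsRequest:
    """One row of the tracking sheet the post recommends; dates are ISO YYYY-MM-DD (assumed)."""
    customer: str
    law: str                        # "CCPA" or "PIPEDA"
    request_type: str               # access, deletion, portability or correction
    received: str
    identity_verified: bool = False
    extension_days: int = 0         # CCPA only: 0, 45 or 90
    systems_pulled: list = field(default_factory=list)
    responded: Optional[str] = None

    def deadline(self) -> str:
        """Legal due date: received + statutory window (+ a valid CCPA extension)."""
        if self.law not in RESPONSE_DAYS:
            raise ValueError(f"unknown law {self.law!r}")
        if self.extension_days and (self.law != "CCPA" or self.extension_days not in CCPA_EXTENSIONS):
            raise ValueError("only CCPA requests may be extended, and only by 45 or 90 days")
        days = RESPONSE_DAYS[self.law] + self.extension_days
        return (date.fromisoformat(self.received) + timedelta(days=days)).isoformat()

    def status(self, today: str) -> str:
        """'open' or 'overdue' while unanswered; 'on_time' or 'late' once answered."""
        if self.responded is not None:
            return "on_time" if self.responded <= self.deadline() else "late"
        return "overdue" if today > self.deadline() else "open"

    def blockers(self, required_systems: list) -> list:
        """Workflow steps from the post still outstanding before a response can go out."""
        issues = [] if self.identity_verified else ["identity not verified"]
        missing = sorted(set(required_systems) - set(self.systems_pulled))
        if missing:
            issues.append("data not pulled from: " + ", ".join(missing))
        return issues

    def is_statutory(self) -> bool:
        """False when the right is honored only under the post's stricter-standard policy."""
        return self.request_type in STATUTORY_RIGHTS.get(self.law, set())
```

Because ISO dates compare correctly as strings, the same records can live in the spreadsheet the post describes and still be checked mechanically for overdue requests.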

The Role of Cookie Consent and Privacy Policies in CCPA vs. PIPEDA Compliance

Your cookie banner and privacy policy are your first line of defense, but they work differently under CCPA and PIPEDA. Many eCommerce brands treat them as a single solution, which creates gaps.

Under CCPA, a cookie banner must allow customers to opt out of the sale of their personal information. Critically, "sale" includes sharing data with ad platforms like Meta and Google for retargeting, even if you're not receiving payment. Many brands think a generic "Accept" button satisfies this, but CCPA requires an explicit "Do Not Sell My Personal Information" link or button that is as prominent as the Accept button.

Your privacy policy must disclose what data you collect, why, and how long you keep it. It must also explain consumer rights (deletion, portability, non-discrimination). Under CCPA, you must update this policy at least annually and within 60 days of any material change.

PIPEDA's requirements are similar but less prescriptive. You need a privacy policy, but PIPEDA doesn't mandate a specific format or structure. However, you must be transparent about data collection, and you should prominently display how customers can request access or correction.

The practical difference: a CCPA-compliant cookie banner may not fully satisfy PIPEDA, and vice versa. A banner that discloses "Sale of Personal Information" is CCPA-focused but doesn't address PIPEDA's correction rights or data retention limits.

Your approach should be to layer requirements. Use a cookie consent platform (sometimes called a CMP) that lets you:

  • Display different messages based on customer location
  • Provide granular controls (Analytics, Marketing, Essential)
  • Log consent for audit purposes
  • Sync consent signals to your email and ad platforms

This way, a California visitor sees CCPA-compliant messaging, and a Canadian visitor sees PIPEDA-focused messaging — all from the same Shopify store.

For a walkthrough of how PieEye handles CPRA compliance, book a demo.
