
CCPA Privacy Policy Requirements for Ecommerce

CCPA and CPRA privacy policy requirements for online stores. Learn required disclosures, consumer rights, Do Not Sell links, and Shopify compliance tips.

California's privacy law, the CCPA as amended by the CPRA, sets specific requirements for how ecommerce businesses must disclose their data practices to California residents. If your online store meets the revenue or data-volume thresholds and serves California customers, your privacy policy needs more than generic boilerplate: it must include particular disclosures, honor consumer rights, and provide clear opt-out mechanisms.

Who Must Comply with CCPA/CPRA

CCPA applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenue over $25 million (adjusted for inflation every two years), buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. Many growing ecommerce brands hit the 100,000-consumer threshold before they expect it, because visitors whose cookie or device identifiers reach an ad platform count toward it, not only paying customers.

CPRA updates

The CPRA expanded the CCPA with new concepts such as 'sharing' personal information for cross-context behavioral advertising, meaning disclosure to a third party so that ads can be targeted based on a consumer's activity across other sites and apps. Even if you never sell data for money, passing browsing or purchase data to ad networks is sharing and triggers opt-out requirements.

Required Privacy Policy Disclosures

Your privacy policy must describe your data practices in plain language. California regulators expect specific sections that go beyond what a minimal GDPR-focused policy might include.

  1. Categories of personal information collected in the past 12 months
  2. Categories of sources from which information is collected
  3. Business or commercial purposes for collecting each category
  4. Categories of third parties with whom information is shared
  5. Whether you sell or share personal information and the categories involved
  6. Retention periods or criteria for determining how long data is kept
  7. Rights available to California consumers and how to exercise them

California Consumer Rights You Must Honor

California residents have the right to know what personal information you collect, to request deletion, to correct inaccurate data, to opt out of sale or sharing, to limit use of sensitive personal information, and not to face discrimination for exercising these rights. Your privacy policy must explain each right and provide at least two methods to submit requests. A business that operates exclusively online and has a direct relationship with its customers may offer just an email address; otherwise you need a toll-free phone number plus at least one other method, typically a web form.

  • Right to know: disclose categories and specific pieces of personal information collected
  • Right to delete: remove personal information with certain exceptions for transactions and security
  • Right to correct: fix inaccurate personal information you maintain
  • Right to opt out of sale/sharing: stop sharing data with ad partners for behavioral advertising
  • Right to limit: restrict use of sensitive personal information like precise geolocation

The 'Do Not Sell or Share' Requirement

If you use Meta Pixel, Google Ads remarketing, or data brokers, you are almost certainly 'sharing' (and possibly selling) personal information under CPRA definitions. You must provide a clear 'Do Not Sell or Share My Personal Information' link on your homepage and on every page that collects personal information (a combined 'Your Privacy Choices' link with the opt-out icon is also permitted), and honor opt-out requests no later than 15 business days after receiving them. The 45-day window applies to requests to know, delete, and correct, not to opt-outs. Many Shopify merchants add the link to the footer alongside their privacy policy, which places it on every page.

Implementing opt-out on Shopify and WooCommerce

  1. Add a footer link labeled 'Do Not Sell or Share My Personal Information'
  2. Create a simple form or use a compliance tool to process opt-out requests; do not require the visitor to create an account or log in to opt out
  3. Treat Global Privacy Control (GPC) signals as valid opt-out requests: detect the Sec-GPC: 1 request header on the server or navigator.globalPrivacyControl in the browser and apply the opt-out automatically, without a click on the link
  4. Stop passing opted-out visitors' data to third-party advertisers: do not load the pixel or tag for them, and where the platform offers a restricted-processing flag (such as Meta's Limited Data Use or Google's restricted data processing), set it for those users
  5. Document each request, how it was received, and when it was honored, and keep those records for your compliance files
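The five steps above, implemented as one browser-side script. This is an added example, not Shopify, WooCommerce or StoreComply code; the cookie name ccpa_opt_out, the data-ccpa-opt-out attribute, the /privacy/opt-out endpoint and the AW- tag id are assumptions for illustration. It shows the two places the GPC signal is exposed (the Sec-GPC request header and navigator.globalPrivacyControl), the decision that gates loading of the Meta and Google tags, and a compliance-log record that carries the 15-business-day deadline.

```javascript
// Added example (not Shopify, WooCommerce or StoreComply code). Gate
// cross-context advertising tags on an explicit "Do Not Sell or Share"
// opt-out and on the Global Privacy Control (GPC) signal, and produce the
// compliance record. Cookie name, data attribute, endpoint and the AW- id
// are assumptions for illustration only.

const OPT_OUT_COOKIE = "ccpa_opt_out";        // assumed cookie name
const OPT_OUT_MAX_AGE = 60 * 60 * 24 * 365;    // remember the choice for a year

// Tags that "share" data for behavioral advertising. Placeholder id, not a real account.
const AD_TAGS = [
  { name: "meta-pixel", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { name: "google-ads", src: "https://www.googletagmanager.com/gtag/js?id=AW-000000000" },
];

// Parse a Cookie header or document.cookie string into a plain object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const raw = part.slice(eq + 1).trim();
    try { jar[name] = decodeURIComponent(raw); } catch { jar[name] = raw; } // keep malformed values raw
  }
  return jar;
}

// GPC is exposed as navigator.globalPrivacyControl === true in the browser
// and as the request header "Sec-GPC: 1" on the server. Anything else means
// "no signal": a "0" or a string "true" is not an opt-out.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}
function gpcFromHeaders(headers) {
  const v = headers["sec-gpc"] !== undefined ? headers["sec-gpc"] : headers["Sec-GPC"];
  return v !== undefined && String(v).trim() === "1";
}

// Core decision: either opt-out wins. The CPRA regulations require a GPC
// signal to be processed as a valid opt-out, so it is not merely advisory.
function sharingAllowed({ gpc, cookies }) {
  if (gpc) return false;
  if ((cookies || {})[OPT_OUT_COOKIE] === "1") return false;
  return true;
}

// Tag URLs that may be loaded for this visitor; an empty list shares nothing.
function tagsToLoad(ctx) {
  return sharingAllowed(ctx) ? AD_TAGS.map((t) => t.src) : [];
}

// Opt-out requests must be honored within 15 business days of receipt.
// Weekends are skipped; add your holiday calendar for a production deadline.
function addBusinessDays(start, n) {
  const d = new Date(start.getTime());
  for (let added = 0; added < n; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) added++;
  }
  return d;
}

// Compliance-log entry for step 5: who asked, how, and the deadline.
function optOutRecord(source, receivedAt = new Date()) {
  return {
    source,                                    // "link", "form", "gpc", ...
    receivedAt: receivedAt.toISOString(),
    honorBy: addBusinessDays(receivedAt, 15).toISOString(),
  };
}

function injectTags(doc, urls) {
  for (const src of urls) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = src;
    doc.head.appendChild(s);
  }
}

// Browser wiring; skipped when this file is loaded under Node for testing.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const ctx = { gpc: gpcFromNavigator(navigator), cookies: parseCookies(document.cookie) };
  injectTags(document, tagsToLoad(ctx));
  const setOptOutCookie = () => {
    document.cookie = `${OPT_OUT_COOKIE}=1; Max-Age=${OPT_OUT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
  };
  // Persist a signal-driven opt-out so server-rendered pages see it too.
  if (ctx.gpc && ctx.cookies[OPT_OUT_COOKIE] !== "1") setOptOutCookie();
  // Footer link: <a href="/privacy/opt-out" data-ccpa-opt-out>Do Not Sell or Share My Personal Information</a>
  const link = document.querySelector("a[data-ccpa-opt-out]");
  if (link) {
    link.addEventListener("click", (ev) => {
      ev.preventDefault();
      setOptOutCookie();
      // Log the request server-side (assumed endpoint) for your records and,
      // for signed-in customers, to apply it across devices; keepalive lets the
      // request finish while the page moves on to the confirmation.
      fetch("/privacy/opt-out", {
        method: "POST", credentials: "same-origin", keepalive: true,
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(optOutRecord("link")),
      }).catch(() => {});
      location.href = link.href;
    });
  }
}
```

gpcFromHeaders is the piece to call from a Liquid or PHP template: deciding server-side whether to emit the tag at all is stricter than stripping it client-side, because the pixel's script never reaches the browser. Note that sharingAllowed treats only the exact cookie value "1" and the exact boolean true from the navigator as opt-outs, so a forged or truncated value fails closed toward loading nothing only when it matches; anything ambiguous should be resolved by the server-side record rather than by guessing in the browser.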

Writing a CCPA-Compliant Privacy Policy

Start with an honest inventory of what your store collects: account details, purchase history, device identifiers from cookies, and data passed to email and ad platforms. Map each data category to your business purpose. Compliance tools like StoreComply generate CCPA-specific policy sections based on your actual integrations, which reduces the risk of missing a required disclosure.

CCPA vs. GDPR: What Ecommerce Merchants Need to Know

GDPR focuses on lawful basis and opt-in consent for cookies. CCPA emphasizes transparency and opt-out rights for data sales and sharing. Stores serving both markets need policies and technical measures that satisfy both frameworks. A single privacy policy can cover both if it includes all required sections for each jurisdiction.

Frequently asked questions

Does CCPA apply to small Shopify stores?
It applies if you meet any of the three thresholds; for stores, the most common trigger is buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year. High-traffic stores and those using extensive tracking reach this faster than expected, because shared ad-platform identifiers count, not just orders.
Do I need a separate CCPA privacy policy?
You can include CCPA disclosures in your main privacy policy under a 'California Residents' section. It must contain all required elements rather than a generic statement about compliance.
What counts as 'selling' data under CCPA?
Selling includes exchanging personal information for monetary or other valuable consideration. Sharing data with ad networks for cross-context behavioral advertising is treated as 'sharing' and triggers opt-out rights even without a direct payment.
How quickly must I respond to CCPA requests?
For requests to know, delete, or correct, you must acknowledge the request within 10 business days and fulfill it within 45 calendar days, with a possible 45-day extension if you notify the consumer. Opt-out of sale/sharing and limit requests are faster: they must be honored within 15 business days, and a GPC signal counts as such a request.

Skip the template hunt

StoreComply generates privacy, terms & cookie policies, blocks GA/Meta until consent, and includes a cookie scanner — from $19/mo.
