CCPA Ready · Shopify

US state privacy (CCPA/CPRA) for Shopify sellers: do the rules apply to you?

CCPA/CPRA (California) plus 10+ newer state laws require a privacy notice, a "Do Not Sell or Share" link, honoring opt-out signals, and consumer data rights. Check yours.


How US state privacy (CCPA/CPRA) works on Shopify

Shopify gives you the storefront and checkout, but legal compliance is on you, the merchant — Shopify's own terms make that explicit. The platform ships some tools (a cookie-banner and customer-privacy API, a hosted PCI-compliant checkout), but switching them on and configuring them correctly is your job, not Shopify's.

📦 On Shopify: Shopify merchants write their own policies, flows and disclosures, so US federal and state rules land directly on you, not on Shopify.

Does this apply to you?

This rule applies to Shopify sellers who sell to or collect data from consumers in California or other US states. Sell to US consumers? California + new state laws require a privacy notice, opt-out, and a 'Do Not Sell' link. Not sure? The free checker tells you in about a minute — no signup.

The Shopify checklist

Whatever the platform handles, you still need to be able to answer "yes" to each of these — these are the points Shopify sellers most often get caught on:

What's at stake

⚠️ Exposure: $2,500/violation — $7,500 if intentional or a minor · Status: In force. On Shopify, that's on top of any account suspension for breaking platform policy.


Common questions

Do I have to handle US state privacy (CCPA/CPRA) myself on Shopify, or does Shopify cover it?

Shopify gives you the storefront, but US state privacy (CCPA/CPRA) compliance is the seller's responsibility; the platform doesn't do it for you. The free checker shows exactly where you stand in about a minute.

Does CCPA apply to my business?

California's CCPA/CPRA applies above certain thresholds (revenue, data volume, or selling data), and 10+ other states have similar laws. If you sell to US consumers and collect personal data or use targeted ads, you likely need a notice and opt-out.

What is a 'Do Not Sell or Share' link?

A clear, account-free link (often "Your Privacy Choices") letting consumers opt out of the sale or sharing of their personal information — including cross-context behavioural advertising cookies.

What is GPC and do I have to honor it?

Global Privacy Control is a browser opt-out signal. Under CPRA and several state laws you must treat it as a valid opt-out of sale/sharing.

The source

RuleGoose checks this against the California CCPA/CPRA + US state privacy laws. Read it yourself: California AG — CCPA →

Check your Shopify store against US state privacy (CCPA/CPRA) — free.
Answer a few questions, see exactly where you're exposed, and draft the fix. No signup, runs in your browser. Run the CCPA Ready checker →

or get one RuleGoose Score across every rule your Shopify store has to meet.

The full Shopify picture

US state privacy (CCPA/CPRA) is one of several rules a Shopify store has to meet. See the full Shopify compliance checklist →, or read the platform-neutral US state privacy (CCPA/CPRA) guide.


Informational only, not legal advice, and not affiliated with California, the FTC, or Shopify. Last reviewed 2026-06-30.