CCPA Ready · WooCommerce

US state privacy (CCPA/CPRA) for WooCommerce sellers: do the rules apply to you?

CCPA/CPRA (California) plus 10+ newer state laws require a privacy notice, a "Do Not Sell or Share" link, honoring opt-out signals, and consumer data rights. Check yours.

In force US rules WooCommerce

How US state privacy (CCPA/CPRA) works on WooCommerce

WooCommerce is self-hosted, so almost nothing is handled for you — you own the stack, the data, and therefore the compliance. That's more control and more responsibility than a hosted marketplace.

📦 On WooCommerce: Self-hosting means US privacy, marketing and auto-renewal rules apply to you directly, and the configuration (consent, disclosures, cancel flow) is entirely yours.

Does this apply to you?

This rule applies to WooCommerce sellers who sell to or collect data from consumers in California or other US states. Sell to US consumers? California + new state laws require a privacy notice, opt-out, and a 'Do Not Sell' link. Not sure? The free checker tells you in about a minute — no signup.

The WooCommerce checklist

Whatever the platform handles, you still need to be able to answer "yes" to each of these — these are the points WooCommerce sellers most often get caught on:

Published privacy notice, reviewed in the last 12 months?
Do you sell or 'share' personal info (incl. ad cookies)?
Do you honor opt-out preference signals (GPC)?
Can consumers request access/deletion/correction?
Do you disclose data categories + purposes?
Discounts in exchange for data (loyalty)?
Do you avoid penalizing users who exercise rights?

What's at stake

⚠️ Exposure: $2,500/violation — $7,500 if intentional or a minor · Status: In force. On WooCommerce, that's on top of any account suspension for breaking platform policy.

Compare the penalty for every rule →

Common questions

Do I have to handle uS state privacy (CCPA/CPRA) myself on WooCommerce, or does WooCommerce cover it?

WooCommerce gives you the storefront, but uS state privacy (CCPA/CPRA) compliance is the seller's responsibility — the platform doesn't do it for you. The free checker shows exactly where you stand in about a minute.

Does CCPA apply to my business?

California's CCPA/CPRA applies above certain thresholds (revenue, data volume, or selling data), and 10+ other states have similar laws. If you sell to US consumers and collect personal data or use targeted ads, you likely need a notice and opt-out.

What is a 'Do Not Sell or Share' link?

A clear, account-free link (often "Your Privacy Choices") letting consumers opt out of the sale or sharing of their personal information — including cross-context behavioural advertising cookies.

What is GPC and do I have to honor it?

Global Privacy Control is a browser opt-out signal. Under CPRA and several state laws you must treat it as a valid opt-out of sale/sharing.

The source

RuleGoose checks this against the California CCPA/CPRA + US state privacy laws. Read it yourself: California AG — CCPA →

Check your WooCommerce store against US state privacy (CCPA/CPRA) — free.
Answer a few questions, see exactly where you're exposed, and draft the fix. No signup, runs in your browser. Run the CCPA Ready checker →

or get one RuleGoose Score across every rule your WooCommerce store has to meet.

The full WooCommerce picture

US state privacy (CCPA/CPRA) is one of several rules a WooCommerce store has to meet. See the full WooCommerce compliance checklist →, or read the platform-neutral US state privacy (CCPA/CPRA) guide.

Same rule, other platforms

US state privacy (CCPA/CPRA) on Shopify →

Informational only, not legal advice, and not affiliated with California or the FTC or WooCommerce. Last reviewed 2026-06-30.