California Consumer Privacy Act (CCPA)

CCPA stands for the California Consumer Privacy Act. It is a data privacy law enacted in California in 2018 that gives California residents specific rights over the personal information businesses collect about them.

The CCPA was later strengthened by Proposition 24, also known as the California Privacy Rights Act (CPRA), which California voters passed in November 2020. The updated law took effect on January 1, 2023, and added new consumer rights and created the California Privacy Protection Agency (CPPA) to enforce it.

CCPA in Detail

According to the California Privacy Protection Agency, the CCPA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:

• Annual revenue threshold. The business has gross annual revenues of $26.625 million or more (effective January 1, 2025).
• Data volume threshold. The business buys, sells, or shares the personal information of 100,000 or more California residents or households per year.
• Revenue from data threshold. The business derives 50% or more of its annual revenue from selling or sharing California residents’ personal information.

These thresholds mean that most small eCommerce stores are not directly subject to CCPA compliance requirements. However, stores that grow significantly in scale, use data brokers, or sell customer data to third parties may trigger one of these thresholds and become subject to the law.

Consumer Rights Under CCPA

California residents have several enforceable rights under the CCPA, as outlined by the California Attorney General’s office:

• The right to know. Consumers can ask what personal information a business has collected about them, where it came from, how it is used, and who it has been shared with or sold to.
• The right to delete. Consumers can request that a business delete the personal information it has collected, with some exceptions for data needed to complete transactions or meet legal obligations.
• The right to opt out. Consumers can direct a business to stop selling or sharing their personal information. Businesses must include a “Do Not Sell or Share My Personal Information” link on their website.
• The right to correct. Added by the CPRA in 2023, this allows consumers to request corrections to inaccurate personal information.
• The right to non-discrimination. Businesses cannot penalize consumers (through higher prices, reduced service, or other means) for exercising their CCPA rights.

These rights give California consumers meaningful control over how their data is used, and require businesses to have processes in place to respond to those requests within specific timeframes.

CCPA vs. GDPR

CCPA and GDPR are both data privacy laws, but they work differently in one fundamental way: the consent model.

GDPR uses an opt-in model. Non-essential data collection (like advertising cookies) requires explicit permission from the user before it begins. If a user does not actively consent, the data cannot be collected.

CCPA uses an opt-out model. Data collection and sharing can happen by default, but consumers must be given a clear way to say no. A business can collect and use data until the consumer exercises their right to opt out.

GDPR also applies to any organization worldwide that processes data of EU residents, regardless of business size. CCPA applies only to for-profit businesses meeting specific size thresholds.

Why Is CCPA Important for eCommerce Sellers?

CCPA matters for eCommerce sellers because California is the most populous US state and a major consumer market. Even sellers based outside California must comply if they meet the relevant thresholds and collect data from California residents.

In practice, CCPA compliance for most eCommerce stores involves adding a “Do Not Sell or Share My Personal Information” link to the website footer, maintaining a clear privacy policy that discloses data collection practices, and having a process for responding to consumer data requests within 45 days.

For Shopify sellers, Shopify’s infrastructure supports CCPA compliance, but sellers are responsible for ensuring any third-party apps and marketing tools they use also handle California consumer data appropriately.

Frequently Asked Questions

Does CCPA apply to my small Shopify store?

CCPA likely does not apply to your small Shopify store if your annual gross revenue is below $26.625 million, you buy/sell/share data for fewer than 100,000 California residents per year, and you don’t derive 50% or more of revenue from selling data. However, the 100,000-consumer threshold counts cookies and device IDs, not just customers — a store averaging ~275 daily California visitors using Google Analytics or Meta Pixel could cross this threshold without realizing it. Most very early-stage stores fall below all three thresholds, but it’s worth revisiting as you grow and scale your ad tracking.

What is the difference between CCPA and CPRA?

CCPA and CPRA differ in that the CCPA is the original California Consumer Privacy Act passed in 2018, while the CPRA (California Privacy Rights Act) is Proposition 24, approved by California voters in 2020, which amended and strengthened the CCPA. The CPRA added new consumer rights, including the right to correct inaccurate data and the right to limit the use of sensitive personal information. It also established the California Privacy Protection Agency (CPPA) as the dedicated enforcement body. The two are often discussed together because the CPRA was built directly on the CCPA framework.

What is the “Do Not Sell” link required by CCPA?

The “Do Not Sell or Share My Personal Information” link required by CCPA is a mandatory opt-out mechanism that must be prominently placed on a business’s website, typically in the footer. It allows California consumers to direct the business to stop selling or sharing their personal information with third parties. Businesses subject to CCPA must honor these requests and cannot charge consumers more or provide reduced service as a result of them exercising this right.