Shopify and CCPA Compliance

Shopify is a giant in the world of eCommerce; a powerful and flexible platform, it serves as the technical foundation for millions of online stores. With the passage of the California Consumer Privacy Act (CCPA), many small and medium-sized businesses (SMBs) were left scrambling to try to become compliant with the new data privacy law. Because SMBs are the core of Shopify’s customer base, it launched a set of new features and a dedicated privacy app to ostensibly help those businesses meet their obligations.


Unfortunately, Shopify’s CCPA tools fall short of meeting CCPA requirements. Here are a few of the major issues:


No Customized Privacy Notices


A major part of CCPA compliance involves making detailed disclosures on how your business collects, uses, and shares data. This privacy notice is the most visible evidence of compliance, but Shopify cannot produce one for you. This is because doing so would require a deep understanding of how your business works, not just boilerplate text.


Ineffective Opt-Out Tool


Businesses that sell personal information must post a “Do Not Sell” link on their site and provide an opt-out mechanism. Shopify’s Customer Privacy App claims to help businesses meet this requirement, but does little more than generate generic text for an opt-out page. This is unfortunate because most eCommerce businesses do in fact sell personal information, even if they don’t realize it. Without an actual opt-out mechanism customized to your business’s practices, this generic page will likely only annoy or anger your customers.


Installed Apps Do Not Act on Deletion Requests


The CCPA gives consumers the right to request the deletion of their data. Shopify provides an easy way to delete customers via their dashboard and passes along this request to all of your installed third-party apps. The reality, however, is that very few vendors actually respond to deletion requests received from Shopify. Your business is responsible for handling those requests, not Shopify; if you tell a consumer that you deleted their data but didn’t really do it, you may be exposing your business to legal jeopardy. Furthermore, Shopify’s deletion process only applies to apps installed in your store, while the CCPA applies to all vendors that handle personal information.


In essence, Shopify’s CCPA features are like a model home with nice kitchen and bathroom fixtures but no plumbing in the walls—they look great but they don’t do anything. Real CCPA compliance can’t simply be “switched on.” It requires a thorough understanding of your business’s data practices, and potentially making some changes to those practices.

You can still become CCPA compliant on your own, however. TrueVault Polaris is a software solution that breaks down the complexities of data privacy laws into an intuitive question-and-answer process. Designed by attorneys, Polaris gives SMBs the tools they need to get compliant in as little as a few hours. Contact our team today to learn more.
