In the end, which CCPA and GDPR app should I be using?

Solved
CluelessA
Excursionist
21 0 5

I received an email from Shopify saying that I should install the new app "Customer Privacy" to comply with the CCPA.


I saw someone complain the reviews that the app doesn't give an option to "opt out" which to my understanding is part of the new regulation, it seems no apps include this unless we pay. I really don't want to pay a monthly fee for this, it's simply not a service that requires maintenance, is just a banner, I'd be more open to pay a reasonable one time fee. I'd even try to do the code myself if I can find the resources (haven't done a deep search of how to just yet).


I downloaded one called Kooke that at least looks ok and doesn't disappear until the person clicks the agree button. But on my Preferences --> Customer Privacy it still shows that "my current CCPA" is expiring. Screenshot.

So I don't know what to do, I'm trying to solve both the CCPA and the GDPR at the same time, another thing I don't understand is if these apps have any actual effect on the information that is collected on my site, or only the Customer Privacy section is the one who governs that.

Does anyone have any insight or suggestions? Should I install the Shopify one while keeping Kooke? or erase it?

Please help

Accepted Solutions (2)

Accepted Solutions
Andrew
Shopify Staff
Shopify Staff
1416 145 258

This is an accepted solution.

Hi,

Hyde here from Shopify. Fantastic question!

While I can provide you with general information about the California Consumer Privacy Act (CCPA), it is no substitute for legal advice.

First of all: if your website is available to California residents or you are involved in the sale of California residents’ personal information, then this law likely applies to you. What you need to consider is whether you sell personal information and need to offer your customers opt-out of sale, and any apps that we contact you about are merely suggestions to help you fulfil your responsibilities. 

Your duties are to:

  • Be transparent about your data collection practices

Here is some useful information on how you can be transparent about your data processing. Shopify has a privacy policy generator that will generate a template privacy policy for you. You can access it from your Shopify admin by going to Settings > Legal > Privacy policy > Create from template. This is free and means you, therefore, do not need an app.

  • Allow consumers to opt-out of sale (if you sell data)

In order to allow consumers to opt out, you should have a link on every page of your online storefront labeled Do not sell my personal information. This link can lead to a page you create that describes the rights of California residents and how to contact you to request the opt-out. Again, it's free and does not require the use of an app!

  • Delete or provide access to consumer information upon request

Here is how you can process CCPA requests. It details how you can use Shopify’s platform to address data requests, and what you may need to do independently from Shopify if you receive a data request.

In short: Shopify believes strongly in protecting personal information and understands that doing so is critical to help you preserve the trust and confidence of your customers. Shopify has designed its platform to allow merchants to operate anywhere in the world. CCPA-compliant features are built into Shopify's platform, including features to enable you to offer your customers transparency into and control over their personal information.

Shopify believes in making it easy for you to use our platform in a manner that complies with privacy and data protection laws like the CCPA. For more information, please see our CCPA help docs and whitepaper.

I hope this helps! All the best, Hyde.

 

Andrew | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

View solution in original post

Andrew
Shopify Staff
Shopify Staff
1416 145 258

This is an accepted solution.

@CluelessA I just wanted to get back to you on this point to clarify that when using our free Customer Privacy app you can now:

  • Generate a “Do Not Sell My Information” link to add to your storefront.
  • Generate a beautiful buyer-friendly page on your storefront that allows visitors from California to opt of the sale of their data.
  • Comply with California regulations.

So using this app, you can create an opt-out sale banner with ease. I'd ignore what the reviews have to say and try it out for yourself! As to whether or not you need an opt-out button or not for certain, that is definitely something I recommend that you double-check with a relevant authority on the matter. As far as I understand it however if you are based outside of California you do not need to adopt CCPA compliance. If you are based in California, and there's even the slightest possibility that you are selling personal data (through the use of third-party apps, etc) then you do. 

Given the legality of the issue, you will absolutely need to talk to an expert on the subject. -Hyde

Andrew | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

View solution in original post

Replies 9 (9)
Andrew
Shopify Staff
Shopify Staff
1416 145 258

This is an accepted solution.

Hi,

Hyde here from Shopify. Fantastic question!

While I can provide you with general information about the California Consumer Privacy Act (CCPA), it is no substitute for legal advice.

First of all: if your website is available to California residents or you are involved in the sale of California residents’ personal information, then this law likely applies to you. What you need to consider is whether you sell personal information and need to offer your customers opt-out of sale, and any apps that we contact you about are merely suggestions to help you fulfil your responsibilities. 

Your duties are to:

  • Be transparent about your data collection practices

Here is some useful information on how you can be transparent about your data processing. Shopify has a privacy policy generator that will generate a template privacy policy for you. You can access it from your Shopify admin by going to Settings > Legal > Privacy policy > Create from template. This is free and means you, therefore, do not need an app.

  • Allow consumers to opt-out of sale (if you sell data)

In order to allow consumers to opt out, you should have a link on every page of your online storefront labeled Do not sell my personal information. This link can lead to a page you create that describes the rights of California residents and how to contact you to request the opt-out. Again, it's free and does not require the use of an app!

  • Delete or provide access to consumer information upon request

Here is how you can process CCPA requests. It details how you can use Shopify’s platform to address data requests, and what you may need to do independently from Shopify if you receive a data request.

In short: Shopify believes strongly in protecting personal information and understands that doing so is critical to help you preserve the trust and confidence of your customers. Shopify has designed its platform to allow merchants to operate anywhere in the world. CCPA-compliant features are built into Shopify's platform, including features to enable you to offer your customers transparency into and control over their personal information.

Shopify believes in making it easy for you to use our platform in a manner that complies with privacy and data protection laws like the CCPA. For more information, please see our CCPA help docs and whitepaper.

I hope this helps! All the best, Hyde.

 

Andrew | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

CluelessA
Excursionist
21 0 5

Hi Hyde,

Thank you for your response, I already have my policies in place. If I understand you correctly, I only need to have an "Opt Out" button/option if I sell personal information, which I'm not interested in doing. Thank you for clarifying that.

As for the question regarding the apps, and what it looks like its expiring although I have that other app installed, I guess I better contact customer service directly with those questions. Thank you

 

Scartify
New Member
6 0 0

Try our app, will fit your needs:

Announcify is crafted to help merchants boost their sales with our announcements app and to announce sales that draw your visitors attention and engages them to subscribe, announce important announcements, shipping cost and estimated delivery.

  • Free Shipping Bar Internet shoppers want their items as fast as possible. They are far more likely to buy something if they know upfront the shipping costs and estimated delivery time.

  • Countdown Announcements Display countdowns to your customers to a known/Specific event.

  • Capture Email Subscribers Maximize your Ads spend by capturing email subscribers and save them as customers.

  • Works with Any Theme Works right out of the box with any theme, and looks amazing!

  • Click here:
    https://apps.shopify.com/announcify-app
If you see that this solved your problem please hit "Accept as Solution" and like!
You need any help or want to build a store? https://www.scartify.com or email us: contact@scartify.com
Andrew
Shopify Staff
Shopify Staff
1416 145 258

This is an accepted solution.

@CluelessA I just wanted to get back to you on this point to clarify that when using our free Customer Privacy app you can now:

  • Generate a “Do Not Sell My Information” link to add to your storefront.
  • Generate a beautiful buyer-friendly page on your storefront that allows visitors from California to opt of the sale of their data.
  • Comply with California regulations.

So using this app, you can create an opt-out sale banner with ease. I'd ignore what the reviews have to say and try it out for yourself! As to whether or not you need an opt-out button or not for certain, that is definitely something I recommend that you double-check with a relevant authority on the matter. As far as I understand it however if you are based outside of California you do not need to adopt CCPA compliance. If you are based in California, and there's even the slightest possibility that you are selling personal data (through the use of third-party apps, etc) then you do. 

Given the legality of the issue, you will absolutely need to talk to an expert on the subject. -Hyde

Andrew | Social Care @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

CluelessA
Excursionist
21 0 5

Wow, you are right.

Those reviews are very misleading!!!!! I'll make a review too to try to remedy it.

I just wish I could customize the colors and fonts to fit my page, but the Dark theme can do the job in the meantime.

Thank you!

AlphaBen
New Member
2 0 0

@Andrew I'm also not a lawyer, but I have consulted with a legal team to get some clarification on these points.

I just want to clarify a couple points here and refer anyone who comes across this thread to Shopify's clarification of CCPA for Shopify customers.  The most important counterpoint here is that you do not need to be a California company in order to comply with CCPA.  The requirements of the California law are very specific and Shopify has done a fine job clarifying their stance (i.e. among others if you have at least 50,000 website visitors from California regardless of where your business is located then CCPA applies to you).  In theory you're only required to show the Do Not Sell links/pages to CA visitors, but the language around how that determination is made is somewhat subjective.

I believe the Shopify Customer Privacy app gets such low reviews specifically because while it provides a way to "opt out" via the new Customer Privacy API it's lacking a way (a form, perhaps) to simultaneously link the request to an identifiable person such that the request can be handled by the Shopify merchant.  In other words the page generated by the app nicely includes some Javascript to update these privacy preferences via the Privacy API (window.Shopify), but as far as I can tell these settings/preferences aren't cached/queued anywhere (either in the app or associated with the visitor in some other way) that we - as merchants - can act on to ensure that we process the Do Not Sell requests for that visitor. 

Consequently there's no way for us - as merchants - to act on the requests that a visitor may have taken on the Do Not Sell page created from the Shopify Customer Privacy app.  It may the case that these settings are preserved and honored by Shopify in some way/shape/form behind the scenes, but Shopify has clearly stated that they don't consider a merchant using their platform to constitute a ... of information, which means that it's up to the merchant to self assess on whether or not they're selling that customer information in some other way (via some other vendor, for example) and to act accordingly on requests to Do Not Sell.  Therefore it seems to me that the app is....incomplete in that sense.

Also note that "sell" in the context of "Do Not Sell" for CCPA doesn't mean that you need to sell customer data for money for this to apply; it could simply mean that you exchange customer data for services, which is a pretty broad definition best left to the lawyers to help define.

On a related note there are some decent cookie consent and CCPA data management apps in the app store, but I haven't found a good one yet specifically for handling the Do Not Sell opt out for CCPA.

Curious to hear if anyone out there has yet linked up the preferences set by the Shopify Customer Privacy app (via the Shopify Customer Privacy API)  to some system for ensuring that they can handle the request properly for that user to ensure that they're not actually selling that user's information to a 3rd party (independent of how we're defining "sell").

Hope that helps!

Ben

CluelessA
Excursionist
21 0 5

Thank you @AlphaBen , I wish I could take away that thing that says "Accepted Solution", when I installed the app, I was overwhelmed and just saw the text of the page, there is a part that says something like "to opt out follow this link", because I was in a hurry with other million things, I assumed there was a link on that text, just yesterday I saw the page again (this time from the website) and realized there was no link...

Because I have no clue what else to do I changed that part to "contact me" instead, all this is so very strange... this app is like a cardboard storefront decoration in a theme park, but there is just a brick-wall at the other side of the door, the whole thing is just for show. Actually putting that on the review.

goldenlines
Tourist
3 0 1

Hi. I realized there is no opt out link too. So what is the solution. This is so confusing!

Pandectes
Shopify Partner
19 0 3

Feel free to try our app GDPR Compliance Center which applies to CCPA as well. From our experience with more than 22.000 merchants such an app needs to provide more options to them and not just a banner. Stores are using many third party apps/scripts and the control of them is not an easy task. Also managing DSR (data subject requests) is not fully automated from Shopify and there are tools like our app that can help you do the job easier.