With 11 state privacy laws now in effect and more coming, e-commerce stores face a patchwork of requirements — and enforcement is ramping up fast.
The California Consumer Privacy Act (CCPA), amended by the CPRA, gives California residents the right to know what personal information businesses collect, the right to delete it, the right to opt out of its sale, and the right to non-discrimination for exercising these rights.
But it's not just California anymore. Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, and Virginia all have comprehensive privacy laws. Each has slightly different requirements, thresholds, and enforcement mechanisms.
For e-commerce stores, this means you need a privacy policy that actually matches your data practices, a cookie consent mechanism, a 'Do Not Sell My Personal Information' link, a process for handling consumer data requests, and proper disclosures about tracking pixels and analytics.
Privacy enforcement comes from multiple directions — AG offices, advocacy groups, and increasingly, private litigation:
Privacy advocacy groups and AG offices use automated tools to scan websites for missing privacy policies, non-functional opt-out links, and unauthorized tracking pixels.
A single consumer complaint to the AG can trigger an investigation. Common complaints: no response to data deletion request, no opt-out mechanism, or continued tracking after opt-out.
Some states require a 30-day cure period. You receive a letter identifying violations and a deadline to fix them. Failure to cure leads to enforcement action.
CCPA allows statutory damages of $100–$750 per consumer per incident in data breach cases. AG enforcement can impose fines of $2,500 per violation ($7,500 for intentional violations).
Don't wait for the demand letter.
SuitProof scans your store for these exact vulnerabilities before attorneys do.
E-commerce retailer fined for failing to honor opt-out requests and lacking a compliant privacy policy.
DTC fashion brand settled class action alleging unauthorized sale of customer data to third-party advertisers without proper disclosure.
Texas AG enforcement action against e-commerce brand for inadequate data processing disclosures under new state law.
Colorado enforcement after investigation found no consent mechanism for cookies and tracking pixels.
Prevention costs less than a settlement.
Join the waitlist and scan your store for free.
Common privacy compliance gaps in e-commerce stores:
SuitProof automatically scans your Shopify store for these exact risks. Get on the waitlist for early access and a free compliance scan.
Analyzes your privacy policy against current CCPA/CPRA requirements and flags missing disclosures.
Detects all tracking pixels, cookies, and third-party scripts on your site and checks consent mechanisms.
Maps your data practices against requirements in all 11+ states with privacy laws.
New Shopify apps and theme changes can add tracking scripts. Ongoing monitoring catches new compliance gaps.
Most compliance gaps are quick fixes — the hard part is knowing they exist. Run your first scan in five minutes and launch with confidence.