
37. Data Privacy, GDPR, CCPA, OH MY!


Not sure about your responsibilities as a website owner when it comes to data privacy? Confused by all the acronyms and how to comply? In this mini-episode we’re covering the two main privacy laws and how they apply to you. 

Note: I am not a privacy professional or a lawyer and this is purely informational, not legal advice. It’s important for you to do your own research, due diligence, and hire a professional to support you.

This week, my goal is to make sure this important topic is on your radar. I’m not a privacy professional, and I don’t have all the answers.

Truth be told, the extent of my experience implementing the requirements is limited to gathering all the necessary information for a privacy professional and a legal team to craft the necessary documents. 

But I have noticed there isn’t a lot of conversation around this, so I want to make sure everyone knows it’s a thing. Even if you aren’t required to comply today because of the size of your business, it’s still something you need to keep your eye on. The more digital our world becomes, the more rules and regulations will keep popping up. 


So what does that mean?

This episode is here to bring this topic to light and encourage you to do your own research and due diligence. If you have already done your own research, you know where you stand, and you are keeping up with all the changes, awesome — I’ll see you in the next episode. 

If you have no idea what I’m talking about or haven’t given this a second thought, keep listening.

10 things your privacy policy should include 

You should already know that you need to have a privacy policy on your website. This privacy policy tells your website visitors: 

  1. What information you collect about them
  2. How it’s collected
  3. Why it’s collected
  4. How the information is used
  5. Who will have access to it
  6. How the website visitor can opt-out of having this information collected about them
  7. How they can review or update the information
  8. What measures you’re taking to protect that information
  9. The effective date of the policy
  10. Who to contact about the policy

New laws are coming into effect and the standard is changing 

For a long time, that was the standard, but… in the last few years, two big laws went into effect that took things to the next level. First was GDPR in the EU, and then CCPA in California. 

Side note: in our most recent election, there was a ballot measure to expand the privacy laws in California, the California Privacy Rights Act (CPRA), which did pass. It amends and adds to the CCPA rather than replacing it, and it becomes operative in 2023. I don’t know many details about it, but know that more requirements are coming. 

While these two look and sound similar to each other, there are some differences between them. Just because you’re compliant with one doesn’t necessarily mean you’re compliant with the other. And of course, which ones you have to comply with depends on where your customers are and on the thresholds that decide who is responsible for complying. 

Compliance depends on where your customers are, not where you are

Just because you don’t live in the EU doesn’t mean you don’t have to comply with GDPR. If you sell to customers there, you do. The same is true for CCPA in California. 

Just like the requirements for collecting sales tax that I talked about in last week’s episode, there are thresholds for who is required to comply with the CCPA. 

3 conditions for complying with the CCPA 

The CCPA applies to for-profit businesses that do business in California and meet at least one of the three conditions. They are: 

  1. You have annual gross revenues of more than $25 million
  2. You buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices annually, or 
  3. You receive half or more of your annual revenues from selling consumers’ personal information 

Now, it’s unlikely, if you’re listening to the podcast, that you’re doing $25 million a year in revenue. If you are, ahhhmazing, please message me so I can bring you on as a guest to the show. And as an eCommerce business, it’s not likely you’re receiving more than half of your annual revenue from selling information. 

But requirement #2 — 50,000 consumers, households, or devices — is where the device piece gets tricky. The CCPA defines a device as any physical object that can connect to the internet, directly or indirectly. So a single customer’s desktop computer, laptop, and cell phone each count as a separate device, which means the device count can climb a lot faster than the customer count.

But then again, CCPA only protects California residents. 

With all that said, it’s likely that you’re not technically required to comply. 

GDPR is based on intent, not threshold 

With GDPR, compliance doesn’t have a threshold. It’s based on intent. Because GDPR protects people located in the EU, everyone who offers goods or services to data subjects in the EU, whether or not a payment is involved, is required to comply. It also applies if you monitor the behaviour of people in the EU, and website analytics and ad tracking can count as monitoring, so a shop that ships worldwide and runs tracking pixels can be in scope even without a single EU sale.

Are you likely to get fined for not complying? 

Now, as a small business doing a few hundred thousand, or a few million dollars a year, are you likely to be prosecuted and fined for not complying? No, probably not. Enforcement is happening with big tech giants like Facebook, Google, and WhatsApp. 

So why are we talking about this? 

Because the rules and regulations of data privacy are changing rapidly, and they will continue to do so as more and more businesses move online. So far, the rules being implemented in the U.S. are at the state level, but it’s possible that will change. Ultimately, I want you to be aware and as prepared as possible. 

Consumers are becoming more and more aware of their privacy on the internet. More and more breaches by the big guys mean consumers are becoming more wary. And knowing that you give a shit about them, their data, and their privacy is just one way you can instill confidence in your consumers and set your business up for future success. 

So what should you do today? 

First thing, do your own research, because I’m not a privacy professional (had to get that disclaimer in there!).

Secondly, make sure you have a solid privacy policy in place at a minimum. 

Get a consultation with a privacy professional who can help you figure out when and if you need to be compliant. The IAPP, the International Association of Privacy Professionals, is a non-profit organization that helps define, promote, and improve the privacy profession globally. 

Stay in the know. Just as states enacted new laws to recoup lost sales tax as online sales rose, it’s likely that other states will pop up with their own privacy rules. Sooner rather than later it may even reach the federal level. 


Episodes Mentioned

Episode 36: How To Charge Sales Tax for Your eCommerce Business 

Additional Resources

GDPR for US Based Companies

CCPA – California Consumer Privacy Act

Writing a Privacy Policy for Your Small Business

Writing a GDPR Compliant Privacy Notice

International Association of Privacy Professionals

Hey, I'm Jessica

I support scrappy female entrepreneurs with actionable steps & strategies to grow and scale the traffic, sales & profit in their eCommerce businesses. 
