Module 09 — Legal, Tax & Business Setup
Privacy Regulations (GDPR, CCPA, and Beyond)
9 min · text · Beginner
Your customer fills in their email at checkout. They tick a box agreeing to your privacy policy. They pay. Three years later, that email is in your Klaviyo, your Stripe, your Shopify, your email backups, and your accountant's CSV exports. The Privacy Act says your customer has rights over that data. The privacy principles say what you must disclose, how you must store it, and what happens if there is a breach. Most dropshippers under $3M revenue are technically below the formal Privacy Act threshold — but the consumer protection regulator and privacy regulator enforce the principles regardless of size when serious harm is at stake. Today: the privacy obligations every dropshipper has, and the policy that complies.
Who the Privacy Act applies to
The privacy legislation applies to:
- Businesses above the threshold (varies by jurisdiction). Mandatory full compliance with all 13 privacy principles.
- Businesses handling sensitive information (health records, biometric, etc.). Also fully covered.
- Businesses doing direct marketing. Partial coverage — privacy principle 7 (direct marketing) applies.
- All businesses subject to data breach notification requirements if a breach is likely to cause serious harm.
For most dropshippers under $3M with a standard Shopify store, formal Privacy Act coverage is partial. But the privacy regulator increasingly enforces the privacy principles even on smaller businesses when consumer harm is real, particularly around data breaches and direct marketing.
The realistic stance: comply with the Privacy Act fully regardless of size. The cost is low; the protection is real.
The 13 privacy principles — what matters for ecommerce
Of the 13 privacy principles, six matter most for an ecommerce store:
- Principle 1 — Open and transparent management. You must have a privacy policy that is publicly accessible.
- Principle 3 — Collection of solicited personal information. Only collect what you need; not more.
- Principle 5 — Notification of collection. Tell customers what data you collect, why, and what you'll do with it.
- Principle 6 — Use or disclosure. Only use data for the purposes disclosed in your collection notice.
- Principle 7 — Direct marketing. Customers must opt-in (or be given clear opt-out) for marketing communications. Compliance with the anti-spam legislation also applies.
- Principle 11 — Security. Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access.
The privacy policy on your store needs to describe how each of these is handled. Most Shopify-generated privacy policies cover this, but you should confirm that yours meets the requirements of your target markets.
What your privacy policy must disclose
A compliant privacy policy includes:
- Identity and contact details of your business (LLC/Ltd name, business registration number, contact email).
- Categories of personal information collected (name, email, address, phone, payment, browser data, etc.).
- How you collect it (web form, Shopify checkout, email signup, third-party app).
- Why you collect it (order processing, marketing, customer service, legal compliance).
- Who you disclose it to (Shopify, payment processors, fulfilment partners, marketing platforms — name them).
- Whether data goes overseas (typically yes — Shopify is US-based, AliExpress is China-based; disclose).
- How customers can access or correct their data (process for opt-out, deletion, data export).
- Complaints process (how to file a privacy complaint, privacy regulator contact details).
- Last updated date.
A short, plain-language version should also be linked from your checkout flow (most Shopify checkouts now include this).
Data breach notification
If a data breach occurs that is likely to cause serious harm to affected individuals:
- You must notify affected individuals as soon as practicable.
- You must notify the privacy regulator.
- You must take reasonable steps to remediate (password resets, credit monitoring offers, etc.).
Failing to notify can result in significant penalties, particularly for serious or repeated breaches. The threshold for notification is "likely to result in serious harm" — leaked emails alone usually don't qualify; leaked payment details or health information almost certainly do.
For dropshippers using Shopify, Stripe, and Klaviyo: the platforms handle most security obligations. Your obligation is good account hygiene (strong passwords, 2FA, restricted access), monitoring for suspicious activity, and having a breach response plan if it happens.
[Image: Customer privacy form on a Shopify checkout page with consent checkbox] The privacy disclosure on your checkout is a 2-line link, but the policy behind it must be substantive. Photo: Unsplash / Towfiqu Barbhuiya.
The anti-spam legislation
Beyond privacy, most jurisdictions have dedicated email/SMS marketing rules. Three requirements:
- Consent. You can only send marketing emails/SMS to people who consented (express or inferred from a relationship).
- Identification. Every marketing message must clearly identify you (your business name).
- Unsubscribe. Every message must have a working, easy unsubscribe.
Klaviyo, Mailchimp, and Omnisend all handle the technical compliance. Your obligation is to use double opt-in for new email signups (best practice) and never buy email lists.
GDPR and other international privacy laws
If you sell to EU customers, GDPR applies. If you sell to California customers, CCPA applies. If you sell to UK customers, UK GDPR applies. Each has slightly different requirements, but the core principles are the same.
For most dropshippers, a privacy policy that complies with the GDPR (the strictest of the major regimes) covers all bases. Most Shopify-generated privacy templates now cover GDPR.
The 30-minute compliance audit
Run this on your store today:
- Privacy policy linked from footer? Yes/no.
- Privacy policy linked from checkout? Yes/no.
- Privacy policy mentions all data categories you actually collect? Yes/no.
- Privacy policy mentions all third parties you share with (Shopify, Stripe, Klaviyo, AliExpress, etc.)? Yes/no.
- Privacy policy mentions data going overseas? Yes/no.
- Privacy policy includes a contact email for privacy queries? Yes/no.
- Marketing emails have a clear unsubscribe link? Yes/no.
- Customer data is stored securely (Shopify default + 2FA on your admin)? Yes/no.
A score of 8/8 takes most stores 60-90 minutes of policy editing. Most stores audit at 4-5/8 on first check.
Why this matters
Privacy compliance is invisible until a breach happens or a customer complaint hits the privacy regulator. Then it is the difference between $5,000 of remediation work and