Which State Privacy Laws Apply to My Shopify Store?
If your Shopify store ships to customers in multiple states, you're likely subject to 3-5 state privacy laws. Here's exactly which ones apply and what they require.
If your Shopify store ships to customers across the United States, you are likely subject to between 3 and 5 state privacy laws right now — and the number grows as new states pass legislation. The laws that apply to your store depend on your annual revenue, how many consumer records you process per state, and whether you profit from selling customer data. You do not need to be located in a state for that state's law to apply to you: what matters is where your customers are.
The Short Answer: Most National Shopify Stores Are In Scope
If your Shopify store ships nationally and processes data from consumers in California, Texas, Virginia, Colorado, or Connecticut — which most e-commerce stores do — you are almost certainly subject to at least one state privacy law, and probably more. Texas TDPSA and Virginia VCDPA have no annual revenue threshold, meaning even a small store can be in scope based on consumer count alone.
Which State Privacy Laws Currently Cover E-Commerce Businesses?
Twenty US states have enacted comprehensive consumer privacy laws. Not all of them apply to most small businesses — but more do than most Shopify merchants expect.
| State | Law | Consumer Threshold | Revenue Threshold | In Effect |
|---|---|---|---|---|
| California | CCPA/CPRA | 100,000 consumers | $25M revenue | Yes (2020/2023) |
| Texas | TDPSA | 100,000 consumers | None | Yes (2024) |
| Virginia | VCDPA | 100,000 consumers | None | Yes (2023) |
| Colorado | CPA | 100,000 consumers | None | Yes (2023) |
| Connecticut | CTDPA | 35,000 consumers | None | Yes (2023) |
| Montana | MCDPA | 50,000 consumers | None | Yes (2024) |
| Oregon | OCPA | 100,000 consumers | None | Yes (2024) |
| Delaware | DPDPA | 35,000 consumers | None | Yes (2025) |
| New Hampshire | NHPA | 35,000 consumers | None | Yes (2025) |
| New Jersey | NJDPA | 100,000 consumers | None | Yes (2025) |
| Nebraska | NDPA | 100,000 consumers | None | Yes (2025) |
| Utah | UCPA | 100,000 consumers | $25M revenue | Yes (2023) |
| Florida | FDBR | 100,000 consumers | $1 billion revenue | Yes (2024) |
| Iowa | ICDPA | 100,000 consumers | None | Yes (2025) |
| Maryland | MODPA | 35,000 consumers | None | Pending (2025) |
| Minnesota | MNDPA | 100,000 consumers | None | Pending (2025) |
| Indiana | INCDPA | 100,000 consumers | None | Pending (2026) |
| Tennessee | TIPA | 175,000 consumers | $25M revenue | Pending (2025) |
| Rhode Island | RIDPPA | 35,000 consumers | None | Pending (2026) |
| Kentucky | KCDPA | 100,000 consumers | None | Pending (2026) |
Key takeaway: Most state privacy laws use OR logic — you only need to meet one threshold. And most have no revenue minimum at all.
Does Texas TDPSA Apply to My Shopify Store?
Texas TDPSA is the law that catches the most Shopify merchants off guard because it has no annual revenue threshold. If your Shopify store processes personal data from 100,000 or more Texas consumers in a calendar year, TDPSA applies to you regardless of your store's revenue.
Texas is the second most populous state. A Shopify store with national distribution that processes even a modest volume of transactions will often cross the 100,000 consumer threshold for Texas alone. "Processing" includes collecting email addresses, tracking browsing behavior, and storing purchase history — not just completing transactions.
Does My Store Process 100,000 Texas Consumers?
A practical way to estimate: if your store has more than 350,000 annual sessions from US visitors and at least 10% come from Texas (close to Texas's share of US population), you are likely processing data from 35,000+ Texas consumers per year. At that scale, TDPSA scope is a real question worth calculating precisely.
Does CCPA Apply to My Shopify Store?
California CCPA/CPRA applies if your business meets ANY ONE of three thresholds:
- $25 million or more in annual gross revenue
- Processes personal data of 100,000 or more California consumers annually
- Derives 50% or more of annual revenue from selling California consumer data
Unlike Texas TDPSA, CCPA does have a revenue threshold. However, the consumer count threshold (100,000) is reachable for many mid-size Shopify stores selling nationally. California represents roughly 12% of the US population — a store with 1 million annual unique US visitors likely processes data from over 100,000 California consumers.
Does Connecticut CTDPA Apply to My Shopify Store?
Connecticut amended its threshold in 2023, dropping from 100,000 consumers to 35,000 consumers annually. With no revenue threshold and a 35,000 consumer count, CTDPA is one of the broadest state laws for mid-size Shopify merchants. If your store has meaningful Connecticut traffic, run the numbers.
What Do These Laws Actually Require Shopify Stores to Do?
The core requirements across most state privacy laws overlap significantly:
1. Privacy policy updates: Your privacy policy must disclose what personal data you collect, the purposes for processing it, whether you sell or share it, and how consumers can exercise their rights. A standard Shopify privacy policy generated by a policy tool likely needs updating to meet current state law requirements.
2. Opt-out mechanisms: Most state laws require a clear "Do Not Sell or Share My Personal Information" link on your site. Some states — Colorado, California, Connecticut — require you to honor the Global Privacy Control (GPC) browser signal automatically.
3. Consumer rights processes: You must have a working process to respond to consumer requests to access, correct, delete, or export their data. Response timelines vary by law: 45 days (CCPA), 45 days (TDPSA), 45 days (VCDPA). You need a documented process before you receive your first request.
4. Sensitive data handling: Most state laws require opt-in consent before processing sensitive data categories: precise geolocation, health information, racial or ethnic origin, financial information. If your store collects any of these, check law-specific requirements carefully.
5. Data security: All state laws require "reasonable" data security measures appropriate to the type and volume of data you process. This is not specifically defined — but it means documented security practices, not just assuming Shopify's platform handles it.
The Most Important Thing Most Shopify Merchants Get Wrong
Most Shopify merchants assume their state privacy law exposure is limited to California and CCPA. Texas TDPSA, Virginia VCDPA, and Colorado CPA have no revenue threshold — which means they apply based purely on how many consumers from that state your store processes data from, regardless of your store's size or revenue.
The practical implication: a $2 million/year Shopify store with national distribution may be subject to TDPSA (Texas), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), OCPA (Oregon), and CCPA/CPRA (California) simultaneously. That's six state privacy laws. Most stores in this situation don't know it.
How to Determine Which Laws Apply to Your Specific Store
The variables that determine your scope:
- Annual revenue (matters for California, Utah, Tennessee, Florida)
- Consumer counts by state (matters for all laws — total records processed, not just transactions)
- Percentage of revenue from data sales (matters for secondary thresholds)
To calculate your consumer count: pull your Shopify analytics for the past 12 months and look at unique customer records by state. Add email subscribers, abandoned cart captures, and anyone who created an account — these are all "consumers" whose data you process under most state definitions.
Check Which Laws Apply to Your Store Right Now
Purview's free compliance quiz takes 5 minutes. Answer 8 questions about your store — we'll tell you exactly which state privacy laws apply to you based on your revenue, consumer counts, and operating geography.
Frequently Asked Questions
Do state privacy laws apply to Shopify stores outside the US?
Generally no — US state privacy laws apply to the personal data of consumers who are residents of that state, regardless of where the business is located. If you are based outside the US but sell to US consumers, you may still be in scope. Most international Shopify merchants focus first on CCPA for California customers.
Does having a privacy policy mean I'm compliant?
No. A privacy policy is a disclosure document — one compliance requirement among many. Compliance also requires opt-out mechanisms, consumer rights processes, and data security measures. A policy generated by a template tool may not cover the specific requirements of each applicable state law.
Do I have to comply with all applicable state laws at the same time?
Yes. If three state privacy laws apply to your Shopify store, you must comply with all three simultaneously. Where requirements conflict (different response timelines, different opt-out mechanisms), follow the more stringent requirement.
What happens if I don't comply?
Enforcement varies by state. California's CPPA can impose fines up to $7,500 per intentional violation. The Texas AG can seek $7,500 per violation. Most states provide a cure period (30-60 days) after receiving a notice of violation. Private consumers can also file complaints that trigger AG investigations.
How often do state privacy laws change?
Frequently. Connecticut dropped its consumer threshold in 2023. New laws passed in Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, and Rhode Island in 2024-2025. Purview monitors all 20 state laws and alerts users when thresholds or requirements change.
My store is very small — do I really need to worry about this?
If your store processes data from more than 35,000 consumers in Connecticut, Delaware, or New Hampshire — with no revenue minimum — you are potentially in scope. "Small" doesn't exempt you from laws with no revenue threshold.
This content is for informational purposes only and does not constitute legal advice. Consult a qualified privacy attorney for advice specific to your business situation.