Customer Data Privacy Laws for Online Business
The Current Privacy Law Landscape
The United States has no single federal privacy law covering all consumer data. Instead, privacy is regulated through a combination of sector-specific federal laws (HIPAA for health data, COPPA for children's data, GLBA for financial data) and increasingly comprehensive state laws. California led with the CCPA in 2020, amended by the CPRA in 2023. Virginia, Colorado, Connecticut, and Utah followed with their own laws in 2023. Indiana, Iowa, Montana, Oregon, Tennessee, and Texas enacted privacy laws effective in 2024 and 2025. More states continue to add legislation each year.
Each state law has slightly different thresholds, definitions, and consumer rights, but the core principles are consistent: businesses must disclose what data they collect and why; consumers have the right to know, access, delete, and correct their personal data; consumers can opt out of the sale or sharing of their data; and businesses must implement reasonable security measures to protect personal data. If you build your privacy practices around the CCPA's requirements, which are the most comprehensive, you will be substantially compliant with most other state laws.
The FTC also enforces data privacy through its authority over unfair and deceptive trade practices. Even in states without comprehensive privacy laws, the FTC can take action against businesses that fail to follow their own privacy policies, deceive consumers about their data practices, or fail to implement reasonable data security measures. The FTC has brought enforcement actions resulting in millions of dollars in fines against companies ranging from tech giants to small online retailers.
What Counts as Personal Data
Personal data under modern privacy laws is much broader than names and credit card numbers. The CCPA defines personal information as any information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." In practical terms, this includes obvious identifiers like names, email addresses, phone numbers, and physical addresses. But it also includes IP addresses, device identifiers, cookie data, browsing history on your site, purchase history, geolocation data, inferences drawn about the consumer (such as predicted preferences or purchasing power), and any data that could be used to identify a household even if not tied to a specific name.
For ecommerce businesses, the breadth of this definition means that virtually every piece of data your website collects qualifies as personal information. Google Analytics tracks IP addresses and browsing behavior. Your email marketing platform stores email addresses and engagement history. Your ecommerce platform stores order history, addresses, and payment data. Facebook Pixel tracks browsing behavior and ties it to a Facebook identity. Every one of these data streams falls under privacy law regulation.
Some data categories receive heightened protection. Sensitive personal information under the CCPA includes Social Security numbers, financial account numbers, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health information, and the contents of a consumer's mail, email, and text messages. If you collect any sensitive data, additional restrictions apply, including the right for consumers to limit its use and stricter consent requirements.
Data Collection Best Practices
Collect only what you need. The principle of data minimization, collecting the minimum data necessary for a specific purpose, is a legal requirement under the GDPR and a best practice under U.S. law. Audit every form field, every tracking script, and every data point your business collects and ask whether you actually use it. If your checkout form asks for a phone number but you never call customers, remove the field. If you have analytics tracking every click but only look at page views and conversion rates, reduce your tracking scope. Less data means less liability in a breach and less compliance overhead.
Be transparent about collection. Your privacy policy must accurately describe what you collect, but transparency goes beyond the privacy policy. Display clear notices at the point of collection. When someone signs up for your email list, tell them what they will receive and how often. When your cookie banner appears, explain what each category of cookies does in plain language. Customers who understand and consent to your data practices are less likely to complain, file regulatory complaints, or feel deceived.
Establish retention schedules. Do not keep data forever "just in case." Define how long you retain each category of data based on business need and legal requirements. Order data might be retained for seven years for tax compliance. Email subscriber data might be retained until the subscriber unsubscribes plus 30 days to process the request. Analytics data might be retained for 26 months. Abandoned cart data might be retained for 90 days. Document these retention periods in your privacy policy and implement automated deletion processes to enforce them.
Secure data appropriately. Every state with a comprehensive privacy law requires "reasonable security measures" to protect personal data. While no law defines exactly what "reasonable" means, the standard practice for ecommerce businesses includes SSL/TLS encryption for all data in transit, encryption for stored sensitive data (payment information, account credentials), strong access controls limiting who can view customer data, regular security updates for your ecommerce platform and plugins, unique passwords and two-factor authentication for admin accounts, and regular backups stored securely. If you use Shopify, most of these measures are handled by the platform. If you self-host on WooCommerce or another platform, the security responsibility falls on you.
Consumer Rights and How to Handle Requests
Under the CCPA and similar state laws, consumers have the right to know what personal information you have collected about them and how you use it, the right to access their data (receive a copy), the right to delete their personal information, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of their data, the right to limit the use of sensitive personal information, and the right to non-discrimination for exercising these rights (you cannot charge higher prices or provide worse service to consumers who exercise their privacy rights).
You must provide at least two methods for consumers to submit requests, such as a toll-free phone number and a website address (email address or web form). After receiving a request, you must verify the consumer's identity before fulfilling it. Verification typically involves matching the requester's information against the data you already have. For account holders, requiring them to log in is sufficient verification. For non-account holders, matching at least two data points (name plus email, email plus order number) provides reasonable verification.
You have 45 days to respond to a consumer request, with a possible 45-day extension for complex requests if you notify the consumer within the initial period. For deletion requests, you must delete the data and direct any service providers who received the data to delete their copies as well. For access requests, you must provide the data in a portable, readily usable format (such as a downloadable CSV file or a structured data export).
Certain exemptions allow you to retain data despite a deletion request. You can retain data necessary to complete a transaction, detect security incidents, comply with legal obligations (such as tax records), or exercise free speech. If an exemption applies, explain to the consumer which data you are retaining and the legal basis for retention.
Data Breach Response
Every state in the United States has a data breach notification law. While the specifics vary, the general requirement is that you must notify affected individuals and, in many states, the state attorney general when a breach of personal information occurs. Notification deadlines range from 30 to 60 days after discovery of the breach in most states, with some states requiring notification "without unreasonable delay."
A data breach for notification purposes typically means unauthorized access to or acquisition of unencrypted personal information that compromises the security, confidentiality, or integrity of the data. The types of data that trigger notification vary by state, but generally include name combined with Social Security number, driver's license number, financial account number, or health information. Some states have expanded their breach notification triggers to include email addresses combined with passwords, biometric data, and online account credentials.
Your breach response plan should include immediate steps (contain the breach, assess the scope, preserve evidence), short-term steps (determine notification obligations, draft notification letters, engage forensic investigators if needed), and long-term steps (remediate the vulnerability, review and improve security measures, monitor for ongoing effects). If the breach involves payment card data, you must also notify the payment card brands (Visa, Mastercard) through your payment processor, which may trigger a PCI forensic investigation.
The cost of a data breach for a small business averages $120,000 to $150,000 when you factor in forensic investigation ($10,000 to $50,000), legal fees ($5,000 to $25,000), customer notification and credit monitoring ($1 to $3 per affected customer), and lost business from damaged reputation. Cyber liability insurance covers many of these costs, with premiums for small ecommerce businesses typically running $500 to $2,000 per year. For any business storing significant amounts of customer data, this insurance is worth the investment.
Third-Party Data Sharing
Modern ecommerce operations involve sharing customer data with numerous third parties: payment processors, shipping carriers, email marketing platforms, analytics providers, advertising networks, customer service tools, and review platforms. Each sharing relationship creates legal obligations under privacy law and practical risks if the third party mishandles the data.
Under the CCPA, sharing data with third parties for targeted advertising qualifies as "selling" or "sharing" personal information even if no money changes hands. If you use Facebook Pixel to create retargeting audiences, Google Analytics data for ad targeting, or any other mechanism that shares customer data with an advertising platform, you must disclose this in your privacy policy and provide a "Do Not Sell or Share My Personal Information" link. Consumers who click this link must be opted out of data sharing with advertising partners.
For service providers (companies that process data on your behalf and only use it for the purposes you specify), the CCPA requires a written contract specifying the business purpose, prohibiting the service provider from using the data for their own purposes, and requiring them to comply with the law. Most major SaaS companies include these provisions in their terms of service, but review the terms to confirm. For smaller or less established service providers, you may need to add a data processing addendum to your contract.
Audit your data sharing annually. List every third party that receives customer data, what data they receive, and why. Remove integrations you no longer use, since defunct plugins and abandoned tool connections can become security vulnerabilities. Review each remaining integration to confirm the data sharing is still necessary, properly disclosed in your privacy policy, and covered by appropriate contractual terms.
