
2026-04-23 / 10 MIN READ

GDPR and CCPA gaps most DTC operators quietly miss

The GDPR and CCPA gaps most DTC operators miss: silent consent defaults, server-side sharing that counts as a sale, missing data-subject request workflows, and consent stored as state instead of events.

Most DTC operators I meet assume GDPR is "the European one, so we have a geofence" and CCPA is "California's version of GDPR, but softer." Both assumptions are wrong in different ways, and the errors compound into a real gap when the tracking stack ships ad events before a consent record exists.

This post walks through the short answer, the fuller mechanism, and the six specific GDPR and CCPA gaps I keep finding on Shopify stacks when I run an audit. None of the gaps require a lawyer to fix. They require knowing what the laws actually ask for and then matching that to what your store and your tag manager are actually doing in production.

The short answer

If you accept orders from the EU or the UK, GDPR applies to you even if your company is incorporated in Delaware. If you accept orders from California residents and either cross the revenue threshold or share data with third parties for cross-context behavioral advertising, CCPA and its CPRA amendments apply to you. Most DTC brands at scale are subject to both.

Four-question decision tree for which privacy regimes a DTC brand almost certainly falls under:
  • Do you accept orders from EU/UK visitors?
  • Do you accept orders from California residents?
  • Annual revenue above $25M or processing >100k CA records?
  • Do you send purchase data to Meta, TikTok, or Google for ad targeting?

The geofence assumption is the first trap. GDPR attaches to data subjects located in the EU at the moment they interact with you, not to where your company is based or where your servers sit. A California-headquartered Shopify brand with a single EU visitor on its site is in scope for that visitor's data. The practical reality: unless you actively block EU/UK traffic at the edge, you are in scope.

The fuller answer

GDPR and CCPA ask related questions in different registers. GDPR leads with lawful basis. You must have one of six grounds for processing personal data (consent, contract, legal obligation, vital interests, public task, legitimate interests), and you must be able to show which one you relied on for which purpose. Consent has to be freely given, specific, informed, and demonstrable. Article 7 is explicit that the burden of proof is on you.

CCPA leads with rights and disclosures. Residents of California can ask what you collected about them, ask for it to be deleted, opt out of its "sale" or "sharing," and cannot be punished for exercising those rights. CPRA (the 2023 amendment) added the concept of "sharing" for cross-context behavioral advertising specifically, which is the clause that drags modern server-side ad infrastructure into scope.

The practical overlap is that both regimes want you to be able to answer three questions on demand: what did you collect, what are you doing with it, and who else has it. A DTC Shopify stack with pixels, a customer data platform, a transactional email provider, a subscription app, a review app, and server-side CAPI is touching all three questions and usually cannot answer any of them cleanly.

The nuanced answer - six gaps on DTC Shopify stacks

I ran a tracking rebuild on a Shopify DTC brand where the ecommerce team had assumed the cookie banner was the entire compliance story. The banner loaded, the customer clicked, and the shop kept running. Behind the banner, seven pixels were firing on pageview regardless of click, two tags were copying email addresses to a warehouse, and the server-side container was forwarding order data to three ad platforms with no record of which orders had consented to what. The rebuild fixed six specific gaps I see over and over.

Gap 1: pixels fire before the consent record exists

The default Shopify pixel manager and most GTM setups fire pixels on page load and "listen" for consent state. If the consent check fails, the pixel either downgrades to anonymized mode (Google Consent Mode v2) or stops firing. The trap: most pixels are already running by the time a user clicks accept or reject. The request has left the browser. Google Consent Mode handles some of this gracefully; most other pixels do not. I covered the timing mechanics in the stack audit methodology I run pre-retainer, where consent-to-fire-time is one of the 14 checks.
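One way to close the timing gap is to stop tags from firing directly and route every event through a gate that defaults all purposes to denied, parks events until a decision exists, and only then releases the ones whose purpose was granted. The block below is an added example, not code from the post, Shopify, or Google; the purpose names mirror Google Consent Mode v2's storage keys, and `transport` stands in for whatever actually sends the request.

```javascript
// Added example: a consent gate that holds events until a decision exists.
// Purpose names follow Google Consent Mode v2; everything else is assumed.
const PURPOSES = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

function createConsentGate(transport) {
  // Default every purpose to denied before any tag runs, so nothing leaves
  // the browser until decide() has been called by the banner handler.
  const state = Object.fromEntries(PURPOSES.map((p) => [p, "denied"]));
  let decided = false;
  const queue = [];
  let sent = 0;
  let dropped = 0;

  function dispatch(evt) {
    if (state[evt.purpose] === "granted") {
      sent += 1;
      transport(evt);
    } else {
      dropped += 1; // never sent; Consent Mode would at most send a cookieless ping here
    }
  }

  return {
    // Tags call track() instead of firing. Before a decision the event is
    // parked in memory; the request has not left the browser.
    track(evt) {
      if (!PURPOSES.includes(evt.purpose)) throw new Error("unknown purpose " + evt.purpose);
      if (!decided) {
        queue.push(evt);
        return "queued";
      }
      dispatch(evt);
      return state[evt.purpose] === "granted" ? "sent" : "dropped";
    },
    // The accept/reject handler calls decide() once with granular state.
    // Queued events are then released or discarded per purpose.
    decide(update) {
      for (const p of Object.keys(update)) {
        if (!PURPOSES.includes(p)) throw new Error("unknown purpose " + p);
        state[p] = update[p] === "granted" ? "granted" : "denied";
      }
      decided = true;
      while (queue.length) dispatch(queue.shift());
      return { ...state, decidedAt: new Date().toISOString() };
    },
    snapshot() {
      return { decided, queued: queue.length, sent, dropped };
    },
  };
}
```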

Gap 2: CCPA "sale" includes server-side data sharing you called "analytics"

The CPRA amended CCPA to include "sharing" for cross-context behavioral advertising as a regulated activity separate from "sale." A DTC brand sending purchase events to Meta CAPI or TikTok's Events API is sharing personal information for cross-context behavioral advertising, full stop. That triggers the "Do Not Sell or Share My Personal Information" link requirement and the obligation to honor the Global Privacy Control signal. A lot of DTC operators I talk to think CAPI is "server-side, so it's exempt." It is not.

Gap 3: no data-subject request workflow

Both regimes give users the right to ask what you have about them and the right to delete it. GDPR calls these access and erasure; CCPA calls them know and delete. Shopify itself exposes some of this through the customer data request admin flow, but the request typically does not reach the rest of the stack: Klaviyo, your reviews app, your CDP, your warehouse, your email service provider. A clean workflow routes a request to every system that holds the user's data and produces a confirmation that each system executed. Most DTC brands I audit do not have this workflow; they have an intern copying the Shopify admin output into an email.

Gap 4: consent stored as state instead of events

This is the same gap I wrote about in the consent-capture-as-event patterns post for regulated intake flows, and it applies equally to DTC. A boolean on a customer profile cannot answer "which version of the policy did they agree to on March 12" when the legal team asks in May. Event-sourced consent, where every interaction writes an immutable row with the hash of the exact policy text, is the only model that survives the audit. Shopify customer profiles do not do this natively; you either add the capture layer yourself or use a consent management platform that exports event history.

Gap 5: third-party apps sharing data without a DPA

Shopify's app ecosystem is wide. Every install that touches customer or order data is a processor/service-provider relationship that should have a data processing addendum (DPA under GDPR) or a service-provider agreement (under CCPA). Most DTC brands install apps without reading the terms. A year later, a data-subject request means contacting twelve apps, several of which have been deprecated, acquired, or changed terms. The pre-merge checklist I use for evaluating vendor risk is the same one in the BAA evaluation patterns post; the top questions are vertical-agnostic.

Gap 6: banners without evidentiary consent records

Consent management platforms produce pretty banners. Few of them produce the evidentiary records regulators actually ask for: the exact banner version shown, the exact consent state at the moment of interaction, the user agent, the timezone, the IP range if relevant. When the legal team asks "can you show me what this user consented to on June 4," the answer needs to be a row, not a screenshot of the banner design system.

If you want the server-side CAPI mechanics that underpin gap 2, the event_id dedup patterns for Shopify cover how the forwards actually work in production. If you are building regulated intake on top of DTC commerce, the regulated DTC healthcare hub covers the commerce-clinical boundary that sits above all of these privacy questions.

For operators who want the tracking-side diagnostics run against a structured rubric, the DTC Stack Audit is the productized version of what I do before accepting a retainer. It surfaces the timing gaps, the pixel-before-consent leaks, and the reconciliation failures that compound with the regulatory gaps above. The tracking rebuild that produced most of the pattern in this post is documented in the Shopify DTC tracking gap case study.


FAQ

Do I need a GDPR representative in the EU if I only ship there occasionally?

If your processing of EU data subjects is regular or includes special-category data, Article 27 requires a representative in the EU. For most DTC brands shipping occasionally to the EU, the honest path is either appoint a representative or block EU traffic at the edge. The middle ground (ship without a representative, hope nobody complains) is where enforcement risk lives.

Does CCPA apply to my Shopify brand if I'm under the $25M revenue threshold?

The revenue threshold is one of three triggers. The other two are processing data of 100,000 or more California residents per year, or earning 50% or more of revenue from selling or sharing personal information. Most DTC brands that use cross-context behavioral advertising will hit the 100,000-resident threshold before they hit the revenue one.

Is Global Privacy Control the same as CCPA's 'Do Not Sell' link?

They are related but distinct. CCPA requires a "Do Not Sell or Share My Personal Information" link that a user can click to opt out. CPRA requires businesses to honor the Global Privacy Control signal, which is a browser-level signal the user can set once that applies across every site. You need to honor both. Most tag managers can read the GPC header; fewer translate it into an actual opt-out on server-side forwards.
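The server-side half of Gap 2 and of this FAQ answer is a per-destination forwarding decision that reads the Global Privacy Control header, the subject's recorded opt-out, and, for GDPR subjects, whether affirmative ad consent exists. The block below is an added example, not code from the post or any ad platform SDK; the destination names, their cross-context classification, and the `consent` shape are assumptions.

```javascript
// Added example: gate server-side forwards on GPC and recorded consent.
// Destination names and their classification are assumptions for illustration.
const DESTINATIONS = {
  meta_capi:       { crossContext: true },  // cross-context behavioral advertising
  tiktok_events:   { crossContext: true },
  google_ads:      { crossContext: true },
  first_party_dwh: { crossContext: false }, // your own warehouse, not a share
};

// Global Privacy Control arrives on the HTTP request as "Sec-GPC: 1".
function gpcSignalled(headers) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  return hit !== undefined && String(hit[1]).trim() === "1";
}

// order.regime is "gdpr" (opt-in) or "ccpa" (opt-out);
// consent = { optedOut: boolean, affirmativeAdConsent: boolean }.
function decideForwards(order, headers, consent) {
  const gpc = gpcSignalled(headers);
  const decisions = {};
  for (const [name, cfg] of Object.entries(DESTINATIONS)) {
    if (!cfg.crossContext) {
      decisions[name] = { forward: true, reason: "first_party" };
    } else if (gpc) {
      decisions[name] = { forward: false, reason: "gpc" };
    } else if (consent.optedOut) {
      decisions[name] = { forward: false, reason: "opt_out" };
    } else if (order.regime === "gdpr" && !consent.affirmativeAdConsent) {
      decisions[name] = { forward: false, reason: "no_consent" };
    } else {
      decisions[name] = { forward: true, reason: order.regime === "gdpr" ? "consented" : "no_opt_out" };
    }
  }
  // A GPC hit must also be persisted as an opt-out, so a later forward that
  // arrives without the header (a webhook replay, a batch job) stays blocked.
  return { orderId: order.id, recordOptOut: gpc && !consent.optedOut, decisions };
}
```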

If I'm using Shopify's native customer privacy banner, am I covered?

The native banner covers the front-end pixel behavior reasonably well for CCPA in jurisdictions where banners are the expectation. It does not, by itself, handle GDPR's affirmative-consent requirement for non-necessary cookies, the evidentiary record of what the user saw, or the propagation of opt-outs to server-side containers and third-party apps. Treat the native banner as a component, not the complete solution.

Are transactional emails covered by GDPR or CCPA?

Transactional emails (order confirmations, shipping notifications) are typically covered by the contract lawful basis under GDPR and the exception for providing a product or service under CCPA. Marketing emails are not. The gap I see most often is marketing emails routed through the same transactional provider with no clear consent distinction, which turns the whole stream into a marketing stream from a regulator's view.

How long do I need to keep consent records?

GDPR does not specify a retention period, but the evidentiary standard in Article 7 effectively requires retention for as long as you continue processing on that consent basis, plus a reasonable window after. Most DTC brands default to retaining consent records for the life of the customer relationship plus the shorter of six years or the applicable statute of limitations. CCPA similarly expects retention matching your business need for demonstration.

Sources and specifics

  • GDPR references: Regulation (EU) 2016/679, Articles 6 (lawful basis), 7 (consent), 15 (access), 17 (erasure), 27 (representatives).
  • CCPA references: California Civil Code sections 1798.100 to 1798.199.100, including CPRA amendments effective 2023. The 100,000-resident threshold is in 1798.140(d)(1)(B).
  • Patterns observed during a Shopify DTC tracking rebuild, Q2 2024, and two subsequent engagements; all anonymized.
  • Server-side CAPI under CCPA "sharing" reflects the California Attorney General's interpretive guidance from 2023 onward; reasonable operators disagree about edge cases.
  • Nothing in this post is legal advice. Before acting on any interpretation, engage privacy counsel for your jurisdiction and facts.
