Privacy Compliance Checklist for New Online Stores (2026)

Launching an online store? Here's the complete privacy compliance checklist — everything you need before your first sale.

2026-03-07

You're launching an online store. You've got your products, your branding, your Shopify or WooCommerce site set up. But have you handled privacy compliance?

With 20 US states now having comprehensive privacy laws — and enforcement ramping up — getting this right before you launch is far cheaper than dealing with it after a complaint or fine.

Here's everything you need, in order of priority.

Before You Launch

1. Scan Your Site

Before you write a privacy policy, you need to know what your site actually does with visitor data. Most store owners are surprised by how many trackers and cookies their theme, apps, and plugins load without their knowledge.

Scan your site with ClearConsent to get a complete picture — trackers, cookies, forms, and missing compliance signals — in under 60 seconds.

2. Privacy Policy

Required by: Every state with a privacy law, plus every major platform (Shopify, Google, Meta, Stripe).

Your privacy policy must cover:

  • [ ] What personal data you collect (names, emails, payment info, browsing data, cookies)
  • [ ] Why you collect it (order fulfillment, marketing, analytics, fraud prevention)
  • [ ] Who you share it with (Shopify, payment processor, shipping carrier, ad platforms, email tools)
  • [ ] Consumer rights by state (access, delete, correct, opt out)
  • [ ] How consumers can exercise those rights (email, form, or link)
  • [ ] Cookie disclosure (what cookies, what they do, how to manage)
  • [ ] Data security measures (HTTPS, encryption)
  • [ ] Do Not Sell / Do Not Share disclosure (if you use ad trackers)

Where to put it: Linked in your site footer, accessible from every page.

3. Cookie Consent Banner

Required by: California, Colorado, Connecticut, Texas, Virginia, and most other states with privacy laws.

Your banner must:

  • [ ] Appear before non-essential cookies are loaded
  • [ ] Allow visitors to accept or reject non-essential cookies
  • [ ] Categorize cookies (essential, analytics, advertising)
  • [ ] Honor Global Privacy Control (GPC) signals
  • [ ] Remember the visitor's preference for return visits
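
The banner requirements above, sketched as an added example (not ClearConsent's code or any real banner's API). All function and tag names are hypothetical, the sample tags are constructed, and treating a GPC signal as a rejection of the advertising category is this example's assumption about how to honor it.

```javascript
// Added example; every name here is hypothetical, not a real banner's API.
const CATEGORIES = ["essential", "analytics", "advertising"];

// stored: choice saved on an earlier visit, or null on a first visit.
// gpc: true when navigator.globalPrivacyControl is true or the request had "Sec-GPC: 1".
function resolveConsent(stored, gpc) {
  // Before any choice is made, only essential cookies may load.
  const consent = { essential: true, analytics: false, advertising: false };
  if (stored && typeof stored === "object") {
    for (const c of ["analytics", "advertising"]) {
      consent[c] = stored[c] === true; // anything but an explicit true stays denied
    }
  }
  // Assumption of this example: GPC overrides a stored opt-in for advertising.
  if (gpc === true) consent.advertising = false;
  return consent;
}

// Return the names of tags that may be injected. A tag with a missing or
// unknown category is blocked, so a newly installed app cannot load by default.
function allowedTags(tags, consent) {
  return tags
    .filter((t) => CATEGORIES.includes(t.category) && consent[t.category] === true)
    .map((t) => t.name);
}

// Persist the choice (first-party cookie or localStorage) for return visits.
function serializeChoice(choice) {
  return JSON.stringify({
    analytics: choice.analytics === true,
    advertising: choice.advertising === true,
  });
}

// Parse a persisted choice; corrupt or non-object values count as "no choice yet".
function parseChoice(raw) {
  try {
    const v = JSON.parse(raw);
    return v && typeof v === "object" ? v : null;
  } catch {
    return null;
  }
}

// Constructed sample tags, one per category plus one with no category declared.
const SAMPLE_TAGS = [
  { name: "checkout-session", category: "essential" },
  { name: "site-analytics", category: "analytics" },
  { name: "ad-pixel", category: "advertising" },
  { name: "mystery-widget" },
];
```

In the page itself, only the tags returned by `allowedTags` would be injected, and the check would run again whenever the visitor changes their choice.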

4. "Do Not Sell or Share" Link

Required by: CCPA (California) and several other states if you use advertising trackers.

  • [ ] Place a "Do Not Sell or Share My Personal Information" link in your footer
  • [ ] Link to a page or mechanism where visitors can opt out
  • [ ] If you use a cookie consent banner, the opt-out can be handled there

5. Consumer Request Process

Required by: All 20 state privacy laws.

You need a way for consumers to:

  • [ ] Request access to their personal data
  • [ ] Request deletion of their personal data
  • [ ] Request correction of inaccurate data
  • [ ] Opt out of data sale and targeted advertising

At minimum, provide a dedicated email address for privacy requests and commit to responding within 45 days (the deadline in most states).

After Launch — Ongoing

6. Review Third-Party Apps and Plugins

Every app you install may add trackers and cookies. When you add a new app:

  • [ ] Re-scan your site to detect new trackers
  • [ ] Update your privacy policy to disclose new data sharing
  • [ ] Ensure your cookie banner blocks new non-essential cookies until consent

7. Weekly or Monthly Re-Scans

Privacy compliance isn't set-and-forget. Apps update, themes change, new trackers appear. Schedule regular re-scans to catch changes before regulators do.

ClearConsent paid plans include automatic weekly re-scans with email alerts when your compliance score drops.

8. Keep Your Privacy Policy Updated

When you add new tools, change marketing platforms, or start collecting new types of data, your privacy policy needs to be updated. A stale policy that doesn't reflect your current practices is almost as bad as no policy at all.

The Quick Start Path

If this checklist feels overwhelming, here's the fastest path:

1. Scan your site at ClearConsent (free, 60 seconds)

2. Sign up for a plan ($9/mo)

3. Generate your privacy policy from scan results (one click)

4. Install the cookie consent banner (paste one line of code)

5. Add the "Do Not Sell" link in your footer

6. Set up a dedicated email address for consumer requests

Total time: under 30 minutes. Total cost: $9/month. Compared to a privacy lawyer ($2,000-$5,000) or a CCPA fine ($7,500 per violation), this is the cheapest insurance your business can buy.

Scan your site free — no signup required.
