Both the GDPR and the CCPA recognize a right to data portability(*). The CCPA considers data portability as part of the right to access,
while the GDPR provides for a separate and distinctive right.
- GDPR: Articles 12, 20 | Recital 68
- CCPA: Sections 1798.100, 1798.110, 1798.130, 1798.145 (g)(3)

While preparing for portability type request, think about these questions:
• Are you able to provide all of the required personal information if a customer asks for it? Try to plan for a request in advance by maintaining a map of all of the personal information you (or the service providers you use, like Shopify) store about your customers.
• Have you considered other service providers that you might use who may have access to your customers’ personal information? These could include third-party apps, channels, and payment gateways.
• Do you have contact information for all of the third-party services you use that might store your customers’ personal information?

Under the GDPR regulations :
- The right to data portability only applies to the personal data that has been provided by the data subject themselves and that is processed on the basis of consent or contract and the processing is carried out by automated means
- Data subjects’ requests must be complied without “undue delay and in any event within 1 month from the receipt of the request.”
The deadline can be extended an 2 additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such extension within one month from the receipt of the request.
- The text extends this right to having the personal data transmitted directly from one controller to another

Under the CCPA regulations :
- The deadline to respond to such a right is 45 days of receipt of the consumer’s request.
It could be extended an additional 45 days, but notice should be given to the consumer within the first 45 days.
-The right applies only to personal information collected in the 12 months prior to the request.
- Businesses are not required to provide access to personal information more than twice in 12 months.
- The scope is limited to allowing consumers receive personal information, and it does not extend to having a business transfer the information to another business.

How do we help you? If you see a new portability request in the dedicated table, you can rest assured that we've already:
Verified the identity of the requester
We do so by verifying that the requester has access to the submitted email address specified while submitting the request, and then ask for a second confirmation before allowing access to the destination page.
Collected IP & browser data about when the request was made & when the requester double confirmed the request in the email, in order to provide more security checks if required later on.
Made available a link allowing the user to download personal data (first name, last name, email, phone, marketing consent, saved addresses, orders & submitted privacy requests like this one - portability request) in a machine readable format (JSON for example).

Shopify also made it easy for you to request data from third party apps installed through the app store. To do so, it is only a couple of steps away :
In your Shopify admin, navigate to the Customers tab.

Search for the email of the customer as provided in the request.

Click ‘Request customer data’ (Please note that this button is only visible to the Account Owner).

The identifiable personal information Shopify stores about that customer will be sent to the Account Owner’s email.
The request is then sent to third party apps you have currently installed on your store. The third party app developers will independently contact you about this request.
You may then combine that information with any other information you may store about the customer and provide it to the customer.

However, If your business (internally, via any third party app or any connected service provider) has more information linked to the submitted email, you should compile all the data from each data user, and send a report to the email during the applicable legal delay.

(*) This is an interpretation and a quick overview of the texts according to our understanding at the moment of the writing, we'll try to keep this up-to-date as actively as possible. Be sure to double check if required as this is not a legal advice.
Was this article helpful?
Thank you!