Restaurant CCPA Compliance

With some of the most stringent consumer privacy laws in the country, California is leading the way in protecting its citizens on the web. Starting on January 1, 2020, restaurants that accept credit cards from California residents must comply with the California Consumer Privacy Act (CCPA). Keep reading to find out what you need to do at your restaurant to stay compliant.

What You Need to Know About Making Your Restaurant CCPA Compliant

1. What do I have to do to become CCPA compliant?

Update your privacy policy to include, at a minimum:

  • What kind of information you collect and process from guests.
  • The reason why you collect and process personal information.
  • How you collect and process the information.
  • How guests can request access to, change, move, or delete their personal information.
  • How you verify the identity of the person who submits one of the requests above.
  • How, why, and to whom personal data is sold.
  • How a guest can opt out of having their information sold.

Get more detailed information about how to write a CCPA compliant privacy policy here.

Update your website:

  • Add your new privacy policy to your website.
  • Add a method to verify a user’s identity when they want to request access to, change, move, or delete their personal information.
  • Include a “Do Not Sell My Personal Information” link so visitors who don’t want their data to be sold can opt out.
  • Include a method for obtaining prior consent from minors to sell their information. Minors who are 13 and older may consent for themselves, while those 12 and under require a parent or guardian to consent for them.

2. Do I need to comply with CCPA if my restaurant is not in California?

CCPA compliance is required of any business, of any size and anywhere in the world, that meets the requirements below.

  1. The business collects the personal data of California residents, AND
  2. The company, its parent company, or a subsidiary meets at least one of the following criteria:
    • An annual gross income of $25 million or more.
    • The company collects personal data from at least 50,000 California residents, households, and/or devices annually.
    • At least 50% of the company’s yearly revenue is generated by selling the personal information of California residents.

If your restaurant is in a bordering state or in an area frequented by many tourists, there is a good chance you may meet the requirements above. If so, keep reading to find out what you need to do to become CCPA compliant.

3. What is considered personal information under CCPA?

The CCPA definition for what constitutes personal information is pretty broad: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

This includes, but is not limited to, first and last names, home addresses, email addresses, phone numbers, IP addresses, purchase history, and any other information that falls under these 11 categories:

  • Identifiers
  • Select Information in Customer Records
  • Legally Protected Characteristics
  • Commercial Purchasing Information
  • Biometric Information
  • Internet or Network Activity
  • Geolocation
  • Information Typically Detected by the Senses
  • Employment Information
  • Education Information
  • Inferences from Above Used to Profile 

4. What will happen to my restaurant if I don’t meet the CCPA requirements?

First, you may receive a non-compliance letter from the Attorney General of California. If you still do not comply within 30 days of receiving the letter, you will be fined up to $2,500 for a non-intentional offense and $7,500 per intentional offense. This means that if you unlawfully and knowingly collect information from 100 California residents, your fine could be up to $750,000.

5. My restaurant is already GDPR compliant. Do I need to do anything?

Being GDPR compliant does not mean you are automatically CCPA compliant. While GDPR laws in the EU are more extensive, they only overlap with some of CCPA’s rules. 

Other Ways CCPA Could Affect Your Restaurant

CCPA will not only affect what you do with your website and email list – there are also stipulations on how you collect information in your restaurant. 

Access Requests

If a guest requests access to their data that you’ve collected, there’s going to be a lot more work involved for you. This is especially true for multi-location and franchised restaurants. All data you collect – from website cookies to a business card they dropped into a bowl for a giveaway – needs to be sourced, verified to be theirs, and handed off to them in a secure way.

Loyalty Programs

If you use a third-party loyalty program to track points, send emails, and calculate rewards, your customers who opt out of data sharing from you or your third-party provider will no longer be able to participate in the program.

Online Ordering or Reservations Apps

Using a third-party ordering or reservations app has the potential to get complicated under the CCPA. Though the third-party provider does most of the heavy lifting in these cases, you could be found in violation if a user’s location, name, email address, or payment information is improperly handled.

For more detailed information on how the CCPA will impact the restaurant industry, you can watch this webinar presented in partnership with the National Restaurant Association and the law firm Davis Wright Tremaine, LLP and subscribe to updates from the Attorney General of California.

Stephanie is a Providence, RI native with a deep love for her little city and all its quirks. When she's not writing about the restaurant industry as Upserve's Content Marketing Coordinator, she's most likely traveling, cooking, trying new restaurants, reading, podcasting, or spending time with family.