With some of the most stringent consumer privacy laws in the country, California is leading the way in protecting its citizens on the web. Starting on January 1, 2020, restaurants that accept credit cards from California residents must comply with the California Consumer Privacy Act (CCPA). Keep reading to find out what you need to do at your restaurant to stay compliant.
What You Need to Know About Making Your Restaurant CCPA Compliant
1. What do I have to do to become CCPA compliant?
- What kind of information you collect and process from guests.
- The reason why you collect and process personal information.
- How you collect and process the information.
- How guests can request access to, change, move, or delete their personal information.
- How you verify the identity of the person who submits one of the requests above.
- How, why, and to whom personal data is sold.
- How a guest can opt out of having their information sold.
Update your website:
- Add a method to verify a user’s identity when they want to request access to, change, move, or delete their personal information.
- Include a “Do Not Sell My Personal Information” link so visitors who don’t want their data to be sold can opt out.
- Include a method for obtaining prior consent from minors to sell their information. Minors who are 13 and older may consent for themselves, while those 12 and under require a parent or guardian to consent for them.
2. Do I need to comply with CCPA if my restaurant is not in California?
CCPA compliance is required of any business, of any size and anywhere in the world, that meets the requirements below.
- The business collects the personal data of California residents, AND
- The company, its parent company, or a subsidiary meets at least one of the following criteria:
  - An annual gross income of $25 million or more.
  - The company collects personal data from at least 50,000 California residents, households, and/or devices annually.
  - At least 50% of the company’s yearly revenue is generated by selling the personal information of California residents.
If your restaurant is in a bordering state or in an area frequented by many tourists, there is a good chance you meet the requirements above. If so, keep reading to find out what you need to do to become CCPA compliant.
3. What is considered personal information under CCPA?
The CCPA definition for what constitutes personal information is pretty broad: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes, but is not limited to, first and last names, home addresses, email addresses, phone numbers, IP addresses, purchase history, and any other information that falls under these 11 categories:
- Select Information in Customer Records
- Legally Protected Characteristics
- Commercial Purchasing Information
- Biometric Information
- Internet or Network Activity
- Information Typically Detected by the Senses
- Employment Information
- Education Information
- Inferences from Above Used to Profile
4. What will happen to my restaurant if I don’t meet the CCPA requirements?
First, you may receive a non-compliance letter from the Attorney General of California. If you still do not comply within 30 days of receiving the letter, you can be fined up to $2,500 per unintentional violation and $7,500 per intentional violation. This means that if you unlawfully and knowingly collect information from 100 California residents, your fine could be up to $750,000.
5. My restaurant is already GDPR compliant. Do I need to do anything?
Being GDPR compliant does not mean you are automatically CCPA compliant. While the EU’s GDPR is more extensive, it overlaps with only some of the CCPA’s rules.
Other Ways CCPA Could Affect Your Restaurant
CCPA will not only affect what you do with your website and email list – there are also stipulations on how you collect information in your restaurant.
If a guest requests access to their data that you’ve collected, there’s going to be a lot more work involved for you. This is especially true for multi-location and franchised restaurants. All data you collect – from website cookies to a business card they dropped into a bowl for a giveaway – needs to be sourced, verified to be theirs, and handed off to them in a secure way.
If you use a third-party loyalty program to track points, send emails, and calculate rewards, your customers who opt-out of data sharing from you or your third-party provider will no longer be able to participate in the program.
Online Ordering or Reservations Apps
Using a third-party ordering or reservations app has the potential to get complicated under the CCPA. Though the third-party provider does most of the heavy lifting in these cases, you could be found in violation if a user’s location, name, email address, or payment information is improperly handled.
For more detailed information on how the CCPA will impact the restaurant industry, you can watch this webinar presented in partnership with the National Restaurant Association and the law firm Davis Wright Tremaine, LLP and subscribe to updates from the Attorney General of California.