Manage information collection and CCPA privacy rights for sellers
About information collection and CCPA privacy rights
The California Consumer Privacy Act of 2018 (CCPA) is a law that provides California residents with certain rights regarding their personal information, and went into effect on January 1, 2020. California residents and customers of Square sellers may have the right to make a data request from those businesses.
When making purchases from some Square sellers, some customers' personal or contact information may be collected. Under the CCPA, California residents and customers of Square sellers may have the right to make a data request from that business.
Before you begin
Ensure you’ve reviewed the Square profile - Privacy Notice for Buyer Features and Square Payto understand what types of information is collected.
Not all Square sellers may be subject to the CCPA.
The CCPA does not apply to data about businesses, including sole proprietorships, or other legal entities, but it does apply to data that businesses or legal entities collect or maintain about individuals who are California residents.
The CCPA defines processing of personal information broadly as any operation or set of operations that are performed on personal information, whether or not by automated means. “Processing” includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Business owners determine the purposes and means of processing customers’ personal information. You are the “business” for purposes of the CCPA if you meet the other criteria for CCPA applicability, such as “doing business” in California and meeting a particular revenue threshold.
When Square processes our sellers’ own personal information, we act as a business under CCPA. Square describes what seller data we collect, how we use it, and with whom we may share it in the Privacy Notice for Square Sellers and Website Visitors. Since Square sellers are themselves businesses, their rights under CCPA differ from the rights that California consumers would have under the law. Through January 1, 2023, there is a limited exemption from CCPA for personal information reflecting communications and transactions between businesses, such as between Square and Square Sellers.
The California Attorney General is responsible for enforcing businesses’ compliance with the CCPA. If you are a California resident, you can visit the Attorney General’s website to find more information about your privacy rights.
Personal information collection
Personal information under CCPA means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. This is a very broad definition. It can include a California resident’s name, phone number, email address or postal address. It also can include records of products or services purchased, purchasing or consuming histories or tendencies, or information a business obtains about an individual’s online activity, such as an IP address or browsing history.
When using Square’s buyer features, personal information is collected in the following ways:
- Contact information: When customers shop with a Square seller and choose to receive a digital receipt and other communications from sellers, customers will be asked to fill in certain contact information, such as their email address or phone number.
- Square profile: When using Square profile, Square passively collects certain information about their device and how they browse or use our portal, such as their IP address, device characteristics, the web pages they click on, and the dates and times of their visits.
At a high level, the CCPA grants individuals who live in California certain rights over their personal information, such as:
- The right to access their personal information.
- The right to delete their personal information.
- The right to opt-out of the “sale” of their personal information.
In addition to honoring and fulfilling these rights, the CCPA also imposes certain other requirements on businesses. For example, the CCPA requires businesses to:
- Disclose specified content in their privacy policies.
- Contractually restrict the activities of “service providers” that process personal information on their behalf.
- Train relevant personnel responsible for CCPA compliance.
Businesses may not discriminate against California residents for exercising their rights under the CCPA. Businesses may offer financial incentives for the collection, sale or deletion of individuals’ personal information only if they obtain opt-in consent.
Manage CCPA information requests
The CCPA applies to for-profit businesses that meet the following criteria:
- Do business in California;
- Collect personal information about California residents;
- Decide how and why the personal information is processed. The business must determine this, either alone or jointly. With others, the purposes and means of processing personal information; and
- Meet one of the following three thresholds under the law:
- Has annual gross revenues in excess of $25,000,000
- Annually buys, sells, or receives or shares for commercial purposes personal information of 50,000 or more California residents, households or devices
- Derives 50% or more of its annual revenues from “selling” California residents’ personal information
Not all Square sellers are subject to CCPA’s obligations. You may wish to consult an attorney or contact the California Attorney General’s office for more information on whether your business is subject to CCPA’s obligations.
An important first step is to confirm the identity of the person making the request. You can ask for evidence of identity to make sure that you are dealing with the correct person and that this is the person who is entitled to receive the information requested. You cannot require your customers to create an account with you to make a request under the CCPA.
Under the CCPA, California residents may request the following details from Square sellers from the preceding 12 months:
- The categories of personal information the seller collected about them.
- The specific pieces of personal information the seller collected about them.
- The categories of sources from which the seller collected the customer’s personal information.
- The business or commercial purposes for collecting or “selling” personal information.
- The categories of personal information that the seller shared with third parties.
- The categories of personal information that the seller “sold” to third parties, and the third parties to whom they “sold” it to.
- The categories of personal information that the seller disclosed for a “business purpose”, and the third parties to whom they disclosed it to.
The CCPA also grants customers the right to:
- Request that the seller delete the personal information the seller collected, subject to certain exceptions.
- If the business “sells” a customer’s personal information, they can opt out of the “sale” of their personal information to third parties.
Once you’ve received a data request, let your customer know that you’re handling their request while working towards providing all relevant information and concluding the request within any required timelines, unless there is an applicable exception set out in the CCPA.
- For access requests, typically you’ll be required to respond fully to a data request within 45 days, although you may be able to seek an extension in limited circumstances. A customer can make up to 2 access requests per 12-month period.
- For deletion requests, the CCPA does not prescribe a required timeframe for deleting a consumer’s personal information. However, unless an exception applies, you should delete the consumer’s information promptly.
- For opt out of sale requests, the CCPA requires businesses to ensure that, going forward, you will not “sell” the consumer’s relevant personal information to third parties. You must offer this choice and honor an opt-out request if you have “sold” customers’ personal information within the meaning of the CCPA.
The information you provide in response to a CCPA access request must be in a readily usable format that lets the consumer transmit this information to another entity without hindrance. If you are unclear about the request being made, you can get in touch with your customer for more clarity to help you respond to the request.
When a customer makes a deletion request, assuming no exception applies, you must delete the customer’s personal information and direct any of your service providers that also maintain that information to delete it from their records.
Information request exemptions
Under the CCPA, businesses are not required to delete personal information if the following applies:
The data is necessary to provide goods or services to a customer.
The data complies with legal obligations.
The data is used to discover and resolve issues related to security or functionality.
If the data has solely internal uses that a consumer would expect.
Penalties for non-compliance
A business can be penalized a maximum of $2,500 for each violation of the CCPA and $7,500 for each intentional violation.
Individuals may also bring a lawsuit against a business for a security breach involving personal information if the breach is a result of the business’s failure to implement and maintain reasonable security procedures and practices.
Submit an information request to Square
If you are a Square seller, you can submit an access, deletion, or correction request by email at privacy@squareup.com or by phone at 1-844-213-7377.
Once your request is received, we’ll verify it by requesting that you confirm certain personal information associated with your account. You may also be entitled to submit a request through an authorized agent.