CCPA for Square Sellers on How to Handle a Data Request from Your Customers

Square is committed to protecting our customers’ privacy rights under CCPA and to helping our sellers comply with CCPA requests from their own customers. While we cannot give you legal advice*, we’ve created support center articles to help you understand how you can use Square’s tools to meet your CCPA compliance obligations.

What is the CCPA and How Does It Impact My Business?

For a quick overview of what the CCPA is all about and how it may apply to you, please visit our CCPA FAQs.

From January 1, 2020, under the CCPA, California residents are entitled (subject to certain limits) to request the following from “businesses” who manage their personal information:

• Certain details about the personal information that is being held about them by the business, including:

  • the categories of personal information collected about that consumer;

  • the categories of sources from which that personal information was collected;

  • the business or commercial purposes for collecting or selling the information;

  • the categories of third parties with whom the business shared the consumer’s personal information;

  • the specific pieces of personal information the business collected about that consumer;

  • if the business discloses the personal information for a business purpose, the categories of information the business disclosed for a business purpose and the categories of third parties to whom the information was disclosed for a business purpose;

  • if the business “sells” the personal information, the categories of personal information “sold” and the categories of third parties to whom the information was sold

• To have the personal information the seller collected from the consumer deleted

• If the business “sells” the consumer’s personal information, to opt out of the sale of their personal information to third parties

As a business owner, you determine the purposes and means of processing customers’ personal information. You are the “business” for purposes of the CCPA if you meet the other criteria for CCPA applicability, such as “doing business” in California and meeting a particular revenue threshold (more information about this can be found in our CCPA FAQs).

Personal information under CCPA means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. This is a very broad definition. It can include a California resident’s name, phone number, email address or postal address. It also can include records of products or services purchased, purchasing or consuming histories or tendencies, or information a business obtains about an individual’s online activity (e.g., IP address, browsing history, etc.).

You should familiarize yourself with what personal information you may have related to your customers who are California residents.

Steps to Consider If You Get Data Requests From Your Customers

Determine Your CCPA Obligations If You Have Not Already Done So

Not all Square sellers will be subject to CCPA’s obligations. You may wish to consult an attorney or contact the California Attorney General’s office for more information on whether your business is subject to CCPA’s obligations.

If you have determined you have an obligation to comply with CCPA:

Verify Their Identity

An important first step is to confirm the identity of the person making the request. You can ask for evidence of identity to make sure that you are dealing with the correct person and that this is the person who is entitled to receive the information requested. You cannot require your customers to create an account with you to make a request under the CCPA.

Comply with the Request

Once you have received a data request, you can let your customer know that you are dealing with their request while working towards providing all relevant information and concluding the request within any required timelines, unless there is an applicable exception set out in the CCPA.

For access requests, typically you will be required to respond fully to a data request within 45 days, although you may be able to seek an extension in limited circumstances. A customer can make up to 2 access requests per 12-month period.

For deletion requests, the CCPA does not prescribe a required timeframe for deleting a consumer’s personal information. However, unless an exception applies, you should delete the consumer’s information promptly.

For opt out of sale requests, the CCPA requires businesses to ensure that, going forward, you will not “sell” the consumer’s relevant personal information to third parties. You must offer this choice and honor an opt-out request if you have “sold” customers’ personal information within the meaning of the CCPA (more information about this can be found in our CCPA FAQs).

If you are unclear about the request being made, you can get in touch with your customer for more clarity to help you respond to the request.

How Can I Comply?

When a customer makes an access request, there is specific information you must provide when responding:

• the categories of personal information you collected about that consumer;

• the specific pieces of personal information you collected about that consumer;

• the categories of sources from which you collected that personal information;

• the business or commercial purposes for collecting or selling the information;

• the categories of third parties with whom you shared the consumer’s personal information;

• if you disclose the personal information for a business purpose, the categories of information you disclosed for a business purpose and the categories of third parties to whom you disclosed it; and

• if you “sell” personal information, the categories of personal information “sold” and the categories of third parties to whom you “sold” the information.

Your response to an access request must cover what you have done with the consumer’s information over the preceding 12 months. In addition, the information you provide in response to a CCPA access request must be in “a readily usable format” that lets the consumer transmit this information to another entity “without hindrance.”

When a customer makes a deletion request, assuming no exception applies, you must delete the customer’s personal information and direct any of your service providers that also maintain that information to delete it from their records.

When a customer opts out of the “sale” of their personal information, you must ensure that, going forward, you will not “sell” the consumer’s relevant personal information to third parties. As indicated above, you must offer this choice and honor an opt-out request if you have “sold” customers’ personal information within the meaning of the CCPA.

Tools and Tips

We will be providing a few tips to our sellers to help you respond to requests you receive from your customers regarding Square-processed personal information.
Separately, if your customer has used Buyer Features, then they can exercise their rights for those features here directly with Square.
In addition to fulfilling any request yourself, make sure you also consider any app integrations you have authorized or built using your Square account. For example, have you authorized any third party apps through the Square app marketplace to access customer data within your Square account? If so, make sure that you also account for these integrations when responding to your customer’s data request.

Transfer the Information Securely to the Requester

If the customer maintains an account with you, the CCPA requires that your response to the customer’s access request be delivered through the customer’s account. Otherwise, you should provide your response to a CCPA access request by mail or electronically, depending on your customer’s preference. You should send out any information requested in a secure manner, such as through a file-sharing service that sends files using encrypted transmission.

No Charge

You cannot charge your customers for the handling of personal information requests under the CCPA unless those requests are manifestly unfounded or excessive, in particular because of their repetitive character.

Track Your Compliance

It is a good idea to track when these requests come in so that you can respond to them within the required timeframe. It is also a good idea to keep a record of the request and any search carried out, so that if you are ever questioned about the request in the future, you will be better prepared to demonstrate your business’s compliance.

You can fulfill your customers’ CCPA requests (pertaining to Square-processed data) by accessing the CCPA tab in the Account & Settings section of your online Square Dashboard. There you have the ability to process your customers’ requests and to maintain a log of your handling of the customers’ requests for future reference.

Other Tips

As a business, you should keep yourself informed about your responsibilities under the CCPA and make your employees and suppliers equally aware. In addition to this being good business practice, this will help you avoid running afoul of the CCPA.

If CCPA applies to your business, the maximum penalties for not complying with the law are $2,500 per violation of the CCPA (or up to $7,500 for each intentional violation). If the Attorney General has reason to believe a business has violated the CCPA, the business has 30 days to cure that violation after being notified that it may be noncompliant.

In addition, the CCPA provides a private right of action for certain data breaches, meaning customers may be able to sue in the event of a breach affecting their unencrypted and unredacted personal information.

For more information, please read our CCPA FAQs.

The California Attorney General is responsible for enforcing businesses’ compliance with the CCPA. You can visit the Attorney General’s website to find more information about business’s obligations under the CCPA, how to manage the personal data you store, and how to deal with data requests.

This article is intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the CCPA to provide guidance tailored to your specific circumstances.