At Square, we are committed to the protection of individuals’ data and privacy rights, and we strive to help our sellers comply with their privacy obligations.
What is the CCPA?
The CCPA is an acronym given to the California Consumer Privacy Act of 2018, a law that provides California residents with certain rights regarding their personal information.
When does it come into effect?
The CCPA comes into effect on January 1, 2020.
What information does the CCPA apply to?
The CCPA applies to personal information that certain businesses process about individuals who live in California. The CCPA does not apply to data about businesses (including sole proprietorships) or other legal entities, but it does apply to data that businesses or legal entities collect or maintain about individuals who are California residents (e.g., their customers).
What is personal information under the CCPA?
Personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. It can include a California resident’s name, phone number, email address or postal address. It also can include records of products or services purchased, purchasing or consuming histories or tendencies, or information a business obtains about an individual’s online activity (e.g., IP address, browsing history, etc.).
You should familiarize yourself with what personal information you may have about your customers (and other individuals) that are California residents.
Who has to comply with the CCPA?
The CCPA applies to for-profit “businesses” that:
Do business in California;
Collect personal information about California residents;
Decide how and why the personal information is processed; the business must determine, either alone or jointly with others, the purposes and means of processing the PI; and
Meet one of the following three thresholds under the law:
Has annual gross revenues in excess of $25,000,000;
Annually buys, sells, or receives or shares for commercial purposes personal information of 50,000 or more California residents, households or devices;
Derives 50% or more of its annual revenues from “selling” California residents’ personal information.
What is “Processing” under the CCPA?
CCPA defines processing of personal information broadly as any operation or set of operations that are performed on personal information, whether or not by automated means. “Processing” includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What does the CCPA require?
At a high level, the CCPA grants individuals who live in California certain rights over their personal information, such as:
The right to access their personal information;
The right to delete their personal information;
The right to opt-out of the “sale” of their personal information;In addition to honoring and fulfilling these rights, the CCPA also imposes certain other requirements on businesses. For example, the CCPA requires businesses to:
Disclose specified content in their privacy policies;
Contractually restrict the activities of “service providers” that process personal information on their behalf; and
Train relevant personnel responsible for CCPA compliance
Businesses may not discriminate against California residents for exercising their rights under the CCPA. Businesses may offer financial incentives for the collection, sale or deletion of individuals’ personal information only if they obtain opt-in consent.
What is the difference between a “Business” and a “Service Provider”?
As mentioned in FAQ 5, the CCPA applies to “businesses” that meet certain factors. Under CCPA, a “business” calls the shots as to why and how personal information is processed.
In contrast, a “service provider” processes personal information on behalf of a business pursuant to a written contract that prohibits the service provider from retaining, using or disclosing the personal information it receives from the business other than to perform the services in the contract. Unlike a business, a service provider does not determine the purposes and means of the processing of the personal information it receives from a business.
What are the penalties for not complying with the CCPA?
A business may be penalized a maximum of $2,500 for each violation of the CCPA and $7,500 for each intentional violation.
Individuals also may bring a lawsuit against a business for a security breach involving personal information if the breach is a result of the business’s failure to implement and maintain reasonable security procedures and practices.
What information are my customers able to request under the CCPA?
If you are a Business, the CCPA sets out what kinds of requests your California customers can make about their personal information. For example, if you are a “business” under CCPA, your California customers are entitled to request the following about your information practices in the preceding 12 months:
the categories of personal information collected about that consumer;
the categories of sources from which that personal information was collected;
the business or commercial purposes for collecting or selling the information;
the categories of third parties with whom the business shared the consumer’s personal information;
the specific pieces of personal information the business collected about that consumer;
if the business discloses the personal information for a business purpose, the categories of information the business disclosed for a business purpose and the categories of third parties to whom the information was disclosed for a business purpose; and
if the business “sells” the personal information, the categories of personal information “sold” and the categories of third parties to whom the information was sold
This information must be provided to individuals securely in a readily usable format that allows them to transmit the information from one entity to another without hindrance.
Your California customers also have the right to request the deletion of their personal information, subject to certain exceptions enumerated under the CCPA.
What is a “Sale” under the CCPA?
The CCPA defines “sale” differently than what most people may think of as a “sale.” It defines a “sale” of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
Data shared with companies that qualify as a “service provider” under CCPA is not a “sale” under the law. Square acts as our Sellers’ service provider under CCPA, as described in our updated terms of service.
Sellers who are considered “businesses” under CCPA should consider whether anything else they do with their customers’ or employees’ data could be considered a “sale” under the CCPA. If it is, CCPA may require Sellers to place a clear and conspicuous link on their website titled “Do Not Sell My Personal Information.” That link must lead to a web page that enables individuals to opt out of the sale of their personal information.
Is Square a business or a service provider?
When we process our Sellers’ own personal information, we act as a business under CCPA. Square describes what seller data we collect, how we use it and with whom we may share it in our Seller Privacy Notice. Since Square Sellers are themselves businesses, their rights under CCPA differ from the rights that California consumers would have under the law. Through January 1, 2021, there is a limited exemption from CCPA for personal information reflecting communications and transactions between businesses, such as between Square and Square Sellers.
Square acts primarily as a service provider with respect to the personal information we process about the customers who transact with Square sellers. For example, when a customer makes a purchase with a Square seller, we process the transaction as a service provider on the seller’s behalf.
We also offer certain features directly to customers who transact with Square sellers. We call these our “Buyer Features.” Customers can learn more about the data we collect for the “Buyer Features” in our Privacy Notice for Square Buyer Features. California customers can exercise their rights under CCPA for the Buyer Features by going to Square profile.
Are Square Sellers businesses or service providers?
Square sellers may be “businesses” with respect to the personal information they process about their California customers. This means that Square sellers are responsible for understanding their responsibilities as “businesses” under the CCPA.
We will be providing tools to our sellers to help you respond to requests you receive from your customers.
What are Square’s obligations under the CCPA?
Square is committed to safeguarding the data we manage and protecting privacy rights under the CCPA.
As indicated in FAQ 12, above, Square primarily acts as a service provider to sellers when we process your customers’ personal information. For customers who interact with our Buyer Features, our Privacy Notice for Square Buyer Features describes how Square processes their personal information in accordance with the CCPA and how they can exercise their rights under CCPA.
For Square sellers, you can view our relevant privacy notice here.
If you are a seller that has an account with us, you can find Square’s privacy notice that applies to Sellers on our website. Your customers who choose to use our Buyer Features, including our Buyer Portal, can find the privacy notice that applies to them on our website as well.
For visitors to our Squareup.com website who do not have an account with us and do not use the Buyer Features, please check out our website privacy notice.
I’m a Square Seller. How do I make a data request to Square under CCPA?
The CCPA’s access and deletion rights do not apply to the information Square holds about our sellers and their personnel in their capacity as employees of a Square seller. This is because Square and our sellers are considered businesses under the CCPA, and therefore the information Square collects from you is exempt from certain requirements of the CCPA that only apply to individual consumers. Regardless of whether the law gives you new rights, however, you have the ability to access much of your personal information directly via your online Square Dashboard.
To learn more about how we process your information and what rights you have as a Seller, see our privacy notice.
I’m a Square Seller. What do I do if my customer makes a data request under the CCPA?
For more information, please see our article directed towards Square sellers.
I am a customer of a Square Seller. How do I make a data request under the CCPA?
We generally act as a service provider to Square Sellers, who are business owners and operators. If you are a California resident and the customer of a Seller that uses Square, you may have the right to request certain information from that Seller regarding the personal information they collect about you. Please make any personal information requests that you have directly to the relevant Square Seller. Please note that not all Square Sellers will be subject to CCPA. Learn more about how to make a CCPA data request in our Support Center.
If you are a Square Seller’s customer and you have elected to use our Buyer Features, you can exercise your choices and make requests about the data we use for the Buyer Features by going to Square profile.
What are some exemptions to the CCPA?
Through January 1, 2021, there is an exemption from CCPA for personal information exchanged between businesses (such as between Square and Square Sellers). Personal information collected from or about an employee, owner, director, officer, or contractor of a business is exempt from certain CCPA requirements, if that information is collected in the course of business to business communications and transactions within the context of a business providing or receiving a product or service from another. However, this exemption does not apply to the right to opt-out of the sale of personal information, the obligation not to discriminate against consumers for choosing to exercise other rights, or the private right of action in the event of a data breach.
Businesses also do not need to delete personal information if, among other exceptions, that data is necessary to provide goods or services to a customer; comply with legal obligations; discover and resolve issues related to security or functionality; or solely internal uses that a consumer would expect.
These FAQs are intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the CCPA to provide guidance tailored to your specific circumstances.