California Consumer Privacy Act Overview

Toast is committed to ensuring that individuals that provide personal information to Toast and our customers trust that their information is being adequately protected and managed in line with their expectations and in accordance with the applicable data privacy legislation. Part of this commitment means that our customers have the appropriate information and tools on hand to understand their obligations and how Toast can support certain aspects of these obligations.  

This guidance note is intended to provide information to our customers on the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, or “CPRA”) (CCPA) and their potential responsibilities in this area. The contents of this guidance note should not be construed as legal advice. If you have any questions about the applicability of the CCPA to your business or your obligations, we recommend reaching out to your own independent legal counsel.
 

In this Article: 

California Consumer Privacy Act (CCPA) Overview

What Is the CCPA?

The CCPA is a California data privacy law establishing requirements for how businesses must collect and process the personal information of California residents that goes into effect on January 1, 2020. The CCPA establishes individual rights (e.g., a right to access their information and a right to deletion) that may be invoked by individuals to provide greater transparency as to how businesses use their data as well as additional control over their information.

What Is the CPRA?

The California Privacy Rights Act will come into effect on January 1, 2023 (“CPRA”). It amends the CCPA, meaning that requirements created by the CPRA are now part of the CCPA.

The requirements in the CPRA build on those previously established in the CCPA. The CPRA expands on the rights that individuals may exercise with respect to their personal information, and imposes additional requirements on businesses that collect and process individuals’ personal information. This includes an employer’s obligations towards employees’ personal information, and personal information that a business collects/ processes in a business-to-business context.
 

What Is Personal Information Under the CCPA?

Personal information under the CCPA is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Therefore, your customer’s name, address, email, and phone number are all personal information, but so is their order history and feedback if it's connected to or can be associated with that individual. 
 

Does the CCPA Affect My Business? [Updated to Reflect CPRA Criteria

It depends. The CCPA governs the collection and use of California residents’ personal information and applies to businesses that meet one of the following criteria:

• • As of January 1, have annual gross revenues in excess of $25 million in the preceding calendar year;
  • Annually buy, receive, sell, or share the personal information of 100,000 or more customers for commercial purposes; or
  • Derive 50% or more of its annual revenue from selling or sharing customers’ personal information.

The CCPA may also apply to your business if it's controlled by or shares common branding (e.g., shared name, service mark, or trademark) with a business that meets one of the criteria above. If you're unsure whether the CCPA applies to you, please consult with your own independent legal counsel. 
 

Recommended Activities if Your Business Must Comply With the CCPA

1. Think about your data and develop a data inventory: Although not required under the CCPA, understanding what personal information you collect, where you collect it from, how you use it, who you share it with, and how long you retain it are important for effective CCPA compliance in other areas (e.g. notice disclosures and individual rights obligations). 
2. Think about how you collect information and disclosures: The CCPA requires businesses to provide information to in-scope individuals at the point where information is collected. This could apply whether someone is a consumer, an employee, or otherwise. Consider where personal information is collected and whether you have the appropriate disclosures and notices in place. In some cases, privacy policies may also be required. 
3. Address individual rights compliance: The CCPA prescribes a number of information rights (e.g. right to access, right to deletion) that are described in additional detail in this guidance note. It's important that in-scope businesses understand the nature of these requests and develop a process to comply should a request come in. 
4. Identify if you sell any personal information: The CCPA imposes additional obligations if an in-scope business “sells” personal information. At a high level, a “sale” of personal information means that you're collecting personal information and then providing it to a third party that is using the data independently outside of any services they are performing on your behalf for some type of consideration. The transfer of money is not necessarily a requirement for a “sale”.  
5. Implement appropriate security controls: In addition to other legislation, the CCPA imposes additional security requirements for businesses that process personal information. It's important that businesses understand the nature of the information they're collecting and managing and that appropriate security measures are put into place to protect that information. 

Additional Considerations to Address CPRA Requirements

If your business has already gone through a CCPA compliance initiative, here is some guidance on how you might think about updating your existing processes to comply with updates brought in by the CPRA.

If you haven’t yet prepared for the CCPA, the list of is a good place to start, then continue on to the following list:
 

1. Data inventory: Make sure that your data inventory is up to date so that you can assess what data you have that is in scope for CPRA and what your obligations are under the CPRA.
2. Update Individual Rights processes: The CPRA expands the rights that individuals may exercise over their personal data. See below in the section called “Individual Rights under the CCPA” for further guidance on the updates.
3. Identify if you “share” personal information: The CPRA imposes additional obligations if an in-scope business “shares” personal information. At a high level, “sharing” personal information means that you are "disclosing personal information . . . to a third party for cross-context behavioral advertising, regardless if you receive any kind of payment.” The CPRA adds a requirement to disclose if your business “shares” information and to allow individuals to opt out of such sharing.
4. Update your disclosures, notices, and links: Make sure that your privacy statement includes any information that you are required to disclose, including details around the use and retention of sensitive personal information. If your business “shares” personal information, make sure that you have any required links on your website. Some businesses are required to report metrics around individual rights requests they receive. If your business offers financial incentives associated with the processing of personal information (e.g. via a loyalty program), you may have additional disclosure, consent, and other requirements.
5. Vendors and Employees: The CPRA imposes new requirements for vendors such as service providers, and contractors (both defined in the CPRA). The CPRA also extends individual rights to employees. Consider reviewing contracts, disclosures, and supporting procedures for these groups.

Individual Rights Under the CCPA [Updated With CPRA Requirements]

Individual Rights Overview

The CCPA details a number of individual rights that your customers or employees may be able to exercise depending on the applicability of the CCPA to your business. The CPRA expands and replaces the set of individual rights that individuals may exercise.

• The right of access: Individuals have the right to access certain data for the preceding 12-month period, upon verification of their identity: (i) the categories of personal information collected, (ii) the categories of sources where the personal information was collected, (iii) the business or commercial purposes for collecting (or where applicable, selling or sharing) the personal information, (iv) the categories of personal information that were disclosed to third parties for a business purpose along with the corresponding recipients, (v) the categories of personal information sold or shared along with the corresponding recipients, and (vi) the specific pieces of personal information collected about the individual.
• The right of deletion: Individuals have the right to request businesses delete personal information that it has collected from them, subject to certain exceptions.
• The right of correction: Individuals have the right to request that an in-scope business correct inaccurate personal information, subject to certain conditions.
• The right to opt out of the sale or sharing of personal information: Individuals have the right to request that an in-scope business refrain from selling or sharing personal information it has collected about them to third parties now or in the future. Individuals under the age of 16 have the right to opt in (or have a parent or guardian opt in on their behalf), to such sales or sharing.
• The right to limit the use and disclosure of sensitive personal information: Individuals have the right to limit the use or disclosure of that sensitive personal information, subject to certain exceptions.
• The right of access to and to the ability to opt out of automated decision-making technology: Individuals have the right to access information pertaining to automated decision-making technologies and the ability to opt out. This right will likely be subject to clarification via further regulation.
• The right against discrimination and retaliation: Individuals have the right to not be discriminated or retaliated against as a result of exercising any of the above rights.

Note: the personal information of employees, and personal information processed in a business-to-business context are now subject to the requirements of the CPRA, including individual rights requests.

This is a high-level summary of the individual rights under the CCPA. There are additional requirements in relation to each right as well as many exceptions where these rights may not be able to be invoked depending on the specific circumstances. Additionally, in-scope businesses are required to establish intake channels (e.g. a toll-free phone number, email, website form) to ensure that individuals have the ability to submit these rights requests. 

Please consult with your independent legal counsel to determine the applicability of the CCPA to your business and the applicability of the above rights to determine if you need to comply with an individual’s request.
 

Individual Rights Considerations Under the CCPA

Below are some considerations when you receive an individual rights request from one of your customers or employees:

• Identity verification: In-scope businesses need to verify the identity of the individual making the request before providing them with the information they have requested. This prevents the disclosure of information to individuals that do not have a right to it. Think about what personal information you hold and the types of information that you may need from an individual to verify their identity within your business. Examples may include, but are not limited to names, email addresses, phone numbers, or information such as an employee identification number or a loyalty account number. Note that under the CCPA, a request can also be submitted by an authorized agent acting on behalf of the individual. 
• Applicability determination: After identity verification, the next determination is whether or not the individual is entitled to have the request fulfilled. The CCPA provides numerous instances where a business is not required to fulfill an individual rights request. This makes sense in certain cases, as a party to an active contract or an existing employee may not be entitled to complete deletion given the need to maintain their information. We recommend familiarizing yourself with the circumstances as to when each right applies. 
• Timelines and communication: The CCPA imposes a number of timelines not only for the fulfillment of the right itself but also in relation to when you need to communicate with the requestor. It is important to ensure that you are aware of these timelines. In parallel with the deadlines, communication with the individual making the request is also important. It may be important to clarify the individual’s request if it is too broad or if you would like more clarity. Communication is also important to ensure that you properly verify the identity of the individual and determine whether or not their request is permissible under the CCPA. 
• Rights fulfillment: In order to fulfill individual rights requests under the CCPA, in-scope businesses need to understand what personal information they collect, how it is used, and how they share that information. For example, if you do not know what personal information you hold or how it's shared, providing information to an individual pursuant to an access request or being able to understand what you must delete as part of a deletion request will be difficult. The CCPA outlines a number of requirements specific to what needs to be provided to an individual so we recommend you read the CCPA to understand these requirements and engage an independent legal counsel if you have any questions. 

In certain cases, Toast may be able to support our customers with individual rights fulfillment. To learn more, check out this Support Center article, , which outlines where Toast is able to assist during this process.