On January 1st, 2020, the California Consumer Privacy Act (CCPA) comes into effect. The Act is intended to give residents of the state of California more control over how their personal information is used by businesses.
Read on to see if this legislation applies to your restaurant business, and how to comply with it.
Who Does the CCPA Apply to?
The CCPA regulations apply to you if you do business in California, and satisfy any one or more of the following thresholds:
- Your business has annual gross revenues in excess of $25 million.
- You store the personal information of 50,000 or more consumers.
- You earn more than half of your annual revenue selling consumers' personal information.
Complying with CCPA
If you meet even one of the thresholds above, you are required to "implement and maintain reasonable security procedures and practices" in protecting consumer data.
Consumers have the right to ask you what information is being collected about them, why, and whether it is being sold. You must disclose this within 45 days of a verifiable request, and disclosure must include data collected from the consumer in the last 12 months.
Consumers also have the right to ask you to delete personal information, with some exceptions, for example, information does not need to be deleted if it is necessary in order to "provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer."
A fine up to $7,500 can be levied for each intentional violation of the regulations, and $2,500 for each unintentional violation. Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages.
Consumer Information in SpeedLine
Through the SpeedLine® point-of-sale and SpeedDine® online ordering software, various consumer information is recorded. The lists below outline what is collected, and what that information is used for:
- Names, phone numbers, email addresses, and delivery addresses are needed in order to contact the customer about their order, and to deliver their food in the case of delivery orders.
- Users can optionally provide an email address to receive commercial email.
- Customer purchases are recorded for reporting purposes, and to make re-ordering faster and more convenient.
SpeedDine-Specific:
- An optional password can be used to identify the consumer on the SpeedDine service. This password is stored hashed and encrypted, meaning it cannot be read as originally entered, and is not known to anyone.
- On SpeedDine, the IP (Internet Protocol) address of the user is tracked, as is their browser, device type, and screen size. Depending on what information consumers share with Google, this may also include gender and inclusion in an age range (specific age is not tracked). This information cannot be used to identify individual consumers.
- On SpeedDine, geolocation data is used to determine the closest franchise store to the consumer's current location.
- Summary Internet and hardware information gleaned through SpeedDine is also shared with the Google Analytics system, but none of that technical information can be used to identify individual consumers.
The consumer information remains in the store in the SpeedLine system, and/or in restaurant head office reporting systems. The information is never sold by SpeedLine.
Note: SpeedLine has provided this content for informational purposes only, and not for the purpose of providing legal advice. You should contact your attorney to obtain professional advice with respect to any particular issue.
