CCPA FAQ
At Square, we are committed to the protection of individual's data and privacy rights, and we strive to help our sellers comply with their privacy obligations.
The CCPA is an acronym given to the California Consumer Privacy Act of 2018, a law that provides California residents with certain rights regarding their personal information.
The CCPA applies to personal information that certain businesses process about individuals who live in California. The CCPA does not apply to data about businesses (including sole proprietorships) or other legal entities, but it does apply to data that businesses or legal entities collect or maintain about individuals who are California residents (e.g., their customers).
Personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. It can include a California resident’s name, phone number, email address or postal address. It also can include records of products or services purchased, purchasing or consuming histories or tendencies, or information a business obtains about an individual’s online activity (e.g., IP address, browsing history, etc.).
You should familiarize yourself with what personal information you may have about your customers (and other individuals) that are California residents.
The CCPA applies to for-profit “businesses” that:
- Do business in California;
- Collect personal information about California residents;
- Decide how and why the personal information is processed; the business must determine, either alone or jointly with others, the purposes and means of processing the PI; and
- Meet one of the following three thresholds under the law:
- Has annual gross revenues in excess of $25,000,000;
- Annually buys, sells, or receives or shares for commercial purposes personal information of 50,000 or more California residents, households or devices;
- Derives 50% or more of its annual revenues from “selling” California residents’ personal information.
CCPA defines processing of personal information broadly as any operation or set of operations that are performed on personal information, whether or not by automated means. “Processing” includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
At a high level, the CCPA grants individuals who live in California certain rights over their personal information, such as:
- The right to access their personal information;
- The right to delete their personal information;
- The right to opt-out of the “sale” of their personal information
In addition to honoring and fulfilling these rights, the CCPA also imposes certain other requirements on businesses. For example, the CCPA requires businesses to:
- Disclose specified content in their privacy policies;
- Contractually restrict the activities of “service providers” that process personal information on their behalf; and
- Train relevant personnel responsible for CCPA compliance.
Businesses may not discriminate against California residents for exercising their rights under the CCPA. Businesses may offer financial incentives for the collection, sale or deletion of individuals’ personal information only if they obtain opt-in consent.
As mentioned above, the CCPA applies to “businesses” that meet certain factors. Under CCPA, a “business” calls the shots as to why and how personal information is processed.
In contrast, a “service provider” processes personal information on behalf of a business pursuant to a written contract that prohibits the service provider from retaining, using or disclosing the personal information it receives from the business other than to perform the services in the contract. Unlike a business, a service provider does not determine the purposes and means of the processing of the personal information it receives from a business.
A business may be penalized a maximum of $2,500 for each violation of the CCPA and $7,500 for each intentional violation.
Individuals also may bring a lawsuit against a business for a security breach involving personal information if the breach is a result of the business’s failure to implement and maintain reasonable security procedures and practices.
If you are a Business, the CCPA sets out what kinds of requests your California customers can make about their personal information. For example, if you are a “business” under CCPA, your California customers are entitled to request the following about your information practices in the preceding 12 months:
- the categories of personal information collected about that consumer;
- the categories of sources from which that personal information was collected;
- the business or commercial purposes for collecting or selling the information;
- the categories of third parties with whom the business shared the consumer’s personal information;
- the specific pieces of personal information the business collected about that consumer;
- if the business discloses the personal information for a business purpose, the categories of information the business disclosed for a business purpose and the categories of third parties to whom the information was disclosed for a business purpose; and
- if the business “sells” the personal information, the categories of personal information “sold” and the categories of third parties to whom the information was sold.
This information must be provided to individuals securely in a readily usable format that allows them to transmit the information from one entity to another without hindrance.
Your California customers also have the right to request the deletion of their personal information, subject to certain exceptions enumerated under the CCPA.
The CCPA defines “sale” differently than what most people may think of as a “sale.” It defines a “sale” of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
Data shared with companies that qualify as a “service provider” under CCPA is not a “sale” under the law. Square acts as our Sellers’ service provider under CCPA, as described in our updated terms of service.
Sellers who are considered “businesses” under CCPA should consider whether anything else they do with their customers’ or employees’ data could be considered a “sale” under the CCPA. If it is, CCPA may require Sellers to place a clear and conspicuous link on their website titled “Do Not Sell My Personal Information.” That link must lead to a web page that enables individuals to opt out of the sale of their personal information.
Sellers’ Data
When we process our Sellers’ own personal information, we act as a business under CCPA. Square describes what seller data we collect, how we use it and with whom we may share it in our Seller Privacy Notice. Since Square Sellers are themselves businesses, their rights under CCPA differ from the rights that California consumers would have under the law. Through January 1, 2023, there is a limited exemption from CCPA for personal information reflecting communications and transactions between businesses, such as between Square and Square Sellers.
Consumer Data
Square acts primarily as a service provider with respect to the personal information we process about the customers who transact with Square sellers. For example, when a customer makes a purchase with a Square seller, we process the transaction as a service provider on the seller’s behalf.
We also offer certain features directly to customers who transact with Square sellers. We call these our “Buyer Features.” Customers can learn more about the data we collect for the “Buyer Features” in our Privacy Notice for Square Buyer Features. California customers can exercise their rights under CCPA for the Buyer Features by going to Square profile.
Square sellers may be “businesses” with respect to the personal information they process about their California customers. This means that Square sellers are responsible for understanding their responsibilities as “businesses” under the CCPA.
We will be providing tools to our sellers to help you respond to requests you receive from your customers.
Square is committed to safeguarding the data we manage and protecting privacy rights under the CCPA.
As indicated in FAQ 12, above, Square primarily acts as a service provider to sellers when we process your customers’ personal information. For customers who interact with our Buyer Features, our Privacy Notice for Square Buyer Features describes how Square processes their personal information in accordance with the CCPA and how they can exercise their rights under CCPA.
For Square sellers, you can view our relevant privacy notice.
If you are a seller that has an account with us, you can find the Square privacy notice that applies to Sellers on our website. Your customers who choose to use our Buyer Features, including our Buyer Portal, can find the privacy notice that applies to buyers on our website as well.
For visitors to our Squareup.com website who do not have an account with us and do not use the Buyer Features, please check out our website privacy notice.
If you are a Square Seller, you may submit an access, deletion, or correction request by emailing us at privacy@squareup.com or by calling us at 1 844 213 7377. Once we receive your request, we will verify it by requesting that you confirm certain personal information associated with your account. You may also be entitled to submit a request through an authorized agent.
For more information, please see our article directed towards Square sellers.
We generally act as a service provider to Square Sellers, who are business owners and operators. If you are a California resident and the customer of a Seller that uses Square, you may have the right to request certain information from that Seller regarding the personal information they collect about you. Please make any personal information requests that you have directly to the relevant Square Seller. Please note that not all Square Sellers will be subject to CCPA. Learn more about how to make a CCPA data request in our Support Center.
If you are a Square Seller’s customer and you have elected to use our Buyer Features, you can exercise your choices and make requests about the data we use for the Buyer Features by going to Square profile.
Under CCPA, businesses are not required to delete personal information if, among other exceptions, that data is necessary to provide goods or services to a customer; comply with legal obligations; discover and resolve issues related to security or functionality; or solely internal uses that a consumer would expect.
These FAQs are intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the CCPA to provide guidance tailored to your specific circumstances.