Vend and the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) comes into force on 1 January 2020 and provides California residents with specific rights in respect of their personal information. The CCPA will likely apply to you if your company is based in California or if you have customers or contacts in California.

The purpose of this guide is to give you details on Vend's approach to the CCPA and to provide you with an overview of the requirements to help you with your compliance.

This guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional advisers to determine exactly how the CCPA may apply to your organisation.


What is Vend doing to prepare for CCPA?

As with the General Data Protection Regulation (GDPR) which came into effect for EU residents on 25 May 2018, we’re excited about the strong data privacy and security principles that the CCPA emphasises for California residents. We’ve done a lot of work as part of our CCPA readiness project to ensure that Vend (and our retailers!) are ready when the law comes into force on 1 January 2020. This project has included:

  • Reviews and updates to our internal data processes, procedures, data systems and documentation.
  • Continued investment in our security infrastructure.
  • Reviews and updates to our third party vendor contracts.

 

  We've updated our Privacy Policy

We know you’re as excited as we are about CCPA compliance, so we’ve already updated our Privacy Policy! These changes ensure we meet the CCPA’s high standard for data privacy, and that the handling of data by Vend and Vend retailers is made clearer.


Who does CCPA apply to? 

The CCPA applies to any business that collects the personal information of California residents, and which:

  • has annual gross revenues in excess of USD$25 million;
  • possesses the personal information of 50,000 consumers, households, or devices; or
  • earns more than 50% of its annual revenue from selling California consumers’ personal information.

When is compliance required by?

The CCPA comes into effect on 1 January 2020, which is when businesses need to comply by and when California residents can start exercising their rights. Requests under the CCPA can relate to personal information dating as far back 1 January 2019 (i.e. the prior 12 months).

  Enforcement and additional guidance

Enforcement will likely start on 1 July 2020, with additional regulatory guidance expected between now and then. We will do our best to keep this page up to date.


What are your (retailer) obligations?

Privacy Policy 

If you don’t already have a privacy policy and you collect the personal information of California residents, the CCPA now requires you to have one. 

The purpose of the privacy policy is to provide customers with a comprehensive description of your online and offline practices regarding the collection, use, disclosure, and sale of personal information; and to advise customers of their rights regarding their personal information.

The privacy policy must be presented in a way that is easy to read and understandable, and you’ll need a link to it on your website. The privacy policy should:

  • Explain that a consumer has the right to request that the business disclose what personal information it collects, uses, discloses, and sells.
  • Provide instructions for submitting a verifiable consumer request to know and provide links to an online request form or portal for making the request, if offered by the business.
  • Describe the process the business will use to verify the consumer request, including any information the consumer must provide.
  • List the categories of consumers’ personal information the business has collected about consumers in the preceding 12 months. 
  • For each category of personal information collected, provide the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom the business shares personal information. 
  • State whether or not the business has disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding 12 months.
  • List the categories of personal information, if any, that it disclosed or sold to third parties for a business or commercial purpose in the preceding 12 months.
  • State whether or not the business sells the personal information of minors under 16 years of age without affirmative authorization.
  • Explain that the consumer has a right to request the deletion of their personal information collected or maintained by the business.
  • Provide instructions for submitting a verifiable consumer request to delete and provide links to an online request form or portal for making the request, if offered by the business.
  • Describe the process the business will use to verify the consumer request, including any information the consumer must provide.
  • Explain that the consumer has a right to opt-out of the sale of their personal information by a business.
  • Include the contents of the notice of right to opt-out or a link to it.
  • Explain that the consumer has a right not to receive discriminatory treatment by the business for the exercise of the privacy rights conferred by the CCPA.
  • Explain how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf. 
  • Provide consumers with a contact for questions or concerns about the business’s privacy policies and practices using a method reflecting the manner in which the business primarily interacts with the consumer. 
  • Date the privacy policy was last updated.

 

  Important Note

This list has been compiled from the CCPA regulations at a particular date, is not exhaustive, and may be out of date at the time of reading. Please seek legal advice as to what your privacy policy should include.

Information/deletion requests

An important part of the CCPA is the right of California residents to request a copy (or deletion) of their personal information. The CCPA requires you to provide various contact methods for receiving these requests. It is worth including these contact methods in your privacy policy and on your website.

 

  Toll free phone number

Some businesses are required to provide a toll-free phone number as a method for receiving CCPA requests. You should seek legal advice as to whether or not this is applicable to you.

If you receive a CCPA request, you should action it within 45 days. See Tools to help you comply with CCPA below for information on how you can do this.

Sale opt-out

Whether or not you ‘sell’ the personal information of California residents comes down to the definition set out in the CCPA. That definition states that a sale is any exchange of personal information for either money or other valuable consideration

You should give careful thought as to whether any of your data transfer activities might constitute a sale. If you do sell personal information, California residents have the right to:

  • request a list of the categories of their personal information that you have sold;
  • request a list of the buyers of that personal information, by category of personal information, over the previous 12 months; and
  • opt out of the sale of their personal information going forward.

If you do sell personal information, to enable California residents to opt-out you must display a functional ‘Do not sell my personal information’ link on every page of your website.

 

  Transfer to Vend is not a sale

Your transfer of personal information to us (by using our service) is not a sale under CCPA, as we are a service provider and we only use the information you transfer to us for the purposes of providing our service.


Tools to help you comply with CCPA

Below are some of the tools made available in Vend to assist with your CCPA compliance. These tools cover everything from the right to access and delete, data portability, rectification and consent.

Deletion request support for users and customers

We’re making sure delete means delete, helping you to honour deletion requests from users and customers. This will ensure that personal data relating to a user’s or customer’s identifier is fully deleted from Vend upon request. For any content (i.e. sales, reports, etc.) previously associated with a deleted user’s identifier, “Anonymous User” or “Anonymous Customer” will show instead.

Data exporting tools

To honor an individual's right to access their data, Vend allows you to export customer lists and sales ledgers in a CSV format. Check out our Help Centre for exporting options available in Vend. You can also set-up a Personal Token which interacts with Vend’s comprehensive API (See: https://docs.vendhq.com/) to retrieve personal data associated with a data subject supporting the access and portability rights.

Ability to rectify user or customer data

If a user or customer advises that any of the personal information you hold about them is inaccurate or incomplete, Vend lets you rectify the inaccuracy from inside the app under the navigation items ‘Users’ and ‘Customers’ respectively.

Customer consent to receiving marketing materials

In Vend, it’s possible to capture customer consent to receive marketing or promotional materials from you. Before adding a customer to your database, there’s a toggle to opt them in or out of marketing communications based on the customer’s stated preference. Additionally, when you add a customer to your Loyalty program, they’ll need to tick a checkbox when they receive their Loyalty signup email, in order to capture their consent.

Reduced risk of data destruction

To reduce the risk of accidental or malicious destruction of data, it’s possible to disable users temporarily, rather than permanently deleting them in Vend. Users are unable to log in to Vend while their account is disabled. When their account is re-enabled, they’ll be able to log in with their original account details and begin selling as normal.


CCPA vs GDPR

The CCPA and the European Union’s General Data Protection Regulation (GDPR) are similar in the sense that both seek to increase consumer rights in respect of personal information, but each has its own framework. This means that being compliant with GDPR does not mean that you’re also in compliance with the CCPA. You should seek legal advice as to what additional steps you may be required to take.


Vend does not sell personal information

Vend uses various service providers in the provision of our service to you (for example, cloud storage providers). As these service providers are contractually bound to use the information we share only for the purposes of providing their service to us (and not for their own purposes), our transfer of personal information to them is not a sale under the CCPA.


Further reading on CCPA

Need more information? Below are links to some helpful CCPA resources:

https://oag.ca.gov/privacy/ccpa

https://www.dlapiper.com/en/us/focus/ccpa/?tab=insights

https://www.fenwick.com/publications/pages/five-steps-to-mitigate-ccpa-class-action-risk-what-companies-need-to-do-to-increase-data-security.aspx

Did this answer your question?
Have more questions? Contact us so that we can help you out.