Starting January 1, 2020, a new privacy law, the California Consumer Privacy Act (“CCPA”), will govern how businesses handle the personal information of California residents. At Olo, we are committed to our customers’ success, including their compliance efforts with respect to the CCPA. We’re here to assist customers by providing privacy and security protections through the Olo platform.
Olo views the CCPA as yet another opportunity for Olo to strengthen our long-standing commitment to data protection principles and practices. Olo maintains a written information security program designed to protect the personal information in Olo’s possession, custody or control, which includes the following safeguards: (a) secure business facilities, data centers, servers, and back-up systems; (b) network, device application, database and platform security; (c) secure transmission, storage and disposal; (d) encryption of personal information at all times while in Olo’s possession, custody or control; (e) encryption of PII in transit; (f) segregating personal information from information of other clients of Olo; and (g) personnel security and integrity.
What is the CCPA?
The CCPA is a response to a perceived gap in comprehensive privacy protections in the United States. This law requires companies that handle the personal information of California residents to inform residents of the companies’ privacy practices and to offer residents the ability to:
- Access the information that companies maintain about the individuals;
- Delete that information in certain circumstances; and
- Direct companies not to share individuals’ information with third parties, or allow third parties to access that information, for those parties’ own purposes.
The CCPA also imposes significant restrictions on the resale of personal information by companies that do not receive the personal information directly from individuals. The law requires such companies – typically, “data brokers” – to ensure that the individuals to whom the personal information relates receive notice that their information will be resold and are given an opportunity to opt out of such resale.
Who must comply with the CCPA?
Most of the CCPA’s requirements apply to “businesses” – companies that collect (or direct the collection of) consumers’ personal information and determine the purposes for which the information is collected, used and disclosed.
The law also imposes limited requirements on “service providers” – companies that process consumer personal information on behalf of a business, and to which a business discloses such information for a business purpose and pursuant to a written contract. The CCPA requires service providers to process personal information only as necessary to provide their services, as these services are defined by their business customers – i.e., the “businesses” – within the contract.
The CCPA applies to any “business” that:
- Handles California residents’ personal information;
- Is “doing business” in California; and
- Meets any one of these three thresholds:
  - Has annual gross revenues of $25 million;
  - Obtains personal information from 50,000 or more California residents, households, or devices annually; or
  - Derives 50 percent or more of the company’s annual revenue from “selling” (i.e., sharing or giving access to the information to third parties for those parties’ own purposes) California residents’ personal information.
What data is “personal information” under the CCPA?
The CCPA defines personal information broadly to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
In practice, this broad definition means that information such as contact information, transaction data, IP address, mobile device identifiers, and ordering details may be within scope of the CCPA’s definition of personal information, and subject to the law’s requirements.
How does Olo address CCPA requirements?
Olo is a “service provider” under the CCPA because we process personal information only on behalf of our customers, pursuant to a written contract (Olo’s Master Services Agreement (“MSA”)), and only to provide our services to our customers, pursuant to the MSA.
What is Olo doing to help our customers comply with the CCPA?
Below is information on the steps that Olo will take to help customers comply with the CCPA, including instructions on how to send your end users’ CCPA requests to Olo so that we may help customers respond.
Specifically, with respect to CCPA Requests for which our customers require Olo’s assistance:
- We will provide our customers with the personal information we maintain about the customers’ respective end users in response to access requests. Please note that our responses will not include any personal information we deem sensitive, such as payment card numbers, full addresses or phone numbers, and other details that may compromise the security of our systems, the personal information or the individuals to whom the information pertains. Olo will provide such information to our customer within 15 business days of Olo’s receipt from the customer of the CCPA request and the email address of the requesting end user.
- We will delete and/or anonymize personal information we maintain about a customer’s end users in response to deletion requests except to the extent we are required or permitted to maintain the information by applicable law, including the CCPA. For example, we may need to keep personal information for fraud detection, security purposes or as it relates to chargeback inquiries. Olo will delete such information, subject to the exceptions provided above, within 15 business days of Olo’s receipt from the customer of the CCPA request and the email address of the requesting end user and provide a confirmation of the same back to the customer.
- If Olo operates your white label ordering websites or mobile apps, upon customers providing Olo with a “Do Not Sell My Personal Information” link, Olo will assist you in posting such links on your white label ordering platform’s websites and mobile apps. Please note that customers may not use Olo’s platform to provide end user information to any third party in a manner which may constitute a sale under the CCPA. Olo will post such links to your ordering platform’s websites and mobile apps within 5 business days of the link being provided to Olo.
Our security and privacy teams have also analyzed the requirements of the CCPA and have enhanced our policies, procedures, contracts and platform features to help our customers meet their CCPA obligations. We will continue to monitor interpretations and amendments to the law and, where necessary, will adjust our practices accordingly.
As an Olo customer, what do I need to provide to Olo in connection with CCPA?
- If Olo operates your white label ordering websites or mobile apps and you are required to post a “Do Not Sell My Personal Information” or equivalent link, you must provide us with a link to the page where an end user can opt out of sale of their information and provide the functionality to support such opt-outs. Olo will assist you in posting such links.
- You will be responsible for identifying and responding to requests from your end users in compliance with CCPA. As described above, Olo will provide you with end user information for access requests and delete/anonymize end user information in response to deletion requests except as otherwise required by applicable law or permitted by the CCPA.
- You will be responsible for verifying the identity of an end user submitting a CCPA request and for evaluating the scope and legality of CCPA requests.
- Since Olo has limited visibility into your other systems, you are responsible for notifying your other service providers or other third party providers of any CCPA requests even if those service providers are receiving your end users’ data from Olo.
In addition to these FAQs, we will be providing our customers with a letter that sets out in more detail Olo’s and customers’ respective roles and responsibilities to facilitate compliance with the CCPA.
If you or anyone in your organization has questions about the CCPA, or any of Olo’s security and privacy practices, please do not hesitate to contact the Olo team at firstname.lastname@example.org.
Please note that these FAQs (including links and cross-references) are not legal advice and are provided for informational purposes only. For legal advice, you’ll need to consult with your organization’s legal team. Olo is not liable in any way with regard to the content of these