California Consumer Privacy Act (CCPA) Overview
The CCPA is intended to give residents of California enhanced privacy and consumer protection rights. It is geared toward any business that collects or stores consumers' personal and transactional data and operates in California.
What does CCPA encompass?
CCPA has three consumer rights functions that are affected by your Punchh-enabled program: the consumer's rights to disclosure of, access to, and deletion of their stored data.
The other main function of CCPA, the consumer’s right to anti-discrimination and the right to opt in/out, pertains to the sale of data. Punchh does not sell or transfer any client data to any other business; therefore, that major aspect of CCPA does not apply here.
How will Punchh assist clients?
Businesses must offer a means for users to access, request, or delete their personal data. We recommend adding this function to your website. To support clients with the CCPA regulations once a request has been made to the business, we have set up two new processes. One is data disclosure/access. The other is data deletion.
Both of these processes are accessible via the Punchh Platform or our APIs, depending on the client's preference. Access to these processes can be controlled by a specific role permission within the Punchh Platform, which the brand can grant to admins as it sees fit. Under CCPA, businesses have 45 days to comply with a consumer request for access or deletion. You can find the full flow of these processes below.
When will it go into effect?
The CCPA will go into effect on January 1, 2020, as provided in the legislation. The California attorney general, who generally enforces the CCPA, shall adopt regulations on or before July 1, 2020, and shall not bring an enforcement action until 6 months after the publication of such regulations or July 1, 2020.
Punchh recommends that all clients operating in California update their Privacy Policy to include the proper information, beyond just how it affects their Punchh-enabled program. Please work with your legal counsel if you haven't already started on that update. If you need more information, it can be found at https://ccpa-info.com/
Punchh CCPA Enabled Data Processes
For the Right to Access:
Once a consumer requests that their information be sent to them, the Client Admin (who has the proper permissions) will navigate in the Punchh Platform to the Guest timeline and click on "Export User Details". An email will be sent to the guest with their information immediately and directly. The information sent to the consumer includes the following:
- Personal Information
- Transaction(s) in which loyalty was awarded
- Coupon Redemptions
- Device(s) Information if applicable
- Redemptions
These are sent as separate links and will be active for only 7 days from the day of generation. There is an audit trail maintained in Punchh for this outbound communication (date/time). Per the CCPA requirement, the guest can make this request two times in 12 months. Currently, Punchh has not restricted it to two times. This is at the discretion of the brand.
Settings Read Only and Settings Advanced Permissions Must be Enabled
In order for an admin user to Export User Details, their role must be set up with the proper permissions enabled. These permissions include Settings Read Only and Settings Advanced. You can turn on these permissions under Settings > Admin Users > Roles and then click on the user role for which you want to edit permissions. From there, toggle the following permissions on to green (enabled) and click Save at the bottom.
The second option for the Right to Access is an API.
Brands should note that CCPA does not mandate that service providers build any APIs. Punchh is providing one to make managing guests' requests to access data easier. The primary difference in this process flow is that the brand can choose whether the consumer gets the information directly or whether the brand sends it to them.
The Right to Deletion:
Once a consumer requests that their information be deleted, the Client Admin (who has the proper permissions) will navigate in the Punchh Platform to the Guest timeline, Edit Profile section, and click on "Deactivate the User". After the user has been deactivated properly, the admin can then choose "Permanently Delete User" in the same section. Punchh recommends a 7-day grace period before the full deletion goes into effect, in case the brand wants to reactivate the guest or the deletion request was made by mistake. This setting can be set by the brand with your Punchh Customer Success Manager's help.
Deletion of a consumer can be done via API request as well. Requests for consumer account deletion can also be sent to the Punchh Support Team, but they will act only if the request comes from a verified source (i.e., the client business itself).
Notice to Data Subjects
Punchh recommends that you update your Privacy Policy and ensure it is linked to your website and app in some capacity. This allows guests to click on the link to review the Privacy Policy for CCPA rights. The Privacy Policy URL will be maintained via the Punchh Platform for apps developed by Punchh. Contact your CSM or Punchh support if you need help updating that URL.