Calif. privacy act is changing the game for businesses

Restaurants gear up for more states to pursue bills in 2020.

The California Consumer Privacy Act (CCPA) took effect Jan. 1. It’s the most sweeping state law aimed at protecting individuals’ personal information that’s collected by businesses, and it’s sending restaurants scrambling to understand and comply.

What’s the big deal? “The CCPA is a completely different kind of privacy law,” says Helen Goff Foster, a privacy expert with Davis Wright Tremaine, a law firm partner with the National Restaurant Association’s Restaurant Law Center. Foster says the CCPA’s broad definition of personal information and the fact that compliance can hit businesses brand-wide—moving from a parent company to franchisees and vice versa—are just two examples of why the law is unprecedented.

The CCPA’s four core rights: The law gives California residents four new rights: They have the right to get notice of a CCPA-covered business’s privacy practices—before the business collects information from them, whether online or offline. They can request access to any personal information that the business holds on them. They can ask that this information be deleted. And they can opt out of the business’s sale of their personal information. The burden on businesses to implement all these processes can be staggering, says Foster.

It’s likely to spread: A dozen states last year proposed a form of privacy legislation similar to CCPA, and more bills are expected this year. “This will continue to evolve,” says Foster. She says the quick pickup across the states and the groundswell of public support are unlike anything she’s seen. “Privacy legislation is going to be a place where restaurants are going to need to have their ‘compliance hat’ on for years.”

Stay tuned: The CCPA itself is in flux. California businesses are now complying with proposed CCPA rules that the state is expected to finalize as soon as this spring. “The proposed regulations themselves are pretty outrageous,” says Foster. “They could get more so or less so” as they’re finalized. The Association is working with Congress on federal privacy bills and collaborating closely with state restaurant associations as more states take up the issue. Visit Restaurant.org/privacy for the latest.

Compliance checklist

Update your privacy policy. Vague language won’t cut it. The CCPA sets specific requirements for CCPA-covered businesses. You’ll need to detail what information you collect, how you're using it, who you share it with and under what circumstances.

Manage your cookies. If you use cookies or pixels on your website for purposes such as tagging, tracking or advertising, the California attorney general’s office has said it considers all such cookies a “sale” of data under the CCPA that requires an opt-out option.

Make sure your 800 number is working. CCPA-covered businesses must have a toll-free number and a web form on their sites to take California residents’ requests for access to and/or deletion of their personal information. They also need a system to verify requesters’ identity.

Have a written information-security plan. If you have a data breach, you’ll want to show you were prepared. “It’s the best way to prove that you do have reasonable procedures, even if your procedures weren’t followed to the letter every time,” Foster says. Include your data-encryption policy and an incident response plan, she advises.

Train your employees. That’s an explicit requirement of the CCPA, and another way to prove you take the law seriously, Foster says.

Get our CCPA white paper at Restaurant.org/dataprivacy.
