What is CCPA? The California Consumer Privacy Act of 2018 (CCPA).

Much like the European Union’s General Data Protection Regulation (GDPR), which became fully effective in May 2018, the CCPA established new requirements for securely handling personal information of consumers and safeguarding consumer rights.  Ordergroove will comply with applicable CCPA regulations when the CCPA takes effect on January 1, 2020. 

Working in conjunction with our customers, we will also explore opportunities within our services to assist our customers to meet their CCPA obligations.

Many amendments to the CCPA are still being considered by the California legislature, and more than a few are expected to be adopted both before and after January 2020.  In addition, California’s Attorney General is expected to continue to issue guidance and regulations implementing the CCPA.   This means the scope and applicability of CCPA could change as we near its effective date of January 1, 2020, and after. At Ordergroove, we will continue to monitor developments as the effective date in January 2020 approaches as well as for the period through July 2020 during which the California Attorney General’s enforcement of the law will be fully in effect.

Our Compliance with the CCPA

Here are some of Ordergroove’s ongoing compliance initiatives to continue to meet our obligations under the CCPA, GDPR and other applicable data privacy and data security laws:

  • Identifying personal information and ensuring it’s received, used, stored, shared and disposed of properly. 
  • Complying with requirements for consumer rights under the CCPA.  These consumer rights under the CCPA are a consumer’s right of access to specific information, right of data portability, right of deletion or erasure of personal information.  Ordergroove does not sell personal information to third parties.    
  • We’ve implemented internal operating procedures to receive, verify and fulfill requests from consumers for both CCPA and GDPR. Below is a summary of these proceduresPlease contact your Account Team for additional support.   
  • Enhancing data integrity and security.  We are continuing to implement updates and modifications to our data security policies and procedures to provide enhanced security consistent with new expectations for industry standard, end-to-end security.
  • Disclosure/Notification Requirements: We are updating disclosures in our Privacy Policy and at the points of data collection to describe consumers’ rights to request disclosure of information we have collected (along with the designated method(s) for submitting requests) and other disclosures required under the CCPA. 

Ordergroove’s Data Protection Team

As we continue to do with the GDPR, Ordergroove’s Data Protection Team is focused on continuing to develop and implement improvements to our systems, processes and our products to comply with the standards required by the CCPA

Ordergroove’s Data Protection Team will continue to determine and implement organizational changes for handling data protection issues, including compliance with requirements for how to lawfully collect personal information; improvements to systems and processes to comply with consumer rights as to any personal information that is processed in our systems; updating data collection disclosures in our own privacy policy and data processing agreements, as necessary; and, improving disaster response procedures and notification processes for responding to potential data breaches.

What Our Customers Should be Doing (in using our Services).

All organizations processing personal information of California citizens have their own separate compliance obligations.  This is true for our customers as much as for us, and our customers should look to their own advisers to guide them through these Processes, including with requirements for updating terms of service and privacy policies, and for implementing data processing agreements.  

Reach out for help: Please do not hesitate to contact your Account Team if you need additional information.  

Ordergroove GDPR and CCPA Support Process for Clients

Glossary

  • OG = Ordergroove
  • Client = Merchant or Retailer
  • Consumer = Merchant or Retailer’s Consumer

Consumer Request to Access Data (including Request to Export Data)

Consumer requests may be submitted by Clients to Ordergroove by submitting a non-critical ticket either via email to support@ordergroove.atlassian.net or directly in the OG Support Portal, which can be found here: https://ordergroove.atlassian.net/servicedesk/consumer/portal/1

If sending an email please include the below in the email subject line and body:

  1. Subject: “(Client Name) GDPR (or CCPA) Consumer Data Export Request”
  2. Body: “Please export consumer data for Consumer ID <merchant_user_id>”
  3. Body: “Client represents that it has properly verified the identity of the requesting Consumer in compliance with applicable data protection law.”

If you would like additional training on how to use the Support Portal, please contact your OG Client Success contact.

Once a support ticket is created, or an email is sent, the OG Support team will review the request and respond within 30 days to either export the data across our systems or (if needed) to contact Client if additional information is required in order to verify the consumer’s identity or to determine what data is requested.    

In the consumer data export, OG will provide the following data (if OG stores for your account): 

  • Consumer profile information (first name, last name, email address, phone number)
  • Consumer address data (first name, last name, address 1, address 2, city, state/province code, zip/postal code, country, phone number)

OG will provide the export via the OG SFTP server, where it will be available for the Client to download and the ticket will be closed to confirm this is complete.  

Consumer Request to Delete Data (including Request to Restrict Processing)

Clients can submit requests to Ordergroove by submitting a non-critical ticket either via email to support@ordergroove.atlassian.net or directly in the OG Support Portal, which can be found here: https://ordergroove.atlassian.net/servicedesk/consumer/portal/1. Once a support ticket is created, or an email is sent, the OG Support team will address the request and have the consumer data deleted or processing restricted across our systems within 30 days.  

If sending an email please include the below in the email subject line and body:

  1. Subject: “(Client Name) GDPR (or CCPA) Consumer Account Deletion Request” or “(Client Name) GDPR (or CCPA) Consumer Account Restrict Processing Request”
  2. Body: “Please run the script to anonymize data for consumer ID <merchant_user_id>”
  3. Body: “Client represents that it has properly verified the identity of the requesting consumer in compliance with applicable data protection law.”

For restrictions of processing, Clients can submit requests to remove a restriction by submitting a non-critical ticket either via email to support@ordergroove.atlassian.net or directly in the OG Support Portal.

OG will ensure that the requested consumer data is deleted or processing restricted across all OG systems and sub-processors within 30 days, except to the extent that Ordergroove is required by law to retain some or all of the Personal data, and except to the extent the Personal data is archived on back-up systems, in either case so long as OG securely protects and anonymizes such Personal Data from any further processing and eventually deletes in accordance with OrderGroove’s deletion policies.  Once the request is fulfilled, OG will respond back on the ticket to confirm.  

If you would like additional training on how to use the Support Portal, please contact your OG Client Success contact.

Clients must provide a minimum 7-day lead time on requests to delete (or restrict processing of) data. Upon receiving a request, OG Support will ensure that any active subscriptions are canceled (or processing is suspended) within 2 business days to ensure no further subscription-related communications are sent to the consumer.

Consumer Request to Correct/Rectify Data   

Consumer requests may be submitted by Clients to Ordergroove by submitting a non-critical ticket either via email to support@ordergroove.atlassian.net or directly in the OG consumer Support Portal, which can be found here: https://ordergroove.atlassian.net/servicedesk/consumer/portal/1

If sending an email please include the below in the email subject line and body:

  1. Subject: “(Client Name) GDPR (or CCPA) Consumer Data Correction/Rectification Request”
  2. Body: “Please correct Consumer data for Consumer ID <merchant_user_id>.”
  3. Body: “Client represents that it has properly verified the identity of the requesting consumer in compliance with applicable data protection law.”
  4. Attach: Corrected information. 

If you would like additional training on how to use the Support Portal, please contact your OG Client Success contact.

Once a support ticket is created, or an email is sent, the OG Support team will review the request and respond within 30 days to either correct the data across our systems or (if needed) to contact Client if additional information is required in order to verify the consumer’s identity or to determine what data is requested to be corrected or how the data is requested to be corrected.   The ticket will be updated once complete.