CCPA and BentoBox: Everything You Need to Know

Note: This help article and its contents (including links and cross-references) are not legal advice and are provided for informational purposes only. For legal advice, you’ll need to consult with your organization’s legal team. BentoBox is not liable in any way with regard to the content of this article.

What is the CCPA?

The CCPA is a response to a perceived gap in comprehensive privacy protections in the United States. This law requires certain companies that handle the personal information of California residents to inform residents of the companies’ privacy practices and to offer residents the ability to: 

  • Access the information that companies maintain about the individuals; 

  • Delete that information in certain circumstances; and 

  • Direct companies not to share individuals’ information with third parties, or allow third parties to access that information, for those parties’ own purposes.

Who must comply with the CCPA?

Most of the CCPA’s requirements apply to “businesses” – companies that collect (or direct the collection of) consumers’ personal information and determine the purposes for which the information is collected, used and disclosed. The CCPA applies to any “business” that: 

  • Handles California residents’ personal information; 

  • Is “doing business” in California; and 

  • Meets any one of these three thresholds:

    • Has annual gross revenues of $25 million;

    • Obtains personal information from 50,000 or more California residents, households, or devices annually; or

    • Derives 50 percent or more of the company’s annual revenue from “selling” (i.e., sharing or giving access to the information to third parties for those parties’ own purposes) California residents’ personal information.

The law also imposes limited requirements on “service providers” – companies that process consumer personal information on behalf of a business. The CCPA requires service providers to process personal information only as necessary to provide their services, as these services are defined by their business customers – i.e., the “businesses” – within the contract. 

What data is “personal information” under the CCPA?

The CCPA defines personal information broadly to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.    

In practice, this broad definition means that personal information subject to the law’s requirements includes contact details, purchase history, transaction data, IP address, mobile device identifiers, and reservation and ordering details. 

How does BentoBox address CCPA requirements?

BentoBox is a “service provider” under the CCPA because we process personal information only on behalf of our customers, pursuant to BentoBox’s Platform Subscription Agreement to provide our services to our customers. 

What is BentoBox doing to help our customers comply with the CCPA? 

Below is information on the steps that BentoBox will take to help customers comply with the CCPA:

  • Customers can export data from the backend to respond to an individual’s access request. Although we collect information about browsing activity on the restaurant website, we maintain that information in aggregate form and cannot associate it with an individual. As a result, we do not provide information about browsing activity in response to an access request.

  • If a consumer submits a deletion request, please forward that request to BentoBox after verifying the consumer’s identity. We will delete and/or anonymize personal information we maintain about a customer’s end users in response to deletion requests except to the extent we are required or permitted to maintain the information by applicable law, including the CCPA. For example, we may need to keep personal information for fraud detection, security purposes or as it relates to chargeback inquiries. BentoBox will delete such information, subject to the exceptions provided above, within 15 business days of BentoBox’s receipt from the customer of the CCPA request and the email address of the requesting end user and provide a confirmation of the same back to the customer.

  • BentoBox has prepared a privacy policy that explains our platform’s collection, use, and disclosure of consumer personal information. You may choose to display this policy on your BentoBox-powered website. Customers that provide their own privacy policy should not include any description of personal information collection, use or disclosure that is inconsistent with or that limits BentoBox’s ability to provide the services. 

As a BentoBox customer, what do I need to do if CCPA applies to me? 

  • You will need to post instructions on your website for California residents to submit data subject rights requests to you. If you decide to use the privacy policy BentoBox has prepared, you may consider including the contact information in the section “How to make a request”.

  • You will be responsible for identifying and responding to requests from your end users in compliance with CCPA. As described above, BentoBox’s backend allows you to export data to respond to access requests, and we will provide you with assistance in responding to deletion requests.  

  • You will be responsible for verifying the identity of an end user submitting a CCPA request and for evaluating the scope and legality of CCPA requests. 

Additional considerations

Again, while we can’t offer legal advice, here are some helpful steps to consider taking when thinking about how CCPA may affect your business:

Review what data you are collecting, where it is stored, and why you are collecting it. Are you exporting personal data from your website visitors and transferring it somewhere else? How do you keep data safe? If you are using 3rd Party Integrations via BentoBox (Google Analytics, Campaign Monitor, OpenTable, etc.) or other external analytics/cookie tracking tools, review their privacy policies.

Personal information can be obtained in the form of cookies on a website. BentoBox offers a cookie banner that can be used to make your visitors aware of any tracking you may have on your site. This can be found within SETTINGS > General.


For analytics tools provided by Google (e.g. Google Analytics) you may also consider accepting their data processing addendum updated for CCPA. Click here to learn more, or contact if BentoBox manages your Google Analytics account.

If you use the Facebook Pixel on your site, Facebook will automatically determine if an end-user is located in California. Through July 31, 2020, Facebook will limit data use for customers from California; afterwards, if they receive a flag for a person in California based on that user's settings, they will process data in accordance with their role as a service provider and limit the use of that data subject to their state-specific terms.

Where can I get more information about CCPA?

More details can be found on the state of California’s dedicated CCPA website. The office of California’s Attorney General has also released proposed text of these regulations that, while not final, is designed to help consumers and businesses understand their rights and responsibilities.


You may contact BentoBox with any questions you may have about how the CCPA impacts your use of BentoBox at

Please note that these FAQs (including links and cross-references) are not legal advice and are provided for informational purposes only. For legal advice, you’ll need to consult with your organization’s legal team. BentoBox is not liable in any way with regard to the content of these FAQs.