What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'dpo@checkout.com', 'difficulty': 'EASY', 'action_type': 'EXPORT_DATA', 'instructions': 'Email dpo@checkout.com stating your identity and the specific right you wish to exercise (access, deletion, portability, or correction). Include sufficient identifying information for Checkout.com to locate your records.', 'deadline_days': None, 'deadline_hours': None} {'method': 'EMAIL', 'recipient': 'dpo@checkout.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'Email dpo@checkout.com requesting erasure of your personal data, specifying the categories of data you want deleted and the basis for your request under applicable law.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has authority over unfair or deceptive practices in consumer data handling, including failure to honor stated privacy rights, relevant to US users.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'State_AG', 'reason': 'State Attorneys General enforce state privacy laws including CCPA/CPRA for California residents and equivalent laws in other states with data subject rights provisions.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Data Subject Rights clause as low severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Data Subject Rights clauses across approximately 2 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Data Subject Rights — Checkout.com

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Checkout.com Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Depending on where you live, you may have the right to see, correct, delete, or export your personal data held by Checkout.com, and you can exercise these rights by emailing their Data Protection Officer.

ⓘ

This analysis describes what Checkout.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

These rights are the primary mechanism by which individuals can control their personal data held by Checkout.com, and knowing the contact point and applicable rights is essential to exercising them effectively.

Consumer impact (what this means for users)

EU and UK users have the broadest data rights under GDPR, including erasure and portability, while California residents have CCPA rights; the single contact point dpo@checkout.com is provided for all rights requests, and the response must be provided within statutory timeframes under applicable law.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Export Your Data

Email dpo@checkout.com stating your identity and the specific right you wish to exercise (access, deletion, portability, or correction). Include sufficient identifying information for Checkout.com to locate your records.
Delete Your Data

Email dpo@checkout.com requesting erasure of your personal data, specifying the categories of data you want deleted and the basis for your request under applicable law.

Cross-platform context

See how other platforms handle Data Subject Rights and similar clauses.

Compare across platforms →

Monitoring

Checkout.com has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
Depending on your location and subject to applicable law, you may have the right to: access your personal data; rectify inaccurate personal data; request erasure of your personal data; restrict or object to processing; data portability; and not be subject to automated decision-making. To exercise any of these rights, please contact our Data Protection Officer at dpo@checkout.com.

— Excerpt from Checkout.com's Checkout.com Privacy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: Data subject rights engage GDPR Articles 15-22 and UK GDPR equivalents for EU/UK users, CCPA/CPRA for California residents, and applicable national or state privacy laws for other jurisdictions. GDPR requires responses to access requests within one month, with a two-month extension available. The ICO and EU national supervisory authorities enforce GDPR rights obligations. The California Privacy Protection Agency (CPPA) enforces CCPA/CPRA. 2. GOVERNANCE EXPOSURE: Medium. The single DPO contact point simplifies consumer-facing rights management but requires robust backend procedures to route, triage, and respond to requests within statutory deadlines across multiple jurisdictions with differing timeframes and scope. Failure to respond within GDPR timeframes can result in supervisory authority complaints and enforcement. 3. JURISDICTION FLAGS: EU and UK users have the most comprehensive rights including erasure, portability, and objection to legitimate interests processing. California residents have CCPA rights to know, delete, correct, and opt out of sale/sharing. Users in other jurisdictions may have more limited rights depending on local law. The policy's qualification 'depending on your location and subject to applicable law' appropriately reflects this variance but may create consumer confusion. 4. CONTRACT AND VENDOR IMPLICATIONS: Merchants acting as data controllers for cardholder data must have procedures to route data subject requests to Checkout.com as processor, and their DPAs should specify Checkout.com's obligations to assist with rights requests under GDPR Article 28(3)(e). Response timelines and cooperation obligations should be contractually specified. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that the DPO function is properly resourced and that intake, triage, and response workflows meet statutory deadlines. Identity verification procedures for rights requests should be proportionate and not create unnecessary barriers. The automated decision-making right (Article 22) should have a specific human review workflow documented separately.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has authority over unfair or deceptive practices in consumer data handling, including failure to honor stated privacy rights, relevant to US users.
File a complaint →
State AG

State Attorneys General enforce state privacy laws including CCPA/CPRA for California residents and equivalent laws in other states with data subject rights provisions.
File a complaint →

Provision details

Document information

Document

Checkout.com Privacy

Entity

Checkout.com

Document last updated

May 5, 2026

Tracking information

First tracked

May 8, 2026

Last verified

May 11, 2026

Record ID

CA-P-010386

Document ID

CA-D-00663

Evidence Provenance

Source URL

https://www.checkout.com/legal/privacy-policy

Wayback Machine

View archived versions →

Content hash (SHA-256)

a644fb34e781c2f85b7f4158747e8b392097069bd33d31e2fe9cda04abdf18be

Analysis generated

May 8, 2026 15:31 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Checkout.com
Document: Checkout.com Privacy
Record ID: CA-P-010386
Captured: 2026-05-08 15:31:40 UTC
SHA-256: a644fb34e781c2f8…
URL: https://conductatlas.com/platform/checkoutcom/checkoutcom-privacy/data-subject-rights/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Low

Other risks in this policy

Data Sharing with Fraud Prevention and Credit Reference Agencies high
Dual Controller and Processor Status medium
Automated Decision-Making in Fraud Screening medium
International Data Transfers medium
Legitimate Interests as Legal Basis medium
Cookie and Tracking Technology Use low

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Checkout.com's Data Subject Rights clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.

Is ConductAtlas affiliated with Checkout.com?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Checkout.com.