California Consumer Privacy Rights (CCPA/CPRA)

What it is

California residents have legally enforceable rights to know what data Square has collected, to request deletion, to opt out of data sales and sharing, to correct errors, and to restrict use of sensitive data.

Why it matters (compliance & governance perspective)

These rights are backed by California law and are enforceable against Square; exercising them can materially limit how your personal information is used for advertising and profiling purposes.

Consumer impact (what this means for users)

California residents can submit requests to Square to access, delete, correct, or opt out of the sharing of their personal information, including sensitive data categories like financial information and biometrics, and Square is legally required to honor these requests within statutory timeframes.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision implements CCPA as amended by CPRA, enforced by the California Privacy Protection Agency and the California Attorney General. Square's obligations include responding to verified consumer requests within 45 days (extendable by an additional 45 days with notice), maintaining a Do Not Sell or Share link, and not discriminating against consumers who exercise their rights. Non-compliance can result in civil penalties and enforcement actions. GOVERNANCE EXPOSURE: Medium. Square's disclosure of these rights is a positive compliance indicator. The primary compliance risk lies in the operational implementation: whether request verification processes are frictionless, whether opt-out mechanisms are technically effective, and whether all data flows to third parties are accurately captured in the disclosure. Failure in any of these areas creates enforcement risk. JURISDICTION FLAGS: CPRA rights apply exclusively to California residents. However, similar rights exist under Colorado CPA, Virginia VCDPA, Connecticut CTDPA, and other state laws. Businesses should avoid treating CPRA compliance as the ceiling of obligation and assess applicability across all US states where Square operates and users reside. CONTRACT AND VENDOR IMPLICATIONS: Square's service provider agreements should include CPRA-compliant contractual provisions limiting downstream use of personal information by vendors. Merchants using Square should assess whether they share personal information with Square in a manner that creates their own independent CPRA obligations as businesses. COMPLIANCE CONSIDERATIONS: Legal teams should verify that Square's identity verification mechanism for consumer rights requests meets the CPRA standard without being unduly burdensome. The policy should be reviewed to confirm that the opt-out of sale and sharing is technically implemented via a clear and conspicuous link. Sensitive personal information limitations should be mapped against Square's actual data use practices to confirm consistency.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Collection of Payment and Financial Data high
• Sharing Data with Advertising and Analytics Partners high
• Identity Verification and Biometric-Adjacent Data Collection high
• GDPR Rights for EEA and UK Users medium
• Automatic Collection of Device and Behavioral Data medium
• Data Retention low