Hi. How can we help?

Complying with privacy laws

Privacy laws are designed to protect and empower the privacy of citizens and to reshape the way organizations across the region approach data privacy.

  • Europe's General Data Protection Regulation (GDPR) took effect on May 25, 2018
  • The California Consumer Privacy Act (CCPA) took effect on Jan 1, 2020

As a Lightspeed Retail merchant, the 6 privacy requests you need to comply with are the following:



We recommend that our merchants do their due diligence to confirm the identity of their employees and customers before completing their privacy requests. We also recommend identifying any potential reason why you might need to keep some of the personal data that your customer or employee is requesting to delete (e.g. for tax, regulatory or payment processing/chargeback reasons).

If you have Lightspeed eCom connected to your Retail inventory, you'll also need to perform required privacy actions in eCom.

Similarly, merchants that have integrated their accounts with one of our partners need to contact them directly to learn what personal data they have and how to complete privacy requests on their end.

All of our Lightspeed products support the above privacy requests. For instructions specific to your Lightspeed product, please see their respective privacy Help articles:

Privacy FAQ

  • Privacy laws aim to give citizens more control over personal data by regulating how businesses use this data. These regulations govern the viewing, storing, changing, transferring and even deleting of personal data. Personal data is defined as any information related to a natural person (or "data subject") that can be used to directly or indirectly identify them. This includes information such as names, addresses, email addresses and phone numbers.

    For more information on privacy laws and Lightspeed's efforts to comply with them:

    Lightspeed's privacy policy

    CCPA related:

  • There are currently two privacy laws:

    • GDPR - Merchants that process or control personal data for residents of the European Union (EU).
    • CCPA - Merchants that do business in California who meet at least one of these minimum thresholds:
      • Exceed a gross revenue of $25 million,
      • Collect or sell personal information of 50,000 consumers
      • Receive 50% or more of its annual revenue from selling personal information.
  • As Lightspeed is helping merchants in the processing of personal data, we are required by law to enter into a Data Processing Agreement (DPA) with our merchants affected by privacy laws. You can request to receive a form during the same process as submitting a privacy request to Support.

    Signing the DPA is fully to your benefit as it creates specific rights for you in relation to Lightspeed’s processing activities. Also, it clearly describes all the obligations that Lightspeed has towards you. Once you've signed the DPA, it is effective immediately and is legally binding. If you haven't received the DPA from us yet, it's important that you request the DPA by submitting a privacy request to Support. This will ensure that you're compliant with privacy laws and avoid fines from the privacy authorities.

    It's also important to note that upon your permission, Lightspeed shares the personal data that you control in your Retail account with partners that you've selected to integrate with. This allows our partners to pull the data they need to build their integrations and Lightspeed to offer the best business solution to you as a merchant. Because of the data-sharing nature of our partner integrations, if you're a merchant affected by privacy laws and you have integrated your Retail account, you'll also need to enter into a DPA with our partners. For more information, please contact our integration partners directly.

  • The only two reasons to submit requests to Support are Personal requests for primary users and Requests when the primary user cannot be contacted.

  • Under privacy laws, a data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

    If the data breach relates to data Lightspeed is processing on behalf of you as a processor, we will always notify you within 36 hours after discovery. It is then your responsibility as a Lightspeed Retail merchant to make an assessment whether or not you should be notifying the supervisory authorities, your customers and your employees.

    If you've determined that the data breach is likely to result in a high risk to the rights and freedoms of your customers and/or employees, you'll need to:

    1. Notify the supervisory authorities within 72 hours after discovery.
    2. Notify the affected customers and/or employees ("data subjects") as soon as possible and include the following information:
      • a description of the nature of the breach;
      • the name and contact details of your data protection officer or other contact point;
      • a description of the likely consequences of the breach;
      • a description of the measures that you've taken or have proposed to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
    3. Keep a record of all the data breaches that have occurred, regardless of whether you're obliged to notify the authorities, your customers, or your employees.

    If any of the following conditions are met however, communications to each individual customer and/or employee wouldn't be required:

    • You've implemented appropriate technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach. In particular, measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
    • You've taken subsequent measures which ensure that the high risk to the rights and freedoms of your customers and/or employees is no longer likely to materialize.
    • Communicating to your customers and/or employees would involve disproportionate effort. In such a case, you'll be required to send a public communication or similar measure whereby they'll be informed in an equally effective manner.

    For more information on data breach notification requirements:

  • Outside of complying with the a privacy laws as a Lightspeed Retail merchant, it's easy to get overwhelmed with the amount of privacy information that's circulating and its requirements. To point you in the right direction and help you get started, below you'll find some additional resources that aim to guide merchants affected by privacy laws.

Was this article helpful?

0 out of 0 found this helpful