AWS for Industries

Preparing restaurant, catering, and food service companies for the California Consumer Privacy Act

Notice: Customers are responsible for making their own independent assessment of the information in this blog post. This post: (a) is for informational purposes only and nothing in this post constitutes (or is intended to constitute) legal guidance or advice with respect to the matters set forth herein, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

AWS understands the importance that data brings to the customers we support in the restaurant, catering, and food service industries. We wanted to discuss a topic that may impact your data use: The California Consumer Privacy Act (CCPA). The CCPA went into effect on January 1, 2020, and the regulations that will operationalize the CCPA are expected to become enforceable by the end of August 2020. This blog post summarizes the applicability of the CCPA to companies in the restaurant, catering, and food service industries, and identifies AWS services that can help support companies as they prepare themselves for the CCPA.

Brief summary of the CCPA

The CCPA grants consumers various rights with regard to personal information held by a business that is subject to the CCPA. Among other things, the CCPA grants consumers the right to request that a business disclose:

  • The categories and specific pieces of personal information collected about the consumer

Penalties include monetary fines assessed per violation, with the fines increasing if the violation is deemed to have been intentional. See the California Attorney General’s CCPA fact sheet and webpage for more details.

CCPA and the restaurant, catering, and food service industries

The restaurant, catering, and food service industries possess a mix of legacy and new technologies that make updates, data tracking, and security more challenging. While many have made full transitions to the cloud, a predominance of the industry still uses a hybrid mix of on-premises servers and cloud service providers. Many point of sale (POS) systems still operate from the back of each outlet, with many integrations to backend and above store systems. Additionally, restaurant, catering, and food service companies rely heavily on third-party suppliers for solutions such as loyalty and reward programs, payment processing, and customer relationship management (CRM). This may mean that for a single company, your guests’ personal information is stored on-premises, in the cloud, and with multiple third-party suppliers. Your business may benefit by adopting a comprehensive cloud solution to manage your data and monitor your compliance with data privacy laws like the CCPA.

AWS Support

For existing AWS customers

Three major components of the CCPA are data collection, data retrieval and deletion, and data awareness. In order to address CCPA requirements, your business can focus on these three components through the use of the following AWS services and solutions:

  1. Data collection – The following AWS services can be used to help manage the personal information you collect: Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, and Amazon Redshift. In order to manage personal information, first you need to be able to identify it, which you can do by using Amazon S3 object metadata, object tagging, and lifecycle management. Together, these techniques enable you to securely collect, identify, and manage personal information.
  2. Data retrieval and deletion – The following AWS services can be used to help retrieve and delete data upon request: Amazon S3, Amazon EMR, AWS Glue, Amazon Athena, and Amazon QuickSight. Together, these services enable you to crawl, catalog, and query your content to retrieve specific consumer data. From there, you can further visualize the data retrieved, and use AWS CloudTrail, Amazon CloudWatch, AWS Lambda, and AWS Config for deletion.
  3. Data awareness – The following AWS services can be used to help notify and inform consumers about their personal information: AWS Config, Amazon Simple Email Service (Amazon SES), Amazon Connect, and Amazon Lex. These services provide ways to notify consumers through a hosted application or by telephone.

For all companies

Compliance regulations and cybersecurity awareness are nothing new for restaurant, catering, and food service companies doing business in the digital age. Successful compliance requires an all-inclusive integration of people, processes, and technology. Employees and end users should be engaging with your policies on data privacy and cybersecurity, backed by the robust and strategic implementation of technologies. Companies may want to consider the following steps:

  • Understand the CCPA requirements and how they apply to your business.
  • Establish a cross-functional team with SMART goals that align with your company’s budget.
  • Make security updates and conduct an assessment of your technology infrastructure.
  • Create and maintain a data map to create extreme clarity for your company on how data is processed, stored, and shared.
  • Revise your data policies and procedures as necessary.
  • Revise your end-user applications (Apps & Websites).
  • Contact your third-party vendors:
    • Have them revise end user applications (Apps & Websites).
    • Create a cadence for CCPA compliance guidelines, monitoring, and system checks.
  • Prepare your staff with education about the CCPA and other new laws relating to data privacy, policies, procedures, and the handling of consumer requests.

Additional support








Whether relating to this topic or others, AWS offers a variety of resources to assist you, including:

  • Compliance & best practices – We continually stay ahead of regulatory issues including the CCPA and PCI to help you ensure your brand is compliant.
  • In-house industry expertise with a dedicated AWS Restaurants, Catering, & Food Service team.
  • Professional Services – The AWS Professional Services organization is a global team of experts that works together directly with your team and your chosen member of the AWS Partner Network.
  • APN Partner Competency – Our AWS Partner Network provides customers with specialized resources. Customers tell us that in order to maximize their investment in the cloud, they seek to work with specialized APN Partners that understand their business and demonstrate relevant technical proficiency.
  • Training & Certification – We can assist in the upskilling of your organization and resources with the AWS Training and Certification Program. It helps you to build and validate those individual skills and ensure the whole company is ready for digital transformation.
  • Industry affiliations – We are deeply embedded into the industry’s most respected associations and workgroups.

To learn more, please reach out to your account manager or visit

Steven M. Elinson

Steven M. Elinson

Steven M. Elinson is the head of worldwide restaurants and food service, the global industry practice for Amazon Web Services (AWS), with a charter to support customers as they accelerate cloud adoption. As a trusted adviser, Steven uses his broad knowledge and 32 years of experience to drive guest experiences and to increase operational efficiency.