Data Privacy Laws (GDPR/CCPA) for POS: What ISOs Must Know

TL;DR — Quick Summary

  • 85% of merchants collect customer payment data via POS systems, but 60% are not compliant with GDPR and CCPA data privacy requirements — exposing both merchants and ISOs to fines ranging from $2,500 to $7,500 per violation.
  • POS systems are at the center of data privacy compliance because they handle the most sensitive transaction data: card numbers, customer names, purchase histories, and in some cases, biometric data.
  • ISOs who proactively help merchants achieve data privacy compliance differentiate from competitors and create sticky, trust-based relationships that are difficult to break.

POS Systems Are Now Data Privacy Battlegrounds

Every time a customer pays with a card at a POS terminal, a small data transaction occurs alongside the financial one: card numbers are transmitted, purchase records are created, customer profiles may be updated, and transaction histories are stored. This data is the lifeblood of modern merchant marketing — and the primary target of data privacy regulators worldwide.

According to Cisco’s 2026 Data Privacy Benchmark Report, 85% of merchants collect customer data via their POS systems, but 60% of those merchants are not fully compliant with data privacy regulations like GDPR and CCPA. This compliance gap creates significant risk — and significant opportunity — for ISOs.

The regulatory landscape has changed dramatically. GDPR (General Data Protection Regulation) applies to any business processing data of EU residents, regardless of where the business is located. CCPA (California Consumer Privacy Act) applies to businesses with more than $25 million in annual revenue that handle data of California residents. And new state privacy laws — Virginia’s VCDPA, Colorado’s CPA, Connecticut’s CTDPA, and others — are creating an increasingly complex web of compliance requirements.

For ISOs, this creates a new value proposition: helping merchants achieve data privacy compliance is not just good ethics — it is good business. Merchants who understand their compliance obligations will pay a premium for a POS provider who makes compliance easy. And ISOs who ignore the compliance conversation will increasingly lose deals to providers who address it proactively.

What Data Privacy Laws Mean for POS Systems

GDPR (General Data Protection Regulation)

GDPR applies to any business — regardless of location — that processes data of EU residents. For POS systems, this means that merchants who serve EU customers must comply with GDPR requirements when handling customer data. Key obligations include:

  • Lawful basis for processing: Merchants must have a valid legal basis (consent, contract, legitimate interest) for collecting and processing customer payment data.
  • Data minimization: Only collect the data you need for the specified purpose. Storing full card numbers beyond transaction authorization is generally prohibited.
  • Right to erasure: Customers can request deletion of their data. POS systems must be capable of identifying and removing customer data on request.
  • Data breach notification: Data breaches must be reported to supervisory authorities within 72 hours of discovery.
  • Data Protection Impact Assessments (DPIA): Required for high-risk data processing activities, which may include certain POS data collection practices.

CCPA (California Consumer Privacy Act)

CCPA — and its successor, CPRA (California Privacy Rights Act) — applies to for-profit businesses that serve California residents and either have annual revenue over $25 million or handle data of 100,000+ consumers. Key requirements for POS merchants:

  • Right to know: Consumers can request disclosure of what personal data is collected, how it is used, and who it is shared with.
  • Right to delete: Consumers can request deletion of their personal information.
  • Right to opt-out: Consumers can opt out of the sale of their personal information.
  • Non-discrimination: Businesses cannot discriminate against consumers who exercise their privacy rights.

Emerging State Privacy Laws

Beyond GDPR and CCPA, a growing number of states have enacted or are considering comprehensive privacy laws:

  • Virginia: Virginia Consumer Data Protection Act (VCDPA), effective January 2023
  • Colorado: Colorado Privacy Act (CPA), effective July 2023
  • Connecticut: Connecticut Data Privacy Act (CTDPA), effective July 2023
  • Utah, Iowa, Indiana, Tennessee, Montana, Texas — Additional state laws in effect or coming online

Regulation, applicability, maximum fine, and key POS impact:

  • GDPR. Applies to: any business processing EU resident data. Max fine: 4% of global revenue or €20M. Key POS impact: data minimization, consent, right to erasure.
  • CCPA/CPRA. Applies to: $25M+ revenue or 100K+ CA consumers. Max fine: $2,500-$7,500 per violation. Key POS impact: right to know, delete, opt-out of sale.
  • VCDPA. Applies to: $25M+ revenue or 100K+ VA residents. Max fine: $7,500 per violation. Key POS impact: right to access, correct, delete, port.
  • CPA. Applies to: $25M+ revenue or 100K+ CO residents. Max fine: $20,000 per violation. Key POS impact: right to opt-out, access, correct, delete.

How POS Systems Collect and Use Customer Data

Understanding what data POS systems collect is the first step to understanding privacy compliance obligations. Modern POS systems collect data at multiple levels:

Transactional Data

Every card transaction generates data: card number (or token), transaction amount, date/time, merchant ID, terminal ID, authorization codes, and clearing records. This data is primarily regulated by PCI DSS (Payment Card Industry Data Security Standard), but CCPA and GDPR treat transaction records as personal data when they can be linked to an identifiable individual.
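The following Python sketch is an added example, not code from the original page, from OrderPin, or from any POS vendor. It shows what the GDPR obligations listed above (data minimization, right to erasure, retention limits) look like at the POS data layer: the full card number is tokenized at the moment of capture and never written, records age out under a retention window, and everything linked to one customer can be exported or erased on request. The tokenization key, the record layout, the 365-day window and the customer identifiers are constructed assumptions; the card numbers are well-known industry test numbers, not real cards. The keyed-hash token is a simplification of a real vault, which would issue random tokens and keep the key in an HSM.

```python
"""Privacy-by-design POS transaction store (illustrative example, added here).

Three obligations from the text, in code:
  * data minimization - the full PAN is never stored; only a token and the last four digits
  * retention limit   - records older than the policy window are purged automatically
  * right to erasure  - every record linked to one customer can be found and deleted
A self-check scans everything at rest for anything that looks like a raw card number.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed key for this example only. A production tokenization service keeps its
# key in an HSM/KMS and normally issues random vault tokens rather than keyed hashes.
_TOKEN_KEY = b"example-only-tokenization-key-do-not-reuse"
_PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits and passes the Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str) -> tuple[str, str]:
    """Map a PAN to a stable, non-reversible token plus its last four digits.

    Base32 output uses A-Z and 2-7 only, so a token can never be mistaken for a PAN
    by the at-rest scan below.
    """
    digest = hmac.new(_TOKEN_KEY, pan.encode(), hashlib.sha256).digest()
    token = "tok_" + base64.b32encode(digest[:15]).decode()
    return token, pan[-4:]


@dataclass
class Transaction:
    txn_id: str
    card_token: str
    last4: str
    amount_cents: int
    ts: datetime
    customer_id: Optional[str] = None   # set only when the shopper is a known loyalty member


class TransactionStore:
    """In-memory stand-in for the POS transaction table (assumed schema)."""

    def __init__(self, retention_days: int = 365):
        self.retention = timedelta(days=retention_days)
        self._rows: dict[str, Transaction] = {}

    def record(self, txn_id: str, pan: str, amount_cents: int, ts: datetime,
               customer_id: Optional[str] = None) -> Transaction:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token, last4 = tokenize_pan(pan)
        row = Transaction(txn_id, token, last4, amount_cents, ts, customer_id)
        self._rows[txn_id] = row
        return row                      # the raw PAN goes out of scope here, never persisted

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than the retention window; return how many were removed."""
        cutoff = now - self.retention
        expired = [k for k, r in self._rows.items() if r.ts < cutoff]
        for k in expired:
            del self._rows[k]
        return len(expired)

    def export_customer(self, customer_id: str) -> list[dict]:
        """Right to know / access: every record held about one customer."""
        return [asdict(r) for r in self._rows.values() if r.customer_id == customer_id]

    def erase_customer(self, customer_id: str) -> int:
        """Right to erasure / delete: remove every record linked to the customer."""
        matches = [k for k, r in self._rows.items() if r.customer_id == customer_id]
        for k in matches:
            del self._rows[k]
        return len(matches)

    def contains_raw_pan(self) -> bool:
        """Audit check: does anything at rest look like a Luhn-valid card number?"""
        blob = repr([asdict(r) for r in self._rows.values()])
        return any(luhn_valid(m) for m in _PAN_RE.findall(blob))

    def __len__(self) -> int:
        return len(self._rows)
```

Keeping the token stable per card (same PAN, same token) is what lets refunds and repeat-customer reporting still reconcile after the PAN is gone; `contains_raw_pan` is the kind of check a merchant privacy audit would run against exports and backups, not just the live table.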

Customer Profile Data

Loyalty programs, online ordering accounts, and delivery services linked to POS systems create detailed customer profiles: names, email addresses, phone numbers, purchase histories, dining preferences, and behavioral patterns. This data is squarely within the scope of CCPA and GDPR.

Biometric Data

Some restaurants and hotels use POS-integrated biometric systems: fingerprint payment, facial recognition for loyalty, or voice-based ordering. Biometric data is considered a special category under GDPR (requiring explicit consent) and receives heightened protection under CCPA.

Employee Data

POS systems also process employee data: clock-in/out times, sales performance, tips, and scheduling. Employee data is also subject to privacy regulations, particularly in certain jurisdictions.

How OrderPin Helps ISOs Build Privacy-Compliant POS Solutions


PCI DSS Compliance Built-In

OrderPin’s white-label POS is PCI DSS compliant by default — tokenizing card data, minimizing data retention, and providing encrypted transaction processing that reduces merchant compliance burden.


Data Deletion Capabilities

OrderPin’s POS supports automated data deletion workflows — making it easy for merchants to comply with GDPR’s right to erasure and CCPA’s right to delete without manual database manipulation.


Privacy Policy & Consent Tools

OrderPin includes integrated consent management and privacy notice tools — helping merchants collect and document lawful consent for loyalty programs and customer data collection.

How ISOs Can Build Data Privacy Into Their Value Proposition

Data privacy compliance is no longer optional — it is a competitive differentiator. Here is how ISOs can turn privacy compliance into a selling point:

1. Offer Privacy-Compliant POS Solutions by Default

Work with POS platforms that take compliance seriously: PCI DSS compliance built in, data minimization enabled by default, encryption at rest and in transit, automated data retention policies. These are not just compliance features — they reduce liability for both the merchant and the ISO.

2. Help Merchants Conduct a Privacy Audit

Many merchants do not know what data they are collecting or how it is being used. A simple audit — what data does your POS collect? where is it stored? who has access? how long is it retained? — can reveal compliance gaps and create urgency for upgrades or replacements.

3. Bundle Privacy Compliance into Service Agreements

Position privacy compliance as a managed service: you are not just providing POS hardware and software, you are providing ongoing compliance support. This justifies premium pricing and creates annual recurring revenue opportunities.

Frequently Asked Questions

Does CCPA apply to my merchant if they only have 50 employees?

CCPA/CPRA applies based on revenue and data volume, not employee count. It applies to for-profit businesses with annual gross revenues over $25 million, businesses that buy/sell/share data of 100,000+ consumers annually, or businesses that derive 50%+ of annual revenue from selling consumer data. Most small merchants fall below these thresholds, but many of their customers (and therefore their transaction data) are covered. Additionally, other state privacy laws may apply with different thresholds. Always review current law with a privacy attorney for specific merchant situations.

What happens if a merchant’s POS is breached and customer data is stolen?

Consequences can be severe across multiple dimensions: PCI DSS fines from card networks (ranging from $5,000 to $100,000 per month depending on card data exposure), state privacy law penalties (CCPA allows $2,500-$7,500 per intentional violation), potential GDPR fines if EU residents are affected, brand damage and loss of customer trust, and potential civil lawsuits from affected customers. The ISO’s liability depends on their contract terms and whether they contributed to the breach through negligent configuration or support.

Do merchants need a privacy policy on their POS?

Yes, if they are subject to CCPA, GDPR, or similar laws. A privacy policy must disclose what data is collected, how it is used, who it is shared with, and consumer rights under applicable law. For POS systems, this means describing payment data collection, loyalty program data, and any third-party integrations that share data. Many POS providers include generic privacy policy templates that merchants can adapt for their specific use cases.

How does loyalty program data complicate POS privacy compliance?

Loyalty programs are the biggest source of customer data collection for most restaurants and retailers. When customers sign up for a loyalty program linked to POS, merchants collect names, emails, phone numbers, purchase histories, and behavioral data — all of which are subject to CCPA and GDPR. Loyalty programs also often involve third-party data sharing (email marketing platforms, analytics providers), creating additional disclosure and consent obligations. Merchants need clear consent flows for loyalty enrollment and must provide easy opt-out mechanisms.

What is the ISO’s liability if a merchant violates data privacy laws?

This is an evolving legal question. ISOs are generally not directly liable for merchant privacy violations if they are merely providing technology. However, ISO liability can arise if: (1) the ISO knew or should have known that their POS product facilitated non-compliant data collection, (2) the ISO made misrepresentations about their product’s privacy compliance, (3) the contract terms shift liability to the ISO, or (4) specific state laws impose obligations on “service providers” that process data on behalf of businesses. ISOs should have clear contractual provisions addressing data privacy liability and ensure their products meet baseline compliance standards.

Conclusion

Data privacy is not just a legal obligation — it is a business imperative for POS merchants. With 60% of merchants non-compliant with CCPA and GDPR, and regulatory enforcement accelerating, merchants need help navigating the privacy landscape. That is the ISO opportunity.

ISOs who proactively address data privacy — offering compliant POS solutions, helping merchants conduct privacy audits, and bundling privacy compliance into service agreements — will win deals against providers who ignore the issue. Compliance is not just risk mitigation; it is a premium value proposition that justifies higher pricing and creates deeper merchant relationships.

The stakes are real: CCPA fines of $2,500 to $7,500 per violation, GDPR fines up to 4% of global revenue, and the irrecoverable cost of customer trust lost to a data breach. Merchants who understand these stakes will pay for a POS provider who takes privacy seriously.

OrderPin helps ISOs build privacy-compliant POS solutions with PCI DSS compliance built in, data minimization enabled by default, automated deletion workflows, and consent management tools. Build your ISO business on a foundation of privacy compliance — and turn regulatory risk into competitive advantage.

About OrderPin
OrderPin is a white-label POS platform for ISO and MSP partners. Our privacy-by-design architecture helps ISOs build compliant, trustworthy payment solutions that protect merchants and customers alike.