Effective Date: December 31, 2019
We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and other applicable privacy laws, including the EU’s General Data Protection Regulation (GDPR). Any terms defined in the CCPA have the same meaning when used in this Notice. We have also included specific information for other applicable privacy laws so that our consumers who may be subject to those laws can be informed of their rights and the options Five Guys provides to enable the exercise of those rights.
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device (“Personal Information”). Personal Information does not include:
For the purposes of consumers subject to the GDPR, Personal Information has the same meaning as “Personal Data” under that Regulation.
In particular, we have collected the following categories of Personal Information from our consumers:
A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Some Personal Information included in this category may overlap with other categories.
C. Protected classification characteristics under California or federal law.
Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
D. Commercial information.
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
E. Biometric information.
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
F. Internet or other similar network activity.
Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
G. Geolocation data.
Physical location or movements.
H. Sensory data.
Audio, electronic, visual, thermal, olfactory, or similar information.
I. Professional or employment-related information.
Current or past job history or performance evaluations.
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
K. Inferences drawn from other Personal Information.
Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
We obtain the categories of Personal Information listed above from the following categories of sources:
An "IP Address" is a number that is automatically assigned to your computer when you use the Internet. In some cases your IP address stays the same from browser session to browser session. However, if you use a consumer internet service provider, your IP address may vary from session to session. We track IP addresses solely in conjunction with session cookies to analyze our web page flow.
"Cookies" are small pieces of information that a website sends to your computer's hard drive while you are viewing a website. Five Guys uses both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer until they expire or until you delete them) to provide you with a more personal and interactive experience on the Sites. Persistent cookies can be removed by following the help directions for your internet browser. If you choose to disable all or most cookies, some areas of the Site may not work properly.
In addition to cookies, Five Guys uses "pixels" to enable certain cookies or advertisements on the Sites and to track the number of times a link or advertisement is served on a webpage. A pixel is a tiny, 1x1 image that is loaded when you visit our Sites, but instead of calling up an image, it causes a cookie or application to be downloaded. Pixels can be used to track user activities, track the number of times a user has viewed a particular link or advertisement, track and optimize website traffic, display advertisements, keep track of advertising commissions, and otherwise collect data for online marketing and website analysis. As with cookies, our Sites utilize both session pixels and persistent pixels.
The cookies that we use for functionality and security purposes are considered necessary cookies, without which the Site would not function properly. These cookies allow some of the basic functions of our Sites to work properly, such as remembering your preferences as you navigate the Sites. In addition, these cookies help us secure the Sites by preventing cross-site request forgery attacks and by throttling excessive request rates.
You have the option to manage the cookies we use in connection with the Sites through the cookie consent settings and preferences centers made available to you on the Sites.
We may use or disclose the Personal Information we collect for one or more of the following purposes:
We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
We will not perform any automated decision-making processes involving the information that we collect.
We may create Deidentified Information records from Personal Information by excluding information (such as your name and/or IP address) that would allow someone to identify a specific individual. "Deidentified Information" means information that is not associated with or linked to your Personal Information, including any feedback you may provide, which cannot be reidentified with your Personal Information. Deidentified Information does not permit the identification of individual persons. We may use this Deidentified Information to analyze request patterns and usage patterns so that we may enhance our products and services. Five Guys reserves the right to use and disclose Deidentified Information to third parties in its discretion.
In addition to the above, various privacy laws specify numerous legitimate and lawful ways that we may use the Personal Information we collect without your consent. For more information, please see the section labelled “Notice Regarding Required Consents.”
We may disclose your Personal Information to a third party for a business purpose. When we disclose Personal Information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.
We share your Personal Information with the following categories of third parties:
While we may request your consent to use or share your Personal Information to fulfill or perform services regarding your orders and requests, we may also use or share your Personal Information without your consent for any legitimate purpose as allowed under the applicable laws and regulations (see the section labelled “Notice Regarding Requested Consents,” below), including fulfilling our contractual obligations to you. Five Guys has taken certain organizational and technological security measures to protect your Personal Information, described in the “How We Protect Your Information” section, and requires at least the same degree of organizational and technological security measures to be used by all third parties with whom we may share your Personal Information.
If we disclose your Personal Information to Affiliates or third parties as identified in this section, we agree to be liable for violations of your privacy rights by the Affiliates and third parties to which we have disclosed your Personal Information.
Some of our Affiliates may be international organizations or organizations that were formed in the United States. If we share your Personal Information with such Affiliates, we will use appropriate methods to transmit your information in accordance with all applicable laws and regulations. Such methods may include the Privacy Shield framework, model contract clauses, or binding corporate bylaws.
In certain circumstances, we may be required to disclose your Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In the preceding twelve (12) months, Company has disclosed the following categories of Personal Information for a business purpose:
Category A: Identifiers.
Category B: California Customer Records Personal Information categories.
Category C: Protected classification characteristics under California or federal law.
Category D: Commercial information.
Category E: Biometric information.
Category F: Internet or other similar network activity.
Category G: Geolocation data.
Category H: Sensory data.
Category I: Professional or employment-related information.
We may disclose your Personal Information for a business purpose to the following categories of third parties:
It is Five Guys’ policy not to sell the Personal Information of our consumers. As such, in the preceding twelve (12) months, we have not sold Personal Information.
To protect your Personal Information, we agree to take reasonable technical and organizational precautions in addition to following industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered, or destroyed.
Even though we have taken significant steps to ensure that your Personal Information is not intercepted, accessed, used, or disclosed to or by unauthorized persons, you should know that Five Guys cannot completely eliminate security risks associated with Personal Information.
When we are using your Personal Information on the basis of your consent, you are entitled to withdraw that consent at any time. If you revoke your consent, you will not be penalized or prejudiced for revoking your consent.
These uses, among others, may include:
When we collect, retain, or use your Personal Information based on a legitimate interest or the public interest, as described above, you may have the right to object at any time to that use of your Personal Information if your local law gives you that right.
We do not target our Sites or Services toward or intentionally gather Personal Information about visitors who are under the age of 13. Furthermore, we do not intentionally allow visitors under the age of 18 to place orders via our Sites. If a child under 13 submits Personal Information to us and we learn that the Personal Information is the information of a child under 13, we will attempt to delete that Personal Information as soon as possible. If you believe that we might have any Personal Information from a child under 13, please contact us using the information in the below “Contact Us” section.
By using this Site, you represent that you are at least the age of majority in your state, province, or country of residence, or that you are the age of majority in your state, province, or country of residence and you have given us your consent to allow any of your minor dependents to use this Site.
When you click on links on our store, they may direct you away from our Site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.
Our “Five Guys Gear” store is hosted by Shopify Inc. They provide the online e-commerce platform that allows us to sell our products and services to you.
Any Personal Information you provide through the Shopify platform, or that is otherwise collected by Shopify, is stored in Shopify’s data storage facilities, databases, and the general Shopify application on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that transaction is complete, your purchase transaction information is deleted or rendered unreadable (masked).
All direct payment gateways on Shopify adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express, and Discover. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more information about Shopify’s privacy practices and use of information, please see Shopify’s Terms of Service (https://www.shopify.com/legal/terms) and Privacy Statement (https://www.shopify.com/legal/privacy).
Phone: (877) 258-2136
Five Guys Enterprises, LLC
ATTN: Privacy Officer
10718 Richmond Highway
Lorton, VA 22079 USA
The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights.
You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section labelled “Exercising Your Access, Data Portability, and Deletion Rights”), we will disclose to you:
You have the right to request that we delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the section labelled “Exercising Your Access, Data Portability, and Deletion Rights”), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Submitting your request using the below webform;
Please note that our Sites are not configured to accept and respond to web browser Do Not Track (DNT) signals. As such, if you would like to exercise your privacy rights, we encourage you to do so by submitting a request using one of the methods described above.
Please also note that you are currently only permitted to submit one type of request at a time on the above webform. If you would like to submit multiple request types, please submit a separate form for each and we will work with you to process the requests in an appropriate order.
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. To designate an authorized agent, you must authorize that agent to act on your behalf and the agent must have registered with the California Secretary of State. Before processing any request received from an authorized agent, we will take reasonable efforts to confirm their identity and their authority to act on your behalf.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.
You do not need to create an account with us to exercise the rights made available to you under the CCPA. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
For instructions on exercising sale opt-out rights, see the section labeled “Personal Information Sales Opt-Out and Opt-In Rights.”
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to an additional forty-five (45) days for a total period of time not to exceed ninety (90) days from when your request was submitted), we will inform you of the reason and necessary extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically a comma separated value (.csv) file.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
If you are 16 years of age or older, you have the right to direct us to not sell your Personal Information at any time (the “right to opt-out”). It is Five Guys’ policy not to sell the Personal Information of our consumers and we do not sell the Personal Information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is at least 13 but not yet 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to Personal Information sales may opt-out of future sales at any time.
To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting the following Internet Web page link:
You may also choose to submit a request to opt-out by using the general CCPA Rights Request process as described in the section labelled “Exercising Your Access, Data Portability, and Deletion Rights.”
Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. However, you may change your mind and opt back into Personal Information sales at any time by using the general CCPA Rights Request process as described in the section labelled “Exercising Your Access, Data Portability, and Deletion Rights.”
You do not need to create an account with us to exercise your opt-out rights or any other right made available to you under the CCPA. We will only use Personal Information provided in an opt-out request to review and comply with the request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Website that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please send an email to email@example.com or contact us using the information provided in the “Contact Us” section.
If you are a resident of the State of Nevada, you have the right to request that Five Guys not sell the Personal Information we currently have about you or that we might collect about you in the future. Although it is currently Five Guys’ policy not to sell our consumers’ Personal Information, if you would like to register an email address with Five Guys to request that we not sell your Personal Information now or in the future, please follow the below link and provide the requested information.
Following our receipt of your request, we will make reasonable efforts to verify your identity and that the request is authentic. When we have verified your request, we will confirm that your Personal Information will not be sold by Five Guys. If you change your email address in the future, please note that you will need to re-register the new email address with us so we can continue to ensure that we do not sell your Personal Information.
Five Guys will only use the information you provide in connection with your request to process that request. Because of the on-going nature of your right not to have your Personal Information sold under Nevada law, we will retain the information provided in this request until you withdraw the request.
This section describes your GDPR rights and explains how to exercise those rights.
The GDPR extends a number of rights to residents of the EU, EEA, and, through mirrored laws adopted by the UK intended to go into effect following the UK’s departure from the EU, the UK. These rights include the rights of/to: access, rectification, erasure (“the right to be forgotten”), restrict processing, data portability, and objection to profiling and automated decision-making. Individuals subject to the GDPR also have the right not to be discriminated against for exercising these rights.
You have the right to control your Personal Information as described below. In order to request access to, correct, object to our use and retention of your Personal Information, or to exercise any of your rights related to your Personal Information as described in your local law, please send a request by e-mail to firstname.lastname@example.org or by mail using the contact information listed in the “Contact Us” section above. Please include “Personal Information Request” in the subject line of your e-mail.
You can control your Personal Information in the following ways:
When you contact us to exercise any of the privacy rights described above, please provide the following:
Because we do not want your Personal Information to be exposed to someone else, we will make a reasonable effort to confirm your identity before processing your request. This identity confirmation effort may come directly from us or from a trusted vendor.
Five Guys will only use the Personal Information you provide in connection with your request to check our systems and confirm whether we possess any of your Personal Information and to process any Personal Information access or management requests we receive from you. After we have completed reviewing your request, we may store the information we provide to you for a reasonable amount of time after fulfilling your request in case you have additional inquiries. After the information is no longer necessary, we will automatically delete this information from our records or make it permanently unreadable (masked data).
Any contact information provided in connection with a request to exercise your rights related to your Personal Information will not be used for direct marketing purposes and will not be shared with others unless necessary to verify your identity and/or complete your request.
We will do our best to respond to your request as soon as possible, and, in any event, no later than 30 days after receiving your request. Please note that making multiple requests at one time may slow down our processing of your request. If additional time is required to complete your request, we will notify you of that fact and the reasons why we require additional time to fully respond to your particular request.
In certain circumstances, where we are able to do so, some requests may need to be fulfilled in a logical order. For example, if you request to see what information Five Guys has about you and at the same time request that Five Guys erase your Personal Information, we will first provide you with access to your Personal Information, then we may ask you to confirm again that you would like us to delete that information.
In some circumstances, we may not be able to comply with your requests related to your Personal Information. In those cases, we will respond as soon as possible, and, in any event, no later than 30 days after receiving your request. Our response will let you know if and why we are not able to comply and will share information with you about how you can object to the relevant Supervisory Authorities if you think our continued use or maintenance of that information is improper.
If you have a concern about our handling of your Personal Information or your request, please contact us first using the information in the “Contact Us” section below so we can try to resolve your concerns. We are committed to working with you to obtain a fair resolution to any complaint or concern you may have about our use of your Personal Information. If, however, you believe that we have not been able to assist with your request, complaint, or concern, you may have the right to lodge a complaint with the data protection authority in your country (if one exists in your country) or supervisory authority. You may also have a right to a judicial remedy if it is determined your Personal Information is being used illegally.