Paperturn's Compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)

On this page, we provide information about the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act (CPRA) and the ways in which Paperturn complies with the current requirements. Given that the CPRA amends the CCPA and does not create a separate, new law, we will refer to the legislation simply as “the CCPA”.

The CCPA - What is it?

The California Consumer Privacy Act of 2018 gives consumers more control over the personal information that businesses collect about them. The CCPA provides consumers with certain rights regarding their personal information, including:

• The right to delete personal information collected from them;

• The right to know what personal information a business has collected about them and how it is used and shared;

• The right to opt-out of the sale and sharing of their personal information; and

• The right to non-discrimination for exercising their CCPA rights.

In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new additional privacy protections that began on January 1, 2023. As of January 1, 2023, consumers have new rights in addition to those above, such as:

• The right to correct inaccurate personal information that a business has about them; and

• The right to limit the use and disclosure of sensitive personal information collected about them.

Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and making certain disclosures to consumers about their privacy practices, such as posting a privacy policy.

Does the CCPA apply to Paperturn?

According to the legislation, the CCPA generally applies to businesses who fulfil one or more of the following conditions:

(i) have a gross revenue greater than $25 million;

(ii) annually buys, receives, sells, or shares the personal information of more than 100,000 consumers, households, or devices for commercial purposes;

 (iii) derives 50 percent or more of its annual revenue from selling and sharing consumers’ personal information.

Although the CCPA does not officially apply to Paperturn, as we do not fulfil one or more of the conditions stated above, we are still committed to compliance, as outlined below.

How is Paperturn compliant with the CCPA?

• Identified Paperturn's role as a “Service Provider” under the CCPA, where we process personal information solely on behalf of our customers (the “Business” in such cases);

• Identified Paperturn’s role as a “Business” where we process the personal information of California's consumers for our own purposes. Due to the nature of Paperturn's services, our activities are typically exempt from CCPA enforcement as Paperturn: (a) does not sell the personal information of California consumers (or of any other data subjects for that matter); (b) obtains such information in the context and course of B2B relationships and services;

• Paperturn already provides technical and organisational measures for sufficiently exercising other proposed consumer rights that are similar rights granted under the GDPR (such as the right to disclosure, deletion and opt-out);

• Updated our Privacy Policy, to ensure that it sufficiently addresses CCPA consumer rights and industry standard practices;

• Introduced additional amendments to Paperturn's Data Processing Addendum (DPA) and internal procedures to reflect the specific requirements of the CCPA (such as with respect to entity roles, the maximum response time and data subject verification process, and the commitments required of a Service Provider towards the Business under the CCPA);

• Having procedures for handling suspected breaches concerning personal information, limiting use, disclosure and retention of personal information, and regularly conducting privacy training for all relevant members of our staff.

We closely follow the developments surrounding the CCPA and the AG’s Proposed Regulations. We also monitor legislative developments both in California and in other US states.

If you have any further questions concerning Paperturn's privacy program and our ongoing efforts surrounding the CCPA, please feel free to contact our Data Protection Officer & Privacy Team at dpo@paperturn.com.