Paperturn's Compliance with the CCPA
On this page, we provide information about the California Consumer Privacy Act of 2018 (CCPA) and the ways in which Paperturn complies with its current requirements.
CCPA – what is it all about?
The CCPA, which came into effect on January 1, 2020 and became enforceable on July 1, 2020, consists of a series of bills that gave new privacy rights to consumers residing in the State of California, and imposes obligations on businesses processing their personal information.
Roles, responsibilities & exemptions
The CCPA distinguishes between three roles for companies involved in the processing of personal information:
- Business (similar to ‘data controller’ under the GDPR)
- Service Provider (similar to ‘data processor’ under the GDPR)
- Third Party (similar to a Business, but one that does not have direct interaction with the consumer)
The CCPA generally applies to Businesses who fulfil one or more of the following conditions: (i) have a gross revenue greater than $25 million; (ii) Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes; (iii) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The obligations imposed on ‘Businesses’ outline the limits of ‘sale’ of personal information and define specific actions that Businesses are required to perform, such as:
- Create “Do-Not-Sell-My-Personal-Information” button on your homepage
- Inform consumers of categories & specific pieces of information collected/sold of them
- Provide at least 2 methods of communications for requesting to exercise consumer rights
As the CCPA currently only applies to ‘consumers’ (and not ‘Data Subjects’ as defined by the GDPR), certain relationships were exempt from CCPA enforcement:
How is Paperturn compliant with the CCPA?
- Employee information (this includes past, current and potential employee information)
- B2B interactions (information obtained in the course of an activity between companies)
Although the CCPA does not officially apply to Paperturn, as we do not fulfill one or more of the conditions stated above, we are still committed to compliance in the following ways:
- Identified Paperturn's role as a “Service Provider” under the CCPA, where we process personal information solely on behalf of our customers (the “Business” in such cases);
- Identified Paperturn’s role as a “Business” where we process the personal information of California's consumers for our own purposes. Due to the nature of Paperturn's services, our activities are typically exempt from CCPA enforcement as Paperturn: (a) does not sell the personal information of California consumers (or of any other data subjects for that matter); (b) obtains such information in the context and course of B2B relationships and services;
- Paperturn already provides technical and organizational measures for sufficiently exercising other proposed consumer rights that are similar rights granted under the GDPR (such as the right to disclosure, deletion and opt-out);
- Introduced additional amendments to Paperturn's data processing addendum (DPA) and internal procedures to reflect the specific requirements of the CCPA (such as with respect to entity roles, the maximum response time and data subject verification process, and the commitments required of a Service Provider towards the Business under the CCPA);
- Having procedures for handling suspected breaches concerning personal information, limiting use, disclosure and retention of personal information, and regularly conducting privacy training for all relevant members of our staff.
We closely follow the developments surrounding the CCPA and the AG’s Proposed Regulations. We also monitor legislative developments both in California and in other US states.
If you have any further questions concerning Paperturn's privacy program and our ongoing efforts surrounding the CCPA, please feel free to contact our Data Protection Officer & Privacy Team at firstname.lastname@example.org.