Your business has Californian customers. The PDFs you process for them — billing, contracts, support cases — contain personal information. Under CCPA (and now CPRA), those PDFs are in scope and the tools you use to handle them are too.
What CCPA / CPRA covers
The California Consumer Privacy Act, amended by the California Privacy Rights Act, applies to businesses that:
- Have annual gross revenue over $25M, OR - Buy/sell/share personal info of 100,000+ Californians, OR - Derive 50%+ of revenue from selling personal info.
If you're in scope, Californian consumers have rights: to know, to delete, to correct, to opt out of sale/sharing, to limit use of sensitive personal info.
Personal information is broadly defined — includes anything that identifies or could be linked to a consumer or household.
Service providers and contractors
When a PDF tool processes personal info on your behalf, it's a service provider or contractor under CCPA. You need a contract restricting its use of the data to your purposes.
Similar to GDPR's DPA, the CCPA service provider contract restricts:
- Use beyond your business purpose. - Sharing or selling the data. - Retention beyond what's necessary. - Combining with data from other sources.
Reputable tool vendors publish CCPA-compliant terms. Many use the same standard contract for GDPR and CCPA.
Browser-side tools simplify CCPA
If a PDF tool processes in your browser without uploading to their servers, the tool isn't 'processing' personal info under CCPA — *you* are, on your device.
Flint is browser-based. The provider doesn't have access to file content. This minimises the service-provider footprint and simplifies your CCPA inventory.
Consumer requests
If a Californian consumer requests their data, you need to know what tools you used to process it and what each retained. Maintain a tool inventory. For server-side tools, request deletion logs from the vendor. For browser-side tools, the file is on your own systems — manage there.
Response times under CCPA are 45 days (extendable). Plan tooling and process accordingly.
FAQ
Do small businesses need to worry about CCPA?
Only if they meet the thresholds. If you handle 100,000+ Californians' data or 50%+ revenue from selling it, yes. Otherwise no — but treating it as best practice is wise.
Is CCPA stricter than GDPR?
Different rather than stricter. GDPR has broader scope and harsher fines; CCPA has unique opt-out-of-sale provisions. Compliance with one usually gets you most of the way to the other.
What's the CPRA amendment?
CPRA expanded CCPA in 2023 — added sensitive personal info, corrections rights, and the California Privacy Protection Agency as enforcer.
Does Flint sell personal information?
No. Flint processes files in your browser — no file content reaches Flint's servers. There's nothing to sell.
If California is in your customer base, CCPA touches your tool choices. Browser-based tools reduce the compliance surface.