Blog/Privacy & Security/CCPA and Your Bank Statement Data: California Privacy Rights
🔒

CCPA and Your Bank Statement Data: California Privacy Rights

8 min readMay 19, 2025

Quick Answer

California residents have the right under CCPA to know what bank statement data converters collect, request deletion, and opt out of data sales. The simplest protection: use [QuickBankConvert](/) — a browser-based tool that never receives your data, so there is nothing to request deleted.

The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), gives California residents meaningful rights over their personal data. For anyone using online tools to convert bank statements, these rights have direct relevance — but they are only as good as the businesses that honor them.

This guide explains your CCPA rights in the context of financial document processing and what they mean in practice.

What Is the CCPA?

The California Consumer Privacy Act took effect on January 1, 2020, and was significantly amended by the California Privacy Rights Act (CPRA) effective January 1, 2023. Together, they form the most comprehensive consumer privacy law in the United States.

CCPA/CPRA applies to businesses that:

  • Do business in California
  • Have annual gross revenues over $25 million, OR
  • Buy, sell, or receive personal information of 100,000 or more consumers annually, OR
  • Derive 50% or more of annual revenue from selling or sharing consumer personal information

Many online tools and SaaS platforms — including PDF converters — meet these thresholds, particularly those serving broad consumer audiences.

Does CCPA Apply to Bank Statement Converters?

It depends on the converter's size, revenue, and data practices.

A large, commercially operated PDF conversion platform serving millions of users likely meets CCPA thresholds. A small single-developer tool may not.

Bank statements uploaded to cloud-based converters constitute personal information under CCPA — specifically, they include:

  • Identifiers: Name, address, account number
  • Financial information: Account balances, transaction history
  • Commercial information: Purchasing history and patterns (from transaction data)
  • Geolocation data: Merchant locations implied by transactions

All of these are explicitly listed categories of personal information under CCPA Section 1798.140.

Your CCPA Rights as a California Resident

If you are a California resident who has used a cloud-based bank statement converter, you have the following rights:

Right to Know. You can request that the business disclose what personal information it has collected about you, the categories of sources, the business purpose, and any third parties the data was shared with.

Right to Delete. You can request deletion of your personal information. The business must comply unless an exception applies (e.g., completing a transaction, legal obligation).

Right to Opt Out of Sale or Sharing. If the business sells or shares your personal information, you have the right to opt out. This must be honored immediately and remain in effect for at least 12 months.

Right to Correct. Under CPRA, you can request correction of inaccurate personal information.

Right to Limit Use of Sensitive Personal Information. Financial account information is classified as "sensitive personal information" under CPRA. You have the right to limit its use to only what is necessary for the service.

Right to Non-Discrimination. The business cannot deny service, charge a higher price, or provide a lower quality of service because you exercised your privacy rights.

RightWhat It Means for Converter Users
Right to KnowFind out exactly what was collected from your uploads
Right to DeleteRequest removal of stored bank statement data
Right to Opt OutStop the converter from selling your financial data
Right to Limit UseRestrict use of your account/transaction data

How to Exercise Your CCPA Rights

Step 1: Identify what you've shared. List any cloud-based converters you have used. Check whether they are subject to CCPA (look for a "California Privacy Notice" link in their footer).

Step 2: Locate the request mechanism. CCPA requires businesses to provide at least two methods for submitting requests — typically an online form and a toll-free phone number.

Step 3: Submit a deletion request. Request deletion of all personal information, including any uploaded documents, processed data, and derived records.

Step 4: Follow up. The business has 45 days to respond. If they do not, you may file a complaint with the California Privacy Protection Agency (CPPA) or pursue civil action for data breaches.

Step 5: Document your request. Keep a record of your request, the date, and any confirmation received.

Practical reality: Many small converter tools will acknowledge a deletion request without verifying whether all data has actually been removed. For sensitive financial data, the better long-term approach is to not upload it in the first place.

CCPA vs. GDPR: Key Differences for Financial Data

If you interact with services operating internationally, understanding both frameworks helps:

AspectCCPA/CPRAGDPR
Geographic scopeCalifornia residentsEU/EEA residents
Legal basis requiredNo (opt-out model)Yes (consent, legitimate interest, etc.)
Data deletionOn requestOn request (right to erasure)
Data portabilityYesYes
FinesUp to $7,500 per intentional violationUp to 4% of global annual revenue
Sensitive dataFinancial info classified sensitiveSpecial categories (narrower)
EnforcementCPPA + private right of action (breaches)National data protection authorities

For individuals concerned about financial data, GDPR is generally more protective — it requires an affirmative legal basis to process data, rather than an opt-out model. However, both provide meaningful rights worth exercising.

The Browser-Based Advantage: No Data to Delete

The most powerful CCPA protection is one you exercise before uploading anything: choosing a tool that never collects your data.

QuickBankConvert processes all conversions in your browser. No document is transmitted to any server. No personal information is collected, stored, or processed by QuickBankConvert's infrastructure.

This means:

  • There is no deletion request to file because there is nothing stored
  • There is no opt-out to exercise because there is no data to sell
  • There is no third party to trust with your financial information

CCPA gives you rights after data has been collected. Browser-based processing gives you a guarantee that collection never happens.

Convert bank statements privately — no data collected, ever →

Frequently Asked Questions

Does CCPA apply to me if I live outside California?
CCPA specifically protects California residents. However, many businesses apply CCPA-like standards nationally due to the complexity of geolocation-based enforcement. Check whether the service has a broader privacy commitment.
Can a converter sell my bank statement data?
Under CCPA, you have the right to opt out of the sale of your personal information. If a converter sells data and you are a California resident, you must be given a clear "Do Not Sell My Personal Information" option.
How quickly must a business respond to a CCPA deletion request?
Businesses subject to CCPA must respond to deletion requests within 45 days. They may extend this by an additional 45 days with notice if reasonably necessary.
What is the difference between CCPA and CPRA?
The California Privacy Rights Act (CPRA) expanded CCPA in 2023, adding rights like data correction, limiting use of sensitive personal information, and creating the California Privacy Protection Agency (CPPA) as an enforcement body.

Ready to convert your bank statement?

Free. Private. Instant. Your files never leave your browser.

Convert Your Statement