CCPA Privacy Rights: What California Consumers Need to Know
The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA), gives California residents specific rights over their personal information held by businesses. These rights apply to any business that meets threshold criteria, regardless of where the business is located, if it collects personal information of California residents. As the strongest state-level privacy law in the US, CCPA/CPRA has become a de facto national standard.
Who Is Covered
The CCPA applies to for-profit businesses that collect personal information of California residents and meet any of these thresholds: they have annual gross revenue over $25 million; they buy, sell, or share the personal information of 100,000 or more consumers or households annually; or they derive 50 percent or more of annual revenue from selling or sharing personal information.
Your Rights Under CCPA/CPRA
Right to know. You can request that a business disclose what personal information it has collected about you, the sources, the purposes, and the third parties it has been shared with. The business must respond within 45 days.
Right to delete. You can request deletion of your personal information. The business must comply and direct its service providers to delete it as well, with certain exceptions (completing transactions, security, legal obligations).
Right to opt out of sale/sharing. You can direct businesses to stop selling or sharing your personal information. Businesses must provide a “Do Not Sell or Share My Personal Information” link on their website.
Right to correct. You can request correction of inaccurate personal information.
Right to limit use of sensitive information. CPRA added the right to restrict businesses from using your sensitive personal information (SSN, financial data, precise geolocation, race, ethnicity, health data) beyond what is necessary to provide the service.
Right to non-discrimination. Businesses cannot discriminate against you for exercising your CCPA rights (by charging different prices, providing different service quality, etc.).
Exercising Your Rights
Submit requests through the privacy section of the business’s website, often labeled “Do Not Sell My Personal Information” or “Privacy Choices.” Businesses must verify your identity before processing requests. You can authorize someone else to submit requests on your behalf.
Enforcement
The California Attorney General enforces CCPA, and the California Privacy Protection Agency (CPPA) has enforcement authority under CPRA. Penalties reach $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a private right of action for data breaches involving unencrypted personal information.
For comparison with European privacy rights, see our GDPR compliance guide. For a global view of privacy laws, explore our privacy legislation worldwide guide.
Exercising Your Rights: A Practical Walkthrough
To submit a data access or deletion request, visit the company’s privacy page (usually linked in the website footer) and look for “Do Not Sell My Personal Information” or a privacy request form. You can also email the company’s designated privacy contact. The company must verify your identity before processing the request, typically through email verification or account login.
After submitting a request, the company has 45 days to respond (extendable by an additional 45 days in complex cases). If the company fails to respond or denies your request without adequate justification, you can file a complaint with the California Attorney General’s office.
For opt-out requests, look for the “Do Not Sell or Share My Personal Information” link, which California law requires on every covered business’s website. Global Privacy Control (GPC) is a browser-level signal that automatically communicates your opt-out preference to every website you visit. Enable GPC in your browser settings (Firefox and Brave support it natively) to automate the opt-out process.
The Expanding State Privacy Landscape
California’s CCPA/CPRA has inspired similar legislation across the US. Virginia’s Consumer Data Protection Act, Colorado’s Privacy Act, Connecticut’s Data Privacy Act, and laws in Utah, Iowa, Indiana, Tennessee, Montana, Oregon, and Texas all provide varying levels of consumer privacy rights. While each law has differences, the trend is toward consistent consumer rights of access, deletion, and opt-out across jurisdictions. Businesses operating nationally increasingly adopt CCPA-level practices as their baseline.