Your CCPA Privacy Rights (California Consumer Privacy Act)
Five legally enforceable rights over your personal data — and how to use them.
Last verified: February 2026
Key Fact
CCPA (as amended by CPRA in 2023) gives California residents five enforceable privacy rights. Businesses that violate these rights face fines up to $7,500 per intentional violation. You don't need a lawyer to exercise these rights — a written request is enough.
What Is CCPA?
The California Consumer Privacy Act (CCPA), effective January 1, 2020, was the first comprehensive consumer privacy law in the United States. It gave California residents new rights over the personal data businesses collect about them.
In 2020, California voters passed Proposition 24, which created the California Privacy Rights Act (CPRA). The CPRA significantly expanded CCPA — adding new rights, creating the California Privacy Protection Agency (CPPA), and strengthening enforcement. The CPRA amendments took full effect on January 1, 2023.
When people say "CCPA rights," they typically mean the CCPA as amended by the CPRA — the current combined law in effect in 2026.
Who Qualifies for CCPA Rights?
CCPA applies to California residents. A "consumer" under CCPA is any person who is a California resident — meaning you live in California even temporarily, not just as a permanent domicile. If you were in California when the data was collected, you have rights.
You do NOT need to be a US citizen. The law protects all California residents regardless of immigration status.
Not in California?
19 states now have comprehensive privacy laws similar to CCPA. Use our State Rights Lookup to see what rights apply in your state.
Your 5 Core CCPA Rights
The CCPA as amended by CPRA gives California consumers five enforceable rights:
Right to Know
You can request that a business disclose what personal information it has collected about you, where it came from, why it was collected, and who it's been shared with or sold to. Businesses must respond within 45 days and can provide data for the past 12 months (CPRA extended this to cover data portability too).
What to request: categories of data, specific pieces of data, third parties it was shared with
Right to Delete
You can request that a business delete your personal information. If the business uses a service provider that processes your data, the service provider must also delete it. There are exceptions — businesses may retain data needed to complete transactions, detect security incidents, comply with legal obligations, or for certain research purposes.
This is especially powerful against data brokers — see our Data Broker Guide
Right to Opt Out of Sale or Sharing
You can tell a business to stop selling or sharing your personal information. The CPRA expanded this beyond "sale" to cover cross-context behavioral advertising even when no money changes hands. Businesses that receive opt-out requests must honor them within 15 days and cannot ask you to opt back in for 12 months.
Look for "Do Not Sell or Share My Personal Information" links on business websites
Right to Correct (CPRA Addition)
Added by the CPRA in 2023, this right lets you request that a business correct inaccurate personal information it holds about you. The business must consider the nature of the data and the purposes for which it's processed when deciding how to correct it. Useful for fixing errors in background check databases.
Especially useful for incorrect background check data, credit-adjacent records
Right to Non-Discrimination
Businesses cannot discriminate against you for exercising your CCPA rights. They cannot deny you goods or services, charge different prices, provide a different level of service, or suggest you'll receive worse treatment. Note: businesses CAN offer financial incentives for allowing data collection, but participation must be voluntary and the incentive must be disclosed upfront.
If a business treats you worse after a CCPA request, report it to the CPPA
Which Businesses Must Comply?
CCPA applies to for-profit businesses that do business in California AND meet at least one of these thresholds:
$25M+
Annual gross revenue
100K+
Consumers' or households' data bought, sold, or shared per year (CPRA raised this from 50K)
50%+
Annual revenue from selling or sharing consumers' personal information
Nonprofits and government agencies are generally exempt. Small businesses under all three thresholds do not need to comply — but many choose to voluntarily.
Even if a business is headquartered outside California, it must comply if it collects data from California residents and meets any threshold. This means most large US companies are subject to CCPA.
How to File a CCPA Request
Find the Business's Privacy Request Method
CCPA-covered businesses must offer at least two ways to submit requests: a toll-free phone number and a web form. Look for "Privacy Rights," "Do Not Sell My Personal Information," or "Consumer Privacy Request" links — usually in the website footer or privacy policy.
Verify Your Identity
Businesses are required to verify your identity before honoring requests. This protects against someone else deleting your data without permission. Typical verification: email confirmation, account login, or answering security questions. They cannot require you to create an account solely to submit a request.
Submit Your Request
State clearly what right you are exercising (know, delete, opt-out, or correct) and include your full name, email address, and any other information they need to identify your records. Use the template letter below if no web form is available.
Wait for the Response (45 Days)
Businesses must confirm receipt within 10 business days and respond within 45 calendar days. They can request a 45-day extension if needed (maximum 90 days total) — but must notify you of the extension and explain why.
Escalate if Ignored
If a business ignores or denies your request without valid reason, file a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov. The CPPA has enforcement authority and can levy fines up to $7,500 per intentional violation.
Template CCPA Request Letter
Use this template if a business doesn't have a web form, or if you want a paper trail. Send via email to the company's privacy or legal contact.
CCPA Data Request — Copy and Customize
Subject: California Consumer Privacy Act (CCPA) — Request to [Know / Delete / Opt-Out / Correct]
Dear Privacy Team,
I am a California resident and am writing to exercise my rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
I am requesting: [Choose one or more]
— RIGHT TO KNOW: A full disclosure of all personal information you have collected
about me, including the categories, specific pieces, sources, purposes, and any
third parties with whom it has been shared or sold.
— RIGHT TO DELETE: Deletion of all personal information you hold about me, and
instruction to your service providers to do the same.
— RIGHT TO OPT-OUT: To opt out of the sale and sharing of my personal information.
— RIGHT TO CORRECT: Correction of the following inaccurate information: [describe].
My identifying information:
Full Name: [Your full legal name]
Email Address(es): [All email addresses associated with your records]
Mailing Address(es): [Current and past addresses, if relevant]
Phone Number: [Optional — if associated with your records]
Under CCPA, you must acknowledge this request within 10 business days and respond fully within 45 calendar days.
Thank you for your attention to this matter.
[Your Name]
[Date]
2026 CPRA Updates — What Changed
The CPRA (effective January 1, 2023, enforced from July 2023) significantly expanded consumer rights. Here's what changed from the original CCPA:
| Area | Original CCPA (2020) | CPRA Update (2023+) |
|---|---|---|
| Opt-Out Scope | Sale of personal data | Sale AND sharing (including cross-context behavioral advertising) |
| Right to Correct | Not included | New right added — correct inaccurate personal data |
| Sensitive Data | No special category | New "sensitive personal information" category with enhanced protections (SSN, health, precise geolocation, etc.) |
| Data Minimization | Not required | Businesses must limit collection to what's necessary for stated purpose |
| Threshold (records) | 50,000+ consumers or households | 100,000+ consumers or households |
| Enforcement | California AG only | New CPPA agency with dedicated enforcement authority |
| Employee Data | Exempt until 2023 | Employee and B2B data now fully covered |
| Data Portability | Not included | Added — receive your data in a portable, usable format |
CCPA vs GDPR — Key Differences
CCPA is often compared to Europe's GDPR, but they take different approaches. Understanding the differences helps you know what to expect when exercising rights with companies that operate globally.
| Area | CCPA/CPRA | GDPR |
|---|---|---|
| Who it covers | California residents | EU/EEA residents |
| Legal basis | Opt-out (default: businesses can collect unless you say no) | Opt-in (default: businesses need a lawful basis, often consent) |
| Right to object | Opt-out of sale/sharing | Object to any processing based on legitimate interests |
| Response time | 45 days (extendable to 90) | 30 days (extendable to 90) |
| Max fine | $7,500 per intentional violation | €20M or 4% of global turnover (whichever is higher) |
| Private lawsuits | Limited — only for data breaches ($100-$750 per consumer) | Broader private right of action |
| Business threshold | $25M revenue OR 100K records OR 50% revenue from data | Any organization processing EU resident data (no size threshold) |
Enforcement and Penalties
Since 2023, the California Privacy Protection Agency (CPPA) has primary enforcement authority, alongside the California AG. The CPPA can investigate complaints and initiate enforcement actions independently.
- Unintentional violations: Up to $2,500 per violation
- Intentional violations: Up to $7,500 per violation
- Children's data violations: Automatically treated as intentional ($7,500)
- Data breach private lawsuits: $100-$750 per consumer per incident, or actual damages
To report a CCPA violation, file a complaint at cppa.ca.gov/enforcement. Include documentation of your request and the company's response (or non-response).
Frequently Asked Questions
Can a business charge me a fee to process my CCPA request?
No. Businesses must process your requests for free, up to twice per 12-month period. If you submit excessive or repetitive requests, they may charge a reasonable fee — but they must tell you in advance.
What if the business says it doesn't have any data about me?
They must tell you that in writing. If you believe they do have data about you and are not being truthful, you can file a complaint with the CPPA. Document your request and their response.
Does CCPA cover data brokers?
Yes — and importantly, data brokers that meet the thresholds must comply with deletion requests even though you have no direct relationship with them. The CPRA also created the DROP portal (launching August 2026) for one-click deletion from all California-registered brokers. See our DROP Guide.
Can my employer deny my CCPA rights?
As of January 2023, employee data is fully covered by CCPA/CPRA. Your employer must respond to your requests regarding your employee data. However, there are exceptions — employers can retain data needed for employment purposes, legal compliance, or security purposes.
What counts as "personal information" under CCPA?
CCPA has a broad definition. It includes: identifiers (name, address, email, IP), commercial information (purchase history), biometric data, internet activity (browsing history, search history), geolocation data, professional information, education information, and inferences drawn from any of this to create a profile. It does NOT include publicly available government records.
Is CCPA the same as the California Privacy Rights Act?
CCPA is the original law (2020). The CPRA (2023) amended and expanded CCPA significantly. The combined law is still commonly called "CCPA" but technically it is the CCPA as amended by CPRA. Both names refer to the same current law.
How is CCPA enforced for out-of-state businesses?
Any for-profit business that collects California residents' data and meets the thresholds must comply — regardless of where the business is headquartered. The CPPA can bring enforcement actions against any qualifying company, and courts can compel compliance. Most large US businesses comply nationally rather than maintaining California-specific systems.