CCPA CPRA Privacy Rights Demand Letters

Published: December 4, 2025 • Demand Letters

California Consumer Privacy Act – Rights & Enforcement

CCPA/CPRA Consumer Rights Overview
📋 California Leadership: CCPA (effective 2020) and the CPRA amendments (effective 2023) give California residents strong privacy rights. Similar laws exist in other states (Virginia, Colorado, Connecticut, etc.), but California’s are the most comprehensive.
Who Has Rights? Who Has Obligations?

| Category | Definition |
|---|---|
| Consumers with rights | California residents (including temporary visitors) |
| Businesses with obligations | For-profit entities doing business in CA that meet thresholds: (1) $25M+ annual revenue, OR (2) Buy/sell/share PI of 100k+ consumers/households, OR (3) Derive 50%+ revenue from selling/sharing PI |
| Covered information | “Personal Information” – identifiers, commercial info, biometrics, internet activity, geolocation, inferences, sensitive PI (SSN, financial, health, precise geolocation, etc.) |

Core Consumer Rights Under CCPA/CPRA

1. Right to Know / Access (§1798.100, §1798.110)

  • What categories of PI business collects about you
  • Specific pieces of PI business has collected
  • Sources of PI, purposes for collection/use, categories of third parties with whom shared
  • Business must respond within 45 days (one 45-day extension allowed)

2. Right to Delete (§1798.105)

  • Request deletion of PI business has collected from you
  • Exceptions: business can retain if needed for transaction completion, security, legal compliance, internal uses
  • Must be honored within 45 days (one extension allowed)

3. Right to Correct Inaccurate Information (§1798.106) [CPRA]

  • Request correction of inaccurate PI
  • Business must use commercially reasonable efforts to correct

4. Right to Opt Out of Sale/Sharing (§1798.120, §1798.135)

  • “Do Not Sell or Share My Personal Information” link required on homepage
  • Opt out of sale to third parties and sharing for cross-context behavioral advertising
  • Business must honor within 15 days

5. Right to Limit Use of Sensitive Personal Information (§1798.121) [CPRA]

  • Limit business’s use/disclosure of sensitive PI (SSN, financial, precise geolocation, race/ethnicity, health, sexual orientation, etc.)
  • “Limit the Use of My Sensitive Personal Information” link required if applicable

6. Right to Non-Discrimination (§1798.125)

  • Business cannot discriminate (deny goods/services, charge different prices, provide different quality) for exercising CCPA rights
  • Exception: Can offer financial incentives for PI collection if reasonably related to value of PI

7. Right to Data Portability (§1798.100(d))

  • Receive PI in portable, readily usable format that allows transmission to another entity
⚠️ Limited Private Right of Action: Most CCPA violations can ONLY be enforced by California Attorney General. Private lawsuits limited to data breach cases under §1798.150 (covered in separate guide). For other violations, you can demand compliance and report to AG.
How to Exercise CCPA/CPRA Rights
Verification Requirements

Businesses must verify your identity before responding to requests:

  • Know/Delete requests: Two-factor verification (match 2–3 data points business already has, or sign in to account)
  • Sensitive PI or deletion: May require higher verification (3+ data points, signed declaration under penalty of perjury)
  • Authorized agents: Can submit on your behalf with power of attorney or signed permission
Business Response Timelines

| Request Type | Response Deadline | Extension Allowed |
|---|---|---|
| Right to Know | 45 days | +45 days if reasonably necessary (must notify consumer) |
| Right to Delete | 45 days | +45 days |
| Right to Correct | 45 days | +45 days |
| Opt Out of Sale/Share | 15 business days | None |
| Limit Sensitive PI | 15 business days | None |

Where to Submit Requests
  • Business website: Most have “Do Not Sell/Share” and privacy request forms
  • Toll-free number: CCPA requires businesses with websites to provide toll-free number
  • Email: Send to privacy contact listed in privacy policy
  • Authorized service providers: Some companies use third-party privacy management platforms
💡 Frequency Limits: Right to Know requests limited to twice in 12-month period. Deletion, correction, opt-out have no frequency limits.
What Information You’ll Receive

For Right to Know requests, business must provide:

  • Categories report: Categories of PI collected, sources, business purposes, third parties shared with
  • Specific pieces report: Actual data points (e.g., name, email, transaction history, browsing data)
  • Lookback period: Preceding 12 months
  • Format: Portable, readily usable format (typically PDF, JSON, CSV)
Common Business Refusals & How to Challenge

| Refusal Reason | Is It Valid? | How to Respond |
|---|---|---|
| “We can’t verify your identity” | Sometimes valid if you can’t provide required data points | Provide additional verification info; ask what specific data points they need |
| “Your request is excessive or repetitive” | Valid if >2 Know requests in 12 months; otherwise questionable | Cite §1798.145(a)(4); challenge “excessive” determination; file AG complaint |
| “This information is exempt” (e.g., employee data, B2B) | Some exemptions exist but are narrow | Request explanation of specific exemption; seek non-exempt data |
| “We don’t have this information” | Possibly true; business only provides what it actually collected | If you know they collected it, provide evidence; file AG complaint if false |
| “We need you to use our online form” | Invalid if you prefer phone/mail and provided required info | Cite §1798.130(a)(2); business must provide 2+ methods of submission |

Drafting CCPA/CPRA Requests & Demands
Standard Request Letter Format

Your request should include:

  • Subject line: “CCPA/CPRA [Right to Know / Right to Delete / etc.] Request”
  • Your identity: Name, email, other identifiers business uses (account number, customer ID)
  • California residency: State that you are California resident
  • Specific request: Clearly state which right(s) you’re exercising
  • Preferred format: How you want data delivered (email, portal, specific file format)
  • Verification: Offer to provide additional verification if needed
  • Deadline reference: Note that business has 45 days to respond (15 for opt-out)
Escalation Language for Non-Compliance

If business fails to respond or improperly denies request:

  • First follow-up (after 45 days): Cite specific CCPA section violated; request immediate compliance; note you’ll file AG complaint if no response
  • Second follow-up (after 60-70 days): State you’re filing complaint with CA Attorney General; provide deadline for cure
  • AG complaint: File at oag.ca.gov/contact/consumer-complaint-against-business-or-company
⚠️ No Private Lawsuit for Most Violations: You cannot sue for failure to honor Know/Delete/Correct requests. Enforcement is through CA AG. Only §1798.150 data breach cases allow private suits. Your leverage is AG complaint and public pressure.
Special Requests – Opt Out & Limit Sensitive PI

These have shorter timelines (15 days) and are usually handled via:

  • Business website link: “Do Not Sell or Share My Personal Information”
  • Global Privacy Control (GPC): Browser signal businesses must honor (CPRA requirement)
  • Direct email/letter: If no website link or you prefer written record
Business-Side Compliance (For Companies Receiving Requests)

If your business receives CCPA request:

  • Log immediately: Track receipt date (starts 45-day clock)
  • Verify identity: Use existing customer data to match requestor (don’t collect new PI just for verification)
  • Coordinate internally: Pull data from all systems (CRM, analytics, marketing platforms, databases)
  • Apply exemptions narrowly: Only withhold truly exempt data (employee records in limited contexts, B2B)
  • Document decision: If denying, provide specific exemption or explanation
  • Respond within deadline: 45 days (or 90 if you notified extension); 15 for opt-out
  • Don’t retaliate: No discrimination for exercising rights (§1798.125)
Sample CCPA/CPRA Request Letters
Sample 1: Right to Know (Access) Request

Subject: CCPA Right to Know Request – [Your Name]

[Date]

To: [Company Privacy Team / Email from Privacy Policy]

Dear [Company Name]:

I am a California resident exercising my rights under the California Consumer Privacy Act (CCPA), California Civil Code §1798.100 et seq. I hereby request access to my personal information pursuant to my Right to Know under CCPA §1798.100 and §1798.110.

MY IDENTIFYING INFORMATION:
Name: [Your Full Name]
Email: [Email associated with account]
Account Number / Customer ID: [If applicable]
Phone: [If applicable]
California Address: [Your CA address]

REQUEST: Please provide the following information for the preceding 12 months:

1. Categories of personal information you have collected about me (§1798.110(a)(1));
2. Categories of sources from which my personal information was collected (§1798.110(a)(2));
3. The business or commercial purpose for collecting or selling my personal information (§1798.110(a)(3));
4. Categories of third parties with whom you share my personal information (§1798.110(a)(4));
5. Specific pieces of personal information you have collected about me (§1798.110(a)(5)).

If you sell or share my personal information, I also request:

6. Categories of personal information sold or shared, by category of third party (§1798.115(a));
7. Categories of personal information disclosed for business purposes, by category of third party (§1798.115(a)(3)).

DELIVERY FORMAT: Please provide this information in a portable, readily usable format via email to [your email] or through a secure download link. I prefer [JSON / CSV / PDF / other specific format].

VERIFICATION: I am providing the following information to verify my identity: [List any additional info they might need – account details, last transaction date, etc.]. Please let me know if you need additional verification.

DEADLINE: Under CCPA §1798.130(a)(2), you must provide this information within 45 days of receipt of this request. If you require an extension, you must notify me within the initial 45-day period.

Please confirm receipt of this request and provide the requested information within the statutory timeframe.

Thank you,
[Your Name]
[Date]

Sample 2: Right to Delete Request

Subject: CCPA Right to Delete Request – [Your Name]

[Date]

To: [Company Privacy Team]

Dear [Company Name]:

I am a California resident exercising my Right to Deletion under California Civil Code §1798.105.

IDENTIFYING INFORMATION:
Name: [Your Name]
Email: [Email]
Account: [Account ID if applicable]
California Address: [Address]

REQUEST: I request that you delete all personal information you have collected from me, including but not limited to:

  • Account profile information (name, email, address, phone);
  • Transaction history and purchase records;
  • Browsing history, cookies, and tracking data;
  • Any other personal information as defined under CCPA.

I understand that you may retain personal information necessary for certain exempted purposes under §1798.105(d) (completing transactions, security, legal compliance, internal uses). For any information you claim is exempt from deletion, please provide specific explanation of the exemption.

THIRD-PARTY DELETION: To the extent you have disclosed my personal information to service providers or third parties, please direct them to delete my personal information as required by §1798.105(c).

DEADLINE: You must comply with this request within 45 days of receipt (§1798.105(c)). Please confirm when my data has been deleted.

VERIFICATION: [Provide verification information as in Sample 1]

Please confirm receipt and deletion within the statutory timeframe.

Sincerely,
[Your Name]
[Date]

Sample 3: Opt Out of Sale/Sharing

Subject: CCPA Opt Out of Sale and Sharing – [Your Name]

[Date]

To: [Company Privacy Team]

Dear [Company Name]:

I am a California resident exercising my right to opt out of the sale and sharing of my personal information under California Civil Code §§1798.120 and 1798.135.

IDENTIFYING INFORMATION:
Name: [Your Name]
Email: [Email]
Account: [Account ID]

REQUEST: I opt out of:

1. Sale of my personal information to third parties (§1798.120);
2. Sharing of my personal information for cross-context behavioral advertising (§1798.120).

Please immediately cease selling or sharing my personal information and ensure that no further sales or sharing occur.

DEADLINE: You must honor this request within 15 business days of receipt (§1798.135(a)(4)).

Please confirm compliance within the statutory timeframe and provide confirmation that my opt-out preference has been recorded in your systems.

Thank you,
[Your Name]
[Date]

Sample 4: Follow-Up for Non-Compliance

Subject: FOLLOW-UP – CCPA Request Non-Compliance – [Your Name]

[Date]

To: [Company Legal Department / Privacy Team]

Dear [Company Name]:

On [Date – 50+ days ago], I submitted a CCPA Right to Know request (copy attached). As of today, I have not received a response.

California Civil Code §1798.130(a)(2) requires you to respond to verifiable consumer requests within 45 days. You are now in violation of CCPA.

IMMEDIATE DEMAND: I demand that you comply with my original request within 10 business days. If you claimed an extension, you failed to notify me within the initial 45-day period as required by law.

CONSEQUENCES OF CONTINUED NON-COMPLIANCE: If you do not provide the requested information within 10 business days, I will:

1. File a formal complaint with the California Attorney General’s Office (Privacy Enforcement Section);
2. Report this violation to the California Privacy Protection Agency;
3. Post public review of your privacy violations on consumer review sites and social media;
4. [If applicable: Discontinue business relationship and advise others to do the same].

California Attorney General has enforcement authority under §1798.155 and can seek civil penalties of up to $7,500 per intentional violation.

Please respond immediately.

Sincerely,
[Your Name]
[Date]

cc: California Attorney General – Privacy Enforcement
[Attach original request]

Enforcement & Violations
CCPA Enforcement Mechanisms

| Violation Type | Who Enforces | Penalties |
|---|---|---|
| Most CCPA violations (failure to honor rights, improper disclosures, etc.) | CA Attorney General only | Up to $2,500 per violation; $7,500 per intentional violation |
| Data breach with unreasonable security (§1798.150) | Private lawsuit by consumers | $100–$750 per consumer per incident OR actual damages (whichever greater); attorney’s fees |
| CPRA violations (2023+) | CA Privacy Protection Agency + AG | Same penalties; CPPA has administrative enforcement powers |

Filing Complaint with California Attorney General

To report CCPA violations:

  • Online: oag.ca.gov/contact/consumer-complaint-against-business-or-company
  • Select category: “Privacy” or “Data Breach”
  • Provide details: Timeline of requests, business responses (or lack thereof), copies of correspondence
  • What AG can do: Investigate, demand compliance, seek civil penalties, injunctive relief
  • Realistic expectations: AG receives thousands of complaints; prioritizes systemic violations and high-profile cases
California Privacy Protection Agency (CPPA)

Created by CPRA (2020 ballot initiative), began enforcement 2023:

  • Mission: Dedicated privacy enforcement agency (first in US)
  • Powers: Rulemaking, investigations, administrative enforcement, civil penalties
  • Complaint portal: cppa.ca.gov (separate from AG complaints)
  • Regulations: CPPA issues detailed implementing regulations clarifying CCPA/CPRA
Common Violations & Red Flags
  • No response within 45 days: Clear violation of response timeline
  • Requiring unnecessary verification: Demanding info beyond what’s reasonably necessary
  • Charging fees: CCPA requests must be honored free of charge (with narrow exceptions for excessive requests)
  • Discriminatory treatment: Worse service, higher prices, denying services for exercising rights
  • Selling after opt-out: Continuing to sell/share PI after consumer opts out
  • No “Do Not Sell” link: Required on homepage if business sells/shares PI
  • Ignoring Global Privacy Control: CPRA requires honoring GPC browser signal as opt-out
💡 Document Everything: Keep copies of all requests, responses, and correspondence. Timestamped evidence strengthens AG complaints and demonstrates business patterns of non-compliance.
Class Actions for CCPA Violations

Private class actions limited but emerging:

  • §1798.150 only: Data breach with unreasonable security (see separate guide)
  • Other theories: Some plaintiffs assert breach of contract, unfair competition (Bus & Prof §17200) based on CCPA violations
  • Settlement pressure: Even without clear private right, businesses settle to avoid AG scrutiny and reputation harm
Attorney Services for CCPA/CPRA Matters
CCPA Rights Violation?

I assist consumers with CCPA/CPRA rights enforcement and businesses with compliance, response to requests, and defense against enforcement actions.

For Consumers
  • Draft and submit CCPA/CPRA rights requests (Know, Delete, Correct, Opt Out)
  • Escalate non-compliance issues and demand responses
  • File complaints with CA Attorney General and Privacy Protection Agency
  • Advise on §1798.150 data breach claims (separate private right of action)
  • Pursue unfair competition claims based on CCPA violations
  • Negotiate with businesses refusing to honor requests
For Businesses
  • CCPA/CPRA compliance audits and program implementation
  • Privacy policy drafting and updates
  • Consumer request intake and response processes
  • Verification procedures and exemption analysis
  • Respond to AG investigations and enforcement actions
  • Defend against consumer complaints and litigation
  • Data mapping and inventory for compliance
  • Vendor contract review for CCPA compliance (service provider agreements)
Why Legal Counsel Matters
Complex Compliance & Strategic Enforcement: For consumers, attorney guidance ensures requests are properly formatted and escalation is strategic. For businesses, CCPA compliance is complex (exemptions, verification, vendor coordination) and penalties are significant ($7,500 per intentional violation × thousands of consumers = millions in exposure).
Common CCPA Matters
  • Consumer requests ignored or improperly denied
  • Data breach §1798.150 claims (unreasonable security)
  • Discriminatory treatment after exercising rights
  • Business compliance program implementation
  • AG or CPPA investigation response
  • Class action defense (data breach or unfair competition theories)
  • Vendor/service provider agreement compliance
Schedule a Call

Book a call to discuss your CCPA/CPRA matter. I’ll review your rights request or compliance issue, assess violations, and recommend strategy for enforcement or defense.

Contact Information

Email: owner@terms.law

Frequently Asked Questions
Generally no. CCPA provides private right of action only for data breaches under §1798.150 (unreasonable security resulting in breach). For other violations (failure to honor Know/Delete/Correct requests, improper selling after opt-out), enforcement is exclusively through California Attorney General and Privacy Protection Agency. Your remedy is filing AG/CPPA complaint and public pressure. Some plaintiffs attempt unfair competition (Bus & Prof §17200) claims, but success is uncertain.
45 days for Right to Know, Delete, and Correct requests. Business can extend once for additional 45 days (90 days total) if reasonably necessary, but must notify you of extension within initial 45 days. For Opt Out of Sale/Share and Limit Sensitive PI requests, business must comply within 15 business days. These are hard deadlines; non-compliance is CCPA violation.
No, CCPA requests must be honored free of charge in almost all cases. Only exception: if your requests are “manifestly unfounded or excessive” (e.g., fourth Know request in 12 months), business can charge reasonable fee or refuse. But first two Know requests per year and all Delete/Correct/Opt-Out requests must be free. Any attempt to charge fees for standard requests violates CCPA.
CCPA applies only to California residents (including temporary residents/visitors while in CA). If you’re not a CA resident, CCPA doesn’t give you rights against CA businesses. However, check your own state—Virginia, Colorado, Connecticut, Utah, and others have similar privacy laws. Some businesses extend CCPA-like rights nationwide as matter of policy. Also, GDPR applies if you’re EU resident and business operates in EU.
