What rights do I have under the CCPA?

Under the California Consumer Privacy Act (Civil Code 1798.100-199), California residents have: (1) Right to Know what personal information is collected and how it's used, (2) Right to Delete personal information held by businesses, (3) Right to Opt-Out of the sale or sharing of personal information, (4) Right to Correct inaccurate personal information, and (5) Right to Non-Discrimination for exercising privacy rights.

Which businesses must comply with the CCPA?

The CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least one threshold: (1) annual gross revenue over $25 million, (2) buy, sell, or share personal information of 100,000+ consumers or households annually, OR (3) derive 50% or more of annual revenue from selling or sharing personal information. Non-profits and government agencies are generally exempt.

How long does a business have to respond to my CCPA request?

Businesses must acknowledge receipt of your request within 10 business days and provide a substantive response within 45 calendar days. They may extend this by an additional 45 days (90 days total) if reasonably necessary, but must notify you of the extension and the reason within the initial 45-day period.

What can I do if a business ignores my CCPA request?

If a business fails to respond to your CCPA request, you have several options: (1) send a follow-up demand citing the specific violation, (2) file a complaint with the California Attorney General at oag.ca.gov, (3) for data breaches resulting from security failures, you may have a private right of action under Civil Code 1798.150 with statutory damages of $100-$750 per consumer per incident. The California Privacy Protection Agency (CPPA) also has enforcement authority under the CPRA amendments.

Can I sue a business for CCPA violations?

The private right of action under CCPA is limited to data breaches resulting from a business's failure to implement reasonable security measures (Civil Code 1798.150). For other CCPA violations (like failing to respond to requests), enforcement is primarily through the California Attorney General and California Privacy Protection Agency. However, you can file complaints that may result in civil penalties of $2,500-$7,500 per violation against the business.

What is the difference between CCPA and CPRA?

The California Privacy Rights Act (CPRA), effective January 1, 2023, amended and expanded the CCPA. Key additions include: Right to Correct inaccurate information, Right to Limit Use of Sensitive Personal Information, creation of the California Privacy Protection Agency (CPPA) for enforcement, extended requirements for service providers and contractors, and new categories of sensitive personal information with heightened protections.

CCPA Data Privacy Demand Letters | California Consumer Privacy Act Rights

CCPA Data Privacy Demand Letters

California Consumer Privacy Act - Civil Code 1798.100-199

Your California Privacy Rights

What is the CCPA? The California Consumer Privacy Act (Civil Code 1798.100-199), as amended by the California Privacy Rights Act (CPRA), gives California residents powerful rights over their personal information. You can demand to know what data companies collect about you, request deletion, and opt out of data sales.

Core CCPA/CPRA Consumer Rights

Right to Know (Civil Code 1798.100, 1798.110)

You have the right to request that a business disclose: (1) the categories of personal information collected, (2) the specific pieces of personal information collected about you, (3) the sources from which information was collected, (4) the business purposes for collecting or selling the information, and (5) the categories of third parties with whom the information is shared.

Right to Delete (Civil Code 1798.105)

You have the right to request deletion of personal information a business has collected from you. The business must delete your information and direct any service providers to do the same, subject to certain exceptions (legal obligations, security, completing transactions, etc.).

Right to Opt-Out of Sale/Sharing (Civil Code 1798.120)

You have the right to direct a business that sells or shares your personal information to stop doing so. Businesses must provide a "Do Not Sell or Share My Personal Information" link on their website. Once you opt out, they cannot sell your data for 12 months unless you authorize it.

Right to Correct (Civil Code 1798.106 - CPRA)

Added by CPRA, you can request that a business correct inaccurate personal information it maintains about you. The business must use commercially reasonable efforts to correct the information.

Right to Limit Sensitive Information Use (Civil Code 1798.121 - CPRA)

You can limit a business's use of sensitive personal information (SSN, financial accounts, precise geolocation, racial/ethnic origin, health data, etc.) to only what's necessary for providing goods/services.

Right to Non-Discrimination (Civil Code 1798.125)

Businesses cannot discriminate against you for exercising your CCPA rights. They cannot deny goods/services, charge different prices, or provide different quality based on your privacy choices.

Which Businesses Must Comply?

The CCPA applies to for-profit businesses that collect California residents' personal information AND meet at least ONE of these thresholds:

Threshold	Details
Revenue	Annual gross revenue exceeds $25 million
Data Volume	Annually buys, sells, or shares personal information of 100,000+ California consumers/households
Revenue from Data	Derives 50%+ of annual revenue from selling or sharing California consumers' personal information

Exemptions: Non-profits, government agencies, and businesses below all thresholds are generally exempt. Certain data types have partial exemptions: employee data, B2B contacts, data covered by other laws (HIPAA, GLBA, FCRA). However, most large consumer-facing businesses must comply.

Business Response Timeline

Action	Deadline
Acknowledge receipt of request	10 business days
Substantive response (fulfill request)	45 calendar days
Extension notice (if needed)	Within initial 45 days
Maximum response time with extension	90 calendar days total

CCPA Request Checklist

Prepare these items before sending your CCPA demand. Click to check off items as you complete them.

Verify Your Eligibility

✓ Confirm you are a California resident
✓ Verify the business meets CCPA thresholds (check company size, data practices)
✓ Confirm data isn't exempt (not employee data, not B2B contact info)
✓ Identify which rights you want to exercise

Identity Verification Info

✓ Email address associated with account
✓ Account username or customer ID
✓ Phone number on file
✓ Mailing address on file

Find Company Contact

✓ Locate privacy policy (usually in website footer)
✓ Find designated CCPA request method (email, form, toll-free number)
✓ Note Data Protection Officer or Privacy contact if listed
✓ Screenshot "Do Not Sell" link if present

Document Your Interactions

✓ Screenshot account pages showing your data
✓ Save copies of privacy policy
✓ Record date and method of initial request
✓ Set calendar reminder for 45-day deadline

Identity Verification: Businesses must verify your identity before fulfilling requests. They can only ask for information reasonably necessary to verify you are who you claim to be. They cannot require you to create an account to submit a request.

Types of Personal Information Covered

Category	Examples
Identifiers	Name, email, phone, address, SSN, driver's license, IP address, account names
Commercial Information	Purchase history, products considered, consuming tendencies
Internet Activity	Browsing history, search history, interactions with website/ads
Geolocation Data	Precise location, location history
Audio/Visual	Voice recordings, photos, videos
Professional/Employment	Job history, employer information (partial exemptions apply)
Education	Education records not covered by FERPA
Inferences	Profiles reflecting preferences, characteristics, behavior, attitudes
Sensitive (CPRA)	SSN, financial accounts, precise geolocation, race/ethnicity, health, biometrics, sexual orientation

CCPA Request Templates

Template 1: Right to Know Request

[Your Name] [Your Address] [City, State ZIP] [Your Email] [Your Phone] [Date] [Company Name] Privacy Department / CCPA Requests [Company Address or Email] Re: California Consumer Privacy Act - Right to Know Request Dear Privacy Team: Pursuant to the California Consumer Privacy Act, Civil Code Sections 1798.100 and 1798.110, I am exercising my right to know what personal information [Company Name] has collected about me. I am a California resident, and I request that you provide me with the following information: 1. The categories of personal information you have collected about me; 2. The specific pieces of personal information you have collected about me; 3. The categories of sources from which my personal information was collected; 4. The business or commercial purpose for collecting or selling my personal information; 5. The categories of third parties with whom you share my personal information; 6. If you sell or share my personal information, the categories of personal information sold or shared and the categories of third parties to whom it was sold or shared. VERIFICATION INFORMATION: To help verify my identity, I provide the following information associated with my account: - Email: [your email on file] - Account/Username: [if applicable] - Phone: [phone on file] - Address: [address on file] Please respond to this request at the email address provided above. Under Civil Code Section 1798.130, you must respond within 45 days of receiving this request. If you have questions about verifying my identity, please contact me at the email above. Please do not require me to create an account to verify my identity, as this is prohibited under the CCPA. Sincerely, [Your Signature] [Your Printed Name] [Date]

Template 2: Right to Delete Request

[Your Name] [Your Address] [City, State ZIP] [Your Email] [Your Phone] [Date] [Company Name] Privacy Department / CCPA Requests [Company Address or Email] Re: California Consumer Privacy Act - Right to Delete Request Dear Privacy Team: Pursuant to the California Consumer Privacy Act, Civil Code Section 1798.105, I am exercising my right to request deletion of my personal information. I am a California resident, and I request that [Company Name] delete all personal information collected from me and about me. Please also direct all service providers with whom you have shared my information to delete my data. SCOPE OF DELETION REQUEST: I request deletion of ALL categories of personal information you hold about me, including but not limited to: - Identifiers (name, email, phone, address, account information) - Commercial information (purchase history, preferences) - Internet activity (browsing history, search history, interactions) - Geolocation data - Inferences drawn from any of the above - Any other personal information collected VERIFICATION INFORMATION: To verify my identity: - Email: [your email on file] - Account/Username: [if applicable] - Phone: [phone on file] - Address: [address on file] I understand that certain information may be retained if necessary to: - Complete a transaction or provide a service I requested - Detect security incidents or protect against fraud - Comply with a legal obligation - Use internally in ways reasonably aligned with my expectations However, please delete all information not subject to these exceptions and confirm what, if any, information is retained and under which exception. Please respond within 45 days as required by Civil Code Section 1798.130. Sincerely, [Your Signature] [Your Printed Name] [Date]

Template 3: Right to Opt-Out of Sale/Sharing

[Your Name] [Your Address] [City, State ZIP] [Your Email] [Date] [Company Name] Privacy Department [Company Address or Email] Re: California Consumer Privacy Act - Opt-Out of Sale and Sharing of Personal Information Dear Privacy Team: Pursuant to the California Consumer Privacy Act, Civil Code Section 1798.120, I am exercising my right to opt out of the sale and sharing of my personal information. I am a California resident, and I direct [Company Name] to: 1. STOP SELLING my personal information to third parties; 2. STOP SHARING my personal information for cross-context behavioral advertising; 3. NOT sell or share my personal information in the future unless I provide express authorization. This opt-out applies to all categories of my personal information, including data collected through cookies, tracking technologies, data brokers, and any other means. VERIFICATION INFORMATION: - Email: [your email on file] - Account/Username: [if applicable] Under Civil Code Section 1798.120(d), you must wait at least 12 months before requesting that I authorize sale of my personal information again. Please confirm receipt of this opt-out request and your compliance within 15 business days. Sincerely, [Your Signature] [Your Printed Name] [Date]

Template 4: Follow-Up Demand (Non-Response)

[Your Name] [Your Address] [City, State ZIP] [Your Email] [Date] [Company Name] Privacy Department / Legal Department [Company Address or Email] Re: SECOND NOTICE - CCPA Request Violation - Original Request Dated [Date] Dear Privacy Team: On [original request date], I submitted a [Right to Know / Right to Delete / Opt-Out] request pursuant to the California Consumer Privacy Act. More than 45 days have passed, and I have not received a substantive response to my request. Under Civil Code Section 1798.130(a)(2), businesses must respond to consumer requests within 45 calendar days. Your failure to respond constitutes a violation of the CCPA. ORIGINAL REQUEST SUMMARY: - Request Type: [Right to Know / Delete / Opt-Out] - Date Submitted: [date] - Method: [email/form/mail] - [Attach or reference original request] DEMAND: 1. Immediately fulfill my original request; 2. Provide written explanation for the delay; 3. Confirm your compliance with CCPA requirements going forward. NOTICE OF ENFORCEMENT OPTIONS: If I do not receive a satisfactory response within 15 days of this letter, I intend to: 1. File a complaint with the California Attorney General's Office (oag.ca.gov/privacy); 2. File a complaint with the California Privacy Protection Agency (cppa.ca.gov); 3. Publicize your non-compliance with CCPA consumer rights. Under Civil Code Section 1798.155, the Attorney General may impose civil penalties of $2,500 per violation, or $7,500 per intentional violation. Each affected consumer and each day of non-compliance may constitute a separate violation. I expect your immediate attention to this matter. Sincerely, [Your Signature] [Your Printed Name] [Date] Enclosure: Copy of original CCPA request

Authorized Agent Requests: If you are submitting a request on behalf of another consumer as an authorized agent, you must provide: (1) written authorization signed by the consumer, (2) proof the agent is registered with the California Secretary of State (for businesses), OR (3) power of attorney. The business may also directly verify the consumer's identity.

CCPA Legal Framework

Key Statutory Provisions

Section	Subject	Key Requirements
1798.100	Right to Know (General)	Businesses must disclose data collection and use practices
1798.105	Right to Delete	Consumers can request deletion; business must comply within 45 days
1798.106	Right to Correct	Consumers can request correction of inaccurate information (CPRA)
1798.110	Right to Know (Specific)	Right to request specific pieces of personal information collected
1798.115	Disclosure of Sales	Right to know categories sold and to whom
1798.120	Right to Opt-Out	Right to direct business to stop selling/sharing personal information
1798.121	Limit Sensitive Info	Right to limit use of sensitive personal information (CPRA)
1798.125	Non-Discrimination	Cannot discriminate against consumers who exercise rights
1798.130	Business Obligations	Response timelines, verification, methods for requests
1798.150	Private Right of Action	Data breach lawsuits: $100-$750 per consumer per incident
1798.155	Administrative Enforcement	AG/CPPA penalties: $2,500-$7,500 per violation

Enforcement Mechanisms

Limited Private Right of Action: Under Civil Code 1798.150, consumers can only sue directly for data breaches resulting from a business's failure to implement reasonable security measures. For other CCPA violations (failure to respond to requests, unlawful sale of data, etc.), enforcement is through the California Attorney General and California Privacy Protection Agency.

Data Breach Private Right of Action (1798.150):

Applies to unauthorized access due to business's failure to implement reasonable security
Statutory damages: $100-$750 per consumer per incident, OR actual damages (whichever greater)
Must provide 30-day written notice before filing suit to allow business to cure (for injunctive relief only; damages claims proceed regardless)
Class actions are common for large breaches

Attorney General / CPPA Enforcement (1798.155, 1798.199.90):

Civil penalties: $2,500 per violation, $7,500 per intentional violation or violations involving minors
Each affected consumer may constitute separate violation
30-day cure period before AG action (eliminated for CPPA under CPRA)
File complaints at: oag.ca.gov/privacy and cppa.ca.gov

Exceptions to Deletion and Disclosure

Businesses may deny certain requests if the information is needed to:

Complete a transaction or provide a requested service
Detect security incidents, protect against fraud or illegal activity
Debug or identify errors that impair functionality
Exercise free speech or another legal right
Comply with the California Electronic Communications Privacy Act
Engage in research in the public interest (with consumer consent)
Enable solely internal uses reasonably aligned with consumer expectations
Comply with a legal obligation
Otherwise use information internally in a lawful manner compatible with the context of collection

CPRA Amendments (Effective Jan 1, 2023)

The California Privacy Rights Act (Proposition 24) strengthened and expanded the CCPA:

New Rights: Right to Correct, Right to Limit Sensitive Information Use
New Agency: California Privacy Protection Agency (CPPA) with independent enforcement authority
Sensitive Personal Information: New category with heightened protections (SSN, financial, health, biometrics, precise geolocation, etc.)
Extended Applicability: Now covers service providers and contractors more explicitly
No Cure Period for CPPA: CPPA can enforce without giving businesses 30-day cure period
Automated Decision-Making: Rights related to profiling and automated decisions

Data Broker Registration: Under Civil Code 1798.99.80 (separate from CCPA), data brokers must register with the California Attorney General. Consumers can request deletion from registered data brokers, and an "accessible deletion mechanism" requirement takes effect in 2026. Check the AG's data broker registry at oag.ca.gov/data-brokers.

Need Help with Privacy Rights?

Complex privacy disputes, data breach claims, or businesses refusing to comply with CCPA requests may benefit from legal counsel. Schedule a consultation to discuss your privacy rights and enforcement options.

Contact Information

Email: owner@terms.law

Frequently Asked Questions

A company must comply with CCPA if it's a for-profit business collecting California residents' personal information AND meets at least one threshold: $25M+ annual revenue, buys/sells/shares data of 100,000+ consumers annually, or derives 50%+ revenue from selling data. Most large consumer-facing companies meet these thresholds. When in doubt, submit your request - the company must inform you if they're exempt.

Generally, no. Businesses must provide the first two Right to Know requests within a 12-month period free of charge. They may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests, but must notify you first and justify the charge. They cannot charge for deletion or opt-out requests. If a company tries to charge for a standard request, cite Civil Code 1798.130(a)(1) and consider filing a complaint.

CCPA rights apply to California residents at the time of the request, not at the time of data collection. If you moved out of California, you may lose CCPA rights (though you might have rights under other state laws like Virginia's VCDPA or Colorado's CPA). Some companies voluntarily extend CCPA-like rights to all U.S. customers, so it's worth asking. Your residency is determined by your domicile, not just physical presence.

"Sale" under CCPA is broadly defined as selling, renting, releasing, disclosing, making available, or transferring personal information for monetary OR other valuable consideration. This includes many advertising arrangements where data is shared for ad targeting, even without direct payment. CPRA added "sharing" which covers cross-context behavioral advertising even without valuable consideration. Many companies now disclose that they "sell" or "share" data due to these broad definitions.

Yes, with limitations. A personal representative or executor of a deceased consumer's estate can exercise CCPA rights on behalf of the deceased. You'll need to provide documentation of your authority (e.g., letters of administration, death certificate). The request should identify you as the personal representative and include your authority documentation. Some businesses may have specific procedures for deceased consumer requests.

Deletion (1798.105) removes existing data the company holds about you. Opt-out (1798.120) stops future sale or sharing of your data but doesn't delete existing data. For comprehensive protection, do both: request deletion of existing data AND opt out of future sales. Note that after deletion, if you continue using the company's services, they may collect new data - but your opt-out should prevent them from selling it.