Can I sue a business for not responding to my CCPA request?

Generally no. CCPA provides a private right of action only for data breaches under Section 1798.150 involving unreasonable security. For other violations like failure to honor Know, Delete, or Correct requests and improper selling after opt-out, enforcement is exclusively through the California Attorney General and Privacy Protection Agency. Your remedy is filing AG/CPPA complaints and applying public pressure. Some plaintiffs attempt unfair competition claims under Business and Professions Code Section 17200, but success is uncertain.

How long does a business have to respond to my CCPA request?

Businesses have 45 days for Right to Know, Delete, and Correct requests. They can extend once for an additional 45 days (90 days total) if reasonably necessary, but must notify you of the extension within the initial 45 days. For Opt Out of Sale/Share and Limit Sensitive Personal Information requests, businesses must comply within 15 business days. These are hard deadlines and non-compliance is a CCPA violation.

Can a business charge me for responding to my CCPA request?

No, CCPA requests must be honored free of charge in almost all cases. The only exception is if your requests are 'manifestly unfounded or excessive' such as a fourth Know request in 12 months, in which case the business can charge a reasonable fee or refuse. But the first two Know requests per year and all Delete, Correct, and Opt-Out requests must be free. Any attempt to charge fees for standard requests violates CCPA.

What if I'm not a California resident but the business operates in California?

CCPA applies only to California residents, including temporary residents and visitors while in California. If you're not a California resident, CCPA doesn't give you rights against California businesses. However, check your own state's laws as Virginia, Colorado, Connecticut, Utah, and others have similar privacy laws. Some businesses extend CCPA-like rights nationwide as a matter of policy, and GDPR applies if you're an EU resident.

What are my core privacy rights under CCPA and CPRA?

California residents have seven core rights: the Right to Know what personal information businesses collect, the Right to Delete your data, the Right to Correct inaccurate information (added by CPRA), the Right to Opt Out of data sales and sharing, the Right to Limit Use of Sensitive Personal Information (added by CPRA), the Right to Non-Discrimination for exercising rights, and the Right to Data Portability to receive your data in a usable format.

What should I do if a business refuses my CCPA request?

First, send a follow-up demand letter citing the specific CCPA section violated and requesting immediate compliance. Warn that you will file a complaint if there's no response. If still no compliance after 60-70 days, file formal complaints with the California Attorney General at oag.ca.gov and the California Privacy Protection Agency at cppa.ca.gov. The AG can seek civil penalties of up to $2,500 per violation or $7,500 per intentional violation.

CCPA/CPRA Privacy Rights Demand Letters | California Consumer Privacy Act

CCPA/CPRA Privacy Rights Demand Letters

California Consumer Privacy Act – Rights & Enforcement

CCPA/CPRA Consumer Rights Overview

📋 California Leadership: CCPA (effective 2020) and CPRA amendments (effective 2023) give California residents strong privacy rights. Similar laws exist in other states (Virginia, Colorado, Connecticut, etc.) but California's are most comprehensive.

Who Has Rights? Who Has Obligations?

Category	Definition
Consumers with rights	California residents (including temporary visitors)
Businesses with obligations	For-profit entities doing business in CA that meet thresholds: (1) $25M+ annual revenue, OR (2) Buy/sell/share PI of 100k+ consumers/households, OR (3) Derive 50%+ revenue from selling/sharing PI
Covered information	"Personal Information" – identifiers, commercial info, biometrics, internet activity, geolocation, inferences, sensitive PI (SSN, financial, health, precise geolocation, etc.)

Core Consumer Rights Under CCPA/CPRA

1. Right to Know / Access (§1798.100, §1798.110)

What categories of PI business collects about you
Specific pieces of PI business has collected
Sources of PI, purposes for collection/use, categories of third parties with whom shared
Business must respond within 45 days (one 45-day extension allowed)

2. Right to Delete (§1798.105)

Request deletion of PI business has collected from you
Exceptions: business can retain if needed for transaction completion, security, legal compliance, internal uses
Must be honored within 45 days (one extension allowed)

3. Right to Correct Inaccurate Information (§1798.106) [CPRA]

Request correction of inaccurate PI
Business must use commercially reasonable efforts to correct

4. Right to Opt Out of Sale/Sharing (§1798.120, §1798.135)

"Do Not Sell or Share My Personal Information" link required on homepage
Opt out of sale to third parties and sharing for cross-context behavioral advertising
Business must honor within 15 days

5. Right to Limit Use of Sensitive Personal Information (§1798.121) [CPRA]

Limit business's use/disclosure of sensitive PI (SSN, financial, precise geolocation, race/ethnicity, health, sexual orientation, etc.)
"Limit the Use of My Sensitive Personal Information" link required if applicable

6. Right to Non-Discrimination (§1798.125)

Business cannot discriminate (deny goods/services, charge different prices, provide different quality) for exercising CCPA rights
Exception: Can offer financial incentives for PI collection if reasonably related to value of PI

7. Right to Data Portability (§1798.100(d))

Receive PI in portable, readily usable format that allows transmission to another entity

⚠️ Limited Private Right of Action: Most CCPA violations can ONLY be enforced by California Attorney General. Private lawsuits limited to data breach cases under §1798.150 (covered in separate guide). For other violations, you can demand compliance and report to AG.

How to Exercise CCPA/CPRA Rights

Verification Requirements

Businesses must verify your identity before responding to requests:

Know/Delete requests: Two-factor verification (match 2–3 data points business already has, or sign in to account)
Sensitive PI or deletion: May require higher verification (3+ data points, signed declaration under penalty of perjury)
Authorized agents: Can submit on your behalf with power of attorney or signed permission

Business Response Timelines

Request Type	Response Deadline	Extension Allowed
Right to Know	45 days	+45 days if reasonably necessary (must notify consumer)
Right to Delete	45 days	+45 days
Right to Correct	45 days	+45 days
Opt Out of Sale/Share	15 business days	None
Limit Sensitive PI	15 business days	None

Where to Submit Requests

Business website: Most have "Do Not Sell/Share" and privacy request forms
Toll-free number: CCPA requires businesses with websites to provide toll-free number
Email: Send to privacy contact listed in privacy policy
Authorized service providers: Some companies use third-party privacy management platforms

💡 Frequency Limits: Right to Know requests limited to twice in 12-month period. Deletion, correction, opt-out have no frequency limits.

What Information You'll Receive

For Right to Know requests, business must provide:

Categories report: Categories of PI collected, sources, business purposes, third parties shared with
Specific pieces report: Actual data points (e.g., name, email, transaction history, browsing data)
Lookback period: Preceding 12 months
Format: Portable, readily usable format (typically PDF, JSON, CSV)

Common Business Refusals & How to Challenge

Refusal Reason	Is It Valid?	How to Respond
"We can't verify your identity"	Sometimes valid if you can't provide required data points	Provide additional verification info; ask what specific data points they need
"Your request is excessive or repetitive"	Valid if >2 Know requests in 12 months; otherwise questionable	Cite §1798.145(a)(4); challenge "excessive" determination; file AG complaint
"This information is exempt" (e.g., employee data, B2B)	Some exemptions exist but are narrow	Request explanation of specific exemption; seek non-exempt data
"We don't have this information"	Possibly true; business only provides what it actually collected	If you know they collected it, provide evidence; file AG complaint if false
"We need you to use our online form"	Invalid if you prefer phone/mail and provided required info	Cite §1798.130(a)(2); business must provide 2+ methods of submission

Drafting CCPA/CPRA Requests & Demands

Standard Request Letter Format

Your request should include:

Subject line: "CCPA/CPRA [Right to Know / Right to Delete / etc.] Request"
Your identity: Name, email, other identifiers business uses (account number, customer ID)
California residency: State that you are California resident
Specific request: Clearly state which right(s) you're exercising
Preferred format: How you want data delivered (email, portal, specific file format)
Verification: Offer to provide additional verification if needed
Deadline reference: Note that business has 45 days to respond (15 for opt-out)

Escalation Language for Non-Compliance

If business fails to respond or improperly denies request:

First follow-up (after 45 days): Cite specific CCPA section violated; request immediate compliance; note you'll file AG complaint if no response
Second follow-up (after 60-70 days): State you're filing complaint with CA Attorney General; provide deadline for cure
AG complaint: File at oag.ca.gov/contact/consumer-complaint-against-business-or-company

⚠️ No Private Lawsuit for Most Violations: You cannot sue for failure to honor Know/Delete/Correct requests. Enforcement is through CA AG. Only §1798.150 data breach cases allow private suits. Your leverage is AG complaint and public pressure.

Special Requests – Opt Out & Limit Sensitive PI

These have shorter timelines (15 days) and are usually handled via:

Business website link: "Do Not Sell or Share My Personal Information"
Global Privacy Control (GPC): Browser signal businesses must honor (CPRA requirement)
Direct email/letter: If no website link or you prefer written record

Business-Side Compliance (For Companies Receiving Requests)

If your business receives CCPA request:

Log immediately: Track receipt date (starts 45-day clock)
Verify identity: Use existing customer data to match requestor (don't collect new PI just for verification)
Coordinate internally: Pull data from all systems (CRM, analytics, marketing platforms, databases)
Apply exemptions narrowly: Only withhold truly exempt data (employee records in limited contexts, B2B)
Document decision: If denying, provide specific exemption or explanation
Respond within deadline: 45 days (or 90 if you notified extension); 15 for opt-out
Don't retaliate: No discrimination for exercising rights (§1798.125)

Sample CCPA/CPRA Request Letters

Sample 1: Right to Know (Access) Request

Subject: CCPA Right to Know Request – [Your Name] [Date] To: [Company Privacy Team / Email from Privacy Policy] Dear [Company Name]: I am a California resident exercising my rights under the California Consumer Privacy Act (CCPA), California Civil Code §1798.100 et seq. I hereby request access to my personal information pursuant to my Right to Know under CCPA §1798.100 and §1798.110. MY IDENTIFYING INFORMATION: Name: [Your Full Name] Email: [Email associated with account] Account Number / Customer ID: [If applicable] Phone: [If applicable] California Address: [Your CA address] REQUEST: Please provide the following information for the preceding 12 months: 1. Categories of personal information you have collected about me (§1798.110(a)(1)); 2. Categories of sources from which my personal information was collected (§1798.110(a)(2)); 3. The business or commercial purpose for collecting or selling my personal information (§1798.110(a)(3)); 4. Categories of third parties with whom you share my personal information (§1798.110(a)(4)); 5. Specific pieces of personal information you have collected about me (§1798.110(a)(5)). If you sell or share my personal information, I also request: 6. Categories of personal information sold or shared, by category of third party (§1798.115(a)); 7. Categories of personal information disclosed for business purposes, by category of third party (§1798.115(a)(3)). DELIVERY FORMAT: Please provide this information in a portable, readily usable format via email to [your email] or through a secure download link. I prefer [JSON / CSV / PDF / other specific format]. VERIFICATION: I am providing the following information to verify my identity: [List any additional info they might need - account details, last transaction date, etc.]. Please let me know if you need additional verification. DEADLINE: Under CCPA §1798.130(a)(2), you must provide this information within 45 days of receipt of this request. If you require an extension, you must notify me within the initial 45-day period. Please confirm receipt of this request and provide the requested information within the statutory timeframe. Thank you, [Your Name] [Date]

Sample 2: Right to Delete Request

Subject: CCPA Right to Delete Request – [Your Name] [Date] To: [Company Privacy Team] Dear [Company Name]: I am a California resident exercising my Right to Deletion under California Civil Code §1798.105. IDENTIFYING INFORMATION: Name: [Your Name] Email: [Email] Account: [Account ID if applicable] California Address: [Address] REQUEST: I request that you delete all personal information you have collected from me, including but not limited to: • Account profile information (name, email, address, phone); • Transaction history and purchase records; • Browsing history, cookies, and tracking data; • Any other personal information as defined under CCPA. I understand that you may retain personal information necessary for certain exempted purposes under §1798.105(d) (completing transactions, security, legal compliance, internal uses). For any information you claim is exempt from deletion, please provide specific explanation of the exemption. THIRD-PARTY DELETION: To the extent you have disclosed my personal information to service providers or third parties, please direct them to delete my personal information as required by §1798.105(c). DEADLINE: You must comply with this request within 45 days of receipt (§1798.105(c)). Please confirm when my data has been deleted. VERIFICATION: [Provide verification information as in Sample 1] Please confirm receipt and deletion within the statutory timeframe. Sincerely, [Your Name] [Date]

Sample 3: Opt Out of Sale/Sharing

Subject: CCPA Opt Out of Sale and Sharing – [Your Name] [Date] To: [Company Privacy Team] Dear [Company Name]: I am a California resident exercising my right to opt out of the sale and sharing of my personal information under California Civil Code §§1798.120 and 1798.135. IDENTIFYING INFORMATION: Name: [Your Name] Email: [Email] Account: [Account ID] REQUEST: I opt out of: 1. Sale of my personal information to third parties (§1798.120); 2. Sharing of my personal information for cross-context behavioral advertising (§1798.120). Please immediately cease selling or sharing my personal information and ensure that no further sales or sharing occur. DEADLINE: You must honor this request within 15 business days of receipt (§1798.135(a)(4)). Please confirm compliance within the statutory timeframe and provide confirmation that my opt-out preference has been recorded in your systems. Thank you, [Your Name] [Date]

Sample 4: Follow-Up for Non-Compliance

Subject: FOLLOW-UP – CCPA Request Non-Compliance – [Your Name] [Date] To: [Company Legal Department / Privacy Team] Dear [Company Name]: On [Date - 50+ days ago], I submitted a CCPA Right to Know request (copy attached). As of today, I have not received a response. California Civil Code §1798.130(a)(2) requires you to respond to verifiable consumer requests within 45 days. You are now in violation of CCPA. IMMEDIATE DEMAND: I demand that you comply with my original request within 10 business days. If you claimed an extension, you failed to notify me within the initial 45-day period as required by law. CONSEQUENCES OF CONTINUED NON-COMPLIANCE: If you do not provide the requested information within 10 business days, I will: 1. File a formal complaint with the California Attorney General's Office (Privacy Enforcement Section); 2. Report this violation to the California Privacy Protection Agency; 3. Post public review of your privacy violations on consumer review sites and social media; 4. [If applicable: Discontinue business relationship and advise others to do the same]. California Attorney General has enforcement authority under §1798.155 and can seek civil penalties of up to $7,500 per intentional violation. Please respond immediately. Sincerely, [Your Name] [Date] cc: California Attorney General - Privacy Enforcement [Attach original request]

Enforcement & Violations

CCPA Enforcement Mechanisms

Violation Type	Who Enforces	Penalties
Most CCPA violations (failure to honor rights, improper disclosures, etc.)	CA Attorney General only	Up to $2,500 per violation; $7,500 per intentional violation
Data breach with unreasonable security (§1798.150)	Private lawsuit by consumers	$100–$750 per consumer per incident OR actual damages (whichever greater); attorney's fees
CPRA violations (2023+)	CA Privacy Protection Agency + AG	Same penalties; CPPA has administrative enforcement powers

Filing Complaint with California Attorney General

To report CCPA violations:

Online: oag.ca.gov/contact/consumer-complaint-against-business-or-company
Select category: "Privacy" or "Data Breach"
Provide details: Timeline of requests, business responses (or lack thereof), copies of correspondence
What AG can do: Investigate, demand compliance, seek civil penalties, injunctive relief
Realistic expectations: AG receives thousands of complaints; prioritizes systemic violations and high-profile cases

California Privacy Protection Agency (CPPA)

Created by CPRA (2020 ballot initiative), began enforcement 2023:

Mission: Dedicated privacy enforcement agency (first in US)
Powers: Rulemaking, investigations, administrative enforcement, civil penalties
Complaint portal: cppa.ca.gov (separate from AG complaints)
Regulations: CPPA issues detailed implementing regulations clarifying CCPA/CPRA

Common Violations & Red Flags

No response within 45 days: Clear violation of response timeline
Requiring unnecessary verification: Demanding info beyond what's reasonably necessary
Charging fees: CCPA requests must be honored free of charge (with narrow exceptions for excessive requests)
Discriminatory treatment: Worse service, higher prices, denying services for exercising rights
Selling after opt-out: Continuing to sell/share PI after consumer opts out
No "Do Not Sell" link: Required on homepage if business sells/shares PI
Ignoring Global Privacy Control: CPRA requires honoring GPC browser signal as opt-out

💡 Document Everything: Keep copies of all requests, responses, and correspondence. Timestamped evidence strengthens AG complaints and demonstrates business patterns of non-compliance.

Class Actions for CCPA Violations

Private class actions limited but emerging:

§1798.150 only: Data breach with unreasonable security (see separate guide)
Other theories: Some plaintiffs assert breach of contract, unfair competition (Bus & Prof §17200) based on CCPA violations
Settlement pressure: Even without clear private right, businesses settle to avoid AG scrutiny and reputation harm

Attorney Services for CCPA/CPRA Matters

CCPA Rights Violation?

I assist consumers with CCPA/CPRA rights enforcement and businesses with compliance, response to requests, and defense against enforcement actions.

For Consumers

Draft and submit CCPA/CPRA rights requests (Know, Delete, Correct, Opt Out)
Escalate non-compliance issues and demand responses
File complaints with CA Attorney General and Privacy Protection Agency
Advise on §1798.150 data breach claims (separate private right of action)
Pursue unfair competition claims based on CCPA violations
Negotiate with businesses refusing to honor requests

For Businesses

CCPA/CPRA compliance audits and program implementation
Privacy policy drafting and updates
Consumer request intake and response processes
Verification procedures and exemption analysis
Respond to AG investigations and enforcement actions
Defend against consumer complaints and litigation
Data mapping and inventory for compliance
Vendor contract review for CCPA compliance (service provider agreements)

Why Legal Counsel Matters

Complex Compliance & Strategic Enforcement: For consumers, attorney guidance ensures requests are properly formatted and escalation is strategic. For businesses, CCPA compliance is complex (exemptions, verification, vendor coordination) and penalties are significant ($7,500 per intentional violation × thousands of consumers = millions in exposure).

Common CCPA Matters

Consumer requests ignored or improperly denied
Data breach §1798.150 claims (unreasonable security)
Discriminatory treatment after exercising rights
Business compliance program implementation
AG or CPPA investigation response
Class action defense (data breach or unfair competition theories)
Vendor/service provider agreement compliance

Schedule a Call

Book a call to discuss your CCPA/CPRA matter. I'll review your rights request or compliance issue, assess violations, and recommend strategy for enforcement or defense.

Contact Information

Email: owner@terms.law

Frequently Asked Questions

Generally no. CCPA provides private right of action only for data breaches under §1798.150 (unreasonable security resulting in breach). For other violations (failure to honor Know/Delete/Correct requests, improper selling after opt-out), enforcement is exclusively through California Attorney General and Privacy Protection Agency. Your remedy is filing AG/CPPA complaint and public pressure. Some plaintiffs attempt unfair competition (Bus & Prof §17200) claims, but success is uncertain.

45 days for Right to Know, Delete, and Correct requests. Business can extend once for additional 45 days (90 days total) if reasonably necessary, but must notify you of extension within initial 45 days. For Opt Out of Sale/Share and Limit Sensitive PI requests, business must comply within 15 business days. These are hard deadlines; non-compliance is CCPA violation.

No, CCPA requests must be honored free of charge in almost all cases. Only exception: if your requests are "manifestly unfounded or excessive" (e.g., fourth Know request in 12 months), business can charge reasonable fee or refuse. But first two Know requests per year and all Delete/Correct/Opt-Out requests must be free. Any attempt to charge fees for standard requests violates CCPA.

CCPA applies only to California residents (including temporary residents/visitors while in CA). If you're not a CA resident, CCPA doesn't give you rights against CA businesses. However, check your own state—Virginia, Colorado, Connecticut, Utah, and others have similar privacy laws. Some businesses extend CCPA-like rights nationwide as matter of policy. Also, GDPR applies if you're EU resident and business operates in EU.