CCPA Rights FAQ

California Consumer Privacy Act Rights and Protections

What is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA), codified in California Civil Code Sections 1798.100-1798.199.100, is a comprehensive privacy law that grants California residents significant rights over their personal information. Effective January 1, 2020, and amended by the California Privacy Rights Act (CPRA) in 2023, the CCPA regulates how businesses collect, use, share, and sell the personal information of California consumers.

The law applies to for-profit businesses that do business in California and meet certain thresholds: annual gross revenues exceeding 25 million dollars, buying or selling the personal information of 100,000 or more California residents, households, or devices annually, or deriving 50 percent or more of annual revenues from selling or sharing California residents' personal information.

The CCPA gives consumers the right to know what personal information businesses collect about them, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate information, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising these rights.

Legal Reference: California Civil Code Sections 1798.100-1798.199.100
What rights do I have under the CCPA as a California consumer?

As a California consumer, the CCPA grants you several important privacy rights. First, the right to know allows you to request that a business disclose what personal information it has collected about you, the sources of that information, the purposes for collection, the categories of third parties with whom the information is shared, and the specific pieces of personal information collected.

Second, the right to delete allows you to request that a business delete personal information it has collected from you, subject to certain exceptions. Third, the right to opt out allows you to direct businesses not to sell or share your personal information with third parties. Fourth, the right to correct allows you to request that businesses correct inaccurate personal information they maintain about you.

Fifth, the right to limit use of sensitive personal information allows you to direct businesses to limit their use of sensitive information such as Social Security numbers, precise geolocation, or health information. Sixth, the right to non-discrimination protects you from being penalized for exercising your privacy rights through denial of goods or services, different prices, or different quality of service.

Legal Reference: California Civil Code Sections 1798.100, 1798.105, 1798.106, 1798.120, 1798.121, 1798.125
How do I submit a CCPA request to a business?

To submit a CCPA request to a business, you should follow the methods the business has designated for receiving requests. Under California Civil Code Section 1798.130, businesses must provide at least two methods for consumers to submit requests, including a toll-free telephone number and, if the business has a website, a website address. Many businesses also provide online forms, email addresses, or physical mail addresses for CCPA requests.

When submitting a request, you should clearly state what type of request you are making, such as access, deletion, or opt-out. Provide information to help the business verify your identity, such as your name, email address, account information, or other details the business may use to identify you. Be specific about what you are requesting. Keep records of your request including dates and method of submission.

The business must acknowledge receipt of your request within 10 business days and respond substantively within 45 days, with the possibility of a 45-day extension if reasonably necessary. For opt-out requests, businesses must comply within 15 business days. Businesses cannot require you to create an account to submit a request, and they cannot charge fees for processing most requests.

Legal Reference: California Civil Code Section 1798.130
What is considered personal information under the CCPA?

The CCPA defines personal information very broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. California Civil Code Section 1798.140(v) provides numerous examples of personal information including identifiers such as name, alias, postal address, email address, Social Security number, driver's license number, passport number, and online identifiers; commercial information such as records of purchases, products or services obtained, and purchasing histories; biometric information; internet or network activity information including browsing history, search history, and information regarding interactions with websites or applications; geolocation data; audio, electronic, visual, thermal, olfactory, or similar information; professional or employment-related information; education information; and inferences drawn from any of the above to create a profile about a consumer.

The CCPA also recognizes a special category of sensitive personal information that receives additional protections, including Social Security numbers, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data, health information, and sexual orientation.

Legal Reference: California Civil Code Section 1798.140(v)
What does it mean to opt out of the sale or sharing of personal information?

Opting out of the sale or sharing of personal information under the CCPA means directing a business not to sell or share your personal information with third parties. Under California Civil Code Section 1798.120, consumers have the right to opt out, and businesses must respect this choice. The CCPA defines "sale" broadly to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information for monetary or other valuable consideration. "Sharing" refers to making personal information available to third parties for cross-context behavioral advertising purposes.

When you opt out, the business must stop selling or sharing your personal information within 15 business days. Businesses that sell or share personal information must display a clear and conspicuous link on their homepage titled "Do Not Sell or Share My Personal Information" and must honor opt-out preference signals such as the Global Privacy Control.

Opting out does not prevent businesses from sharing information with service providers who process data on the business's behalf under contract, sharing information necessary to complete transactions you have requested, or continuing to use information for internal purposes.

Legal Reference: California Civil Code Section 1798.120
How long does a business have to respond to my CCPA request?

Under the CCPA, businesses have specific deadlines for responding to consumer requests. For requests to know or requests to delete, the business must acknowledge receipt within 10 business days, informing you how the request will be processed and providing information about the verification process. The business must then provide a substantive response within 45 calendar days from receipt of the verifiable request. If reasonably necessary, the business may extend this period by an additional 45 days, but must notify you of the extension and the reason within the initial 45-day period.

For opt-out requests, businesses must comply within 15 business days of receiving the request. They must also notify any service providers or third parties who received your information that you have opted out and direct them to comply.

For requests to correct inaccurate information, the timeline mirrors the request to know, with a 45-day response period and possible 45-day extension. Businesses cannot charge a fee for processing requests unless the requests are manifestly unfounded or excessive. If you believe a business has not responded appropriately, you can file a complaint with the California Attorney General or the California Privacy Protection Agency.

Legal Reference: California Civil Code Section 1798.130
What are the exceptions to the right to delete under the CCPA?

While the CCPA provides consumers with the right to request deletion of their personal information, California Civil Code Section 1798.105 includes several exceptions allowing businesses to retain information in certain circumstances. A business may deny a deletion request if the information is necessary to complete a transaction or provide a service you requested, detect security incidents or protect against malicious or illegal activity, debug to identify and repair errors, exercise free speech or ensure another consumer's right to free speech, comply with the California Electronic Communications Privacy Act, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to applicable ethics and privacy laws, enable solely internal uses reasonably aligned with consumer expectations based on the consumer's relationship with the business, or comply with a legal obligation.

Additionally, information may be retained if necessary to make other internal and lawful uses of the information that are compatible with the context in which you provided it. When a business denies a deletion request based on an exception, it must inform you of the specific exception that applies.

Legal Reference: California Civil Code Section 1798.105(d)
Can I sue a business for violating my CCPA rights?

Private lawsuits under the CCPA are limited to specific circumstances involving data breaches. California Civil Code Section 1798.150 provides consumers with a private right of action only when their nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures. In such cases, consumers may recover statutory damages of 100 to 750 dollars per consumer per incident or actual damages, whichever is greater, injunctive or declaratory relief, and any other relief the court deems proper.

Before filing suit for statutory damages, you must provide the business with 30 days' written notice identifying the specific CCPA provisions violated and give the business an opportunity to cure. If the business cures and provides a written statement that the violations have been cured and no further violations will occur, no suit for statutory damages may be filed.

For violations of other CCPA provisions not involving data breaches, enforcement is through the California Attorney General or the California Privacy Protection Agency, not private lawsuits. You can file complaints with these agencies, and they may seek civil penalties of up to 2,500 dollars per violation or 7,500 dollars per intentional violation.

Legal Reference: California Civil Code Section 1798.150
How does the CCPA protect against discrimination for exercising privacy rights?

The CCPA includes strong anti-discrimination protections for consumers who exercise their privacy rights. California Civil Code Section 1798.125 prohibits businesses from discriminating against consumers for exercising their CCPA rights. Specifically, businesses cannot deny goods or services to consumers who exercise their rights, charge different prices or rates for goods or services, provide a different level or quality of goods or services, or suggest that exercising rights will result in different prices, rates, or quality.

However, the law does allow businesses to offer financial incentives for the collection, sale, or deletion of personal information, and to charge different prices or provide different services if the difference is reasonably related to the value provided by the consumer's data. For example, a business might offer a loyalty program that provides discounts in exchange for allowing the business to collect and use data about purchases.

These programs must be voluntary, and businesses must clearly disclose the material terms and obtain the consumer's opt-in consent. The consumer must be able to revoke consent at any time. Businesses cannot use financial incentives that are unjust, unreasonable, coercive, or usurious in nature.

Legal Reference: California Civil Code Section 1798.125
What should I do if a business does not respond to my CCPA request?

If a business does not respond to your CCPA request within the required timeframes, you have several options for escalation. First, follow up directly with the business. Sometimes requests are missed or delayed, and a follow-up communication may prompt a response. Document your original request and your follow-up attempts, including dates and methods of communication.

Second, submit a complaint to the California Privacy Protection Agency (CPPA), which is the state agency responsible for enforcing the CCPA. The CPPA investigates complaints and can take enforcement action against businesses that violate the law. You can file a complaint on the CPPA's website. Third, file a complaint with the California Attorney General's Office, which also has authority to enforce the CCPA. The Attorney General can seek civil penalties against businesses that violate the law.

Fourth, if your complaint involves a data breach resulting from the business's failure to maintain reasonable security, you may have grounds for a private lawsuit under California Civil Code Section 1798.150 after providing the required notice. Fifth, consider consulting with a privacy attorney who can advise on your specific situation and potential legal remedies. Documentation is important throughout this process, so keep records of all requests, responses, and follow-up communications.

Legal Reference: California Civil Code Section 1798.155