The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), gives California residents comprehensive control over their personal information. If you're a California resident, these laws grant you significant rights regardless of where the businesses collecting your data are located. Understanding CCPA helps you exercise meaningful control over your personal information.

CCPA was the first comprehensive state privacy law in the U.S. and remains among the strongest consumer privacy protections available.

Who CCPA Protects

CCPA protects California residents—people who are in California for other than a temporary purpose or who are domiciled in California but temporarily outside the state. If you live in California, CCPA rights apply to you regardless of where the business is located.

CCPA applies to businesses meeting certain thresholds: annual gross revenue over 5 million, buying/selling/sharing personal information of 100,000+ consumers annually, or deriving 50%+ of revenue from selling personal information.

Smaller businesses and certain nonprofit organizations may not be covered. But most companies with significant online presence meet the thresholds.

Your Right to Know

You can request that businesses disclose what personal information they've collected about you, where they got it, why they collected it, and who they've shared it with.

Businesses must provide the specific pieces of information collected about you upon request. This goes beyond general descriptions—you're entitled to your actual data.

Requests can be made twice per 12-month period. Businesses must respond within 45 days (extendable to 90 days with notice).

Your Right to Delete

You can request that businesses delete personal information they've collected from you. Upon receiving a valid request, businesses must delete your information and direct their service providers to do the same.

Exceptions exist for data needed to complete transactions, perform contracts, comply with legal obligations, detect security incidents, exercise free speech, and conduct research. Businesses can refuse deletion for these reasons but must explain why.

Deletion requests don't affect data collected before CCPA took effect in certain circumstances, and don't require deletion from archived backups in all cases.

Your Right to Opt Out of Sale/Sharing

You can direct businesses to stop selling or sharing your personal information. "Sale" under CCPA is broadly defined—it includes exchanging data for money or other valuable consideration.

Businesses that sell personal information must display a "Do Not Sell or Share My Personal Information" link on their website. Clicking this and following the process exercises your opt-out right.

CPRA expanded this to include "sharing" for cross-context behavioral advertising even without traditional sale. Targeted advertising based on your activity often involves "sharing" that you can opt out of.

Your Right to Non-Discrimination

Businesses cannot discriminate against you for exercising CCPA rights. They can't deny goods or services, charge different prices, or provide different quality because you exercised privacy rights.

However, businesses can offer financial incentives for allowing data collection. You can choose to participate in loyalty programs or discounts in exchange for data use—but participation must be voluntary.

How to Exercise CCPA Rights

Businesses must provide at least two methods for submitting requests—typically a web form and either email or toll-free phone number. Look for "Privacy" links on websites.

Businesses will verify your identity before fulfilling requests. They'll ask you to confirm information they already have about you. For sensitive requests, higher verification standards apply.

You can authorize someone else to submit requests on your behalf, but businesses may require proof of authorization.

Enforcement and Penalties

The California Attorney General enforces CCPA, with fines up to ,500 per intentional violation. The California Privacy Protection Agency (CPPA) now also has enforcement authority under CPRA.

Consumers have a private right of action for data breaches involving unencrypted or nonredacted personal information. You can sue for statutory damages of 00-50 per incident (or actual damages if higher).

For non-breach CCPA violations, you can file complaints with the Attorney General or CPPA but cannot sue directly.

Getting Legal Help

If a business fails to honor your CCPA rights or you've suffered harm from a data breach involving California consumer data, a privacy attorney can help you understand your options and pursue appropriate remedies. For data breaches, the private right of action and statutory damages make individual and class action lawsuits viable. Privacy law specialists help consumers hold companies accountable for violations.