Your Privacy Rights Under CCPA
The CCPA grants California consumers seven fundamental privacy rights that businesses must honor. This guide walks you through each right, how to exercise it, and what to expect from businesses.
Understanding Your CCPA Rights
California consumers have the following rights under Civil Code Title 1.81.5:
- Right to Know What Information is Collected (§1798.110)
- Right to Access Personal Information (§1798.110)
- Right to Know What is Sold or Shared (§1798.115)
- Right to Delete Personal Information (§1798.105)
- Right to Correct Inaccurate Information (§1798.106)
- Right to Opt Out of Sale or Sharing (§1798.120)
- Right to Limit Use of Sensitive Personal Information (§1798.121)
- Right of No Retaliation (§1798.125)
Each right has specific procedures and limitations. The sections below explain how to exercise each right effectively.
Step 1: Right to Know What Information is Being Collected
Legal Basis: Section 1798.110
What This Right Covers
You have the right to request that a business disclose:
- The categories of personal information it has collected about you
- The categories of sources from which the information was collected
- The business or commercial purpose for collecting, selling, or sharing the information
- The categories of third parties to whom the business discloses personal information
- The specific pieces of personal information the business has collected about you
How Businesses Must Respond
When you submit a verifiable consumer request, a business must disclose:
- The categories and sources of personal information collected
- The purposes for collection
- Third parties who receive your information
- Specific data points collected about you (upon request)
Businesses may satisfy disclosure requirements for categories 1-4 (the first four items listed under "What This Right Covers" above) by directing you to their annual privacy disclosure (which they must publish pursuant to §1798.130(c)).
What to Expect
Businesses must respond to your request within 45 days, with a possible 45-day extension if reasonably necessary. They must deliver the information free of charge, in a portable and, to the extent technically feasible, readily usable format.
Next Step: To request specific data points, proceed to the Right to Access section below.
Step 2: Right to Access Personal Information
Legal Basis: Section 1798.110(a)(5)
What This Right Covers
Beyond learning what categories of data a business collects, you can request the specific pieces of personal information the business has collected about you. This is the most granular disclosure right under the CCPA.
How to Exercise This Right
- Submit a verifiable consumer request to the business
- Specify that you are requesting specific data points (not just categories)
- Provide sufficient identifying information to allow the business to verify your identity
Business Response Requirements
Upon verification, the business must disclose the actual data points—for example:
- Your name, email address, phone number
- Purchase history
- Browsing behavior records
- Geolocation data
- Inferences drawn about you
The business may deliver this information via a password-protected account or secure download link.
Next Step: If you discover your information has been sold or shared, proceed to the Right to Know What is Sold or Shared.
Step 3: Right to Know What is Sold or Shared
Legal Basis: Section 1798.115
What This Right Covers
If a business sells or shares your personal information (or discloses it for a business purpose), you have the right to know:
- The categories of personal information the business collected about you
- The categories of personal information the business sold or shared, and the categories of third parties to whom it was sold or shared
- The categories of personal information the business disclosed for a business purpose, and the categories of persons to whom it was disclosed
How Businesses Must Respond
Businesses must disclose:
- Whether they sell or share personal information (if not, they must affirmatively state they do not)
- Categories of personal information sold/shared, broken down by recipient category
- Categories of personal information disclosed for business purposes, broken down by recipient category
Annual Disclosure Requirement
Businesses that sell or share personal information must publish an annual disclosure listing:
- Categories of consumers' personal information sold or shared (or a statement that they do not sell/share)
- Categories of personal information disclosed for a business purpose (or a statement that they do not disclose)
You can find this information in a business's privacy policy or "Notice at Collection."
Third-Party Resale Prohibition
Section 1798.115(d) prohibits third parties from selling or sharing personal information they received from another business unless:
"the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out"
Next Step: If you want to stop the sale or sharing of your information, proceed to the Right to Opt Out.
Step 4: Right to Opt Out of Sale or Sharing
Legal Basis: Section 1798.120
What This Right Covers
You have the right to direct a business not to sell or share your personal information to third parties. This is often called the "right to opt out of sale or sharing."
How to Exercise This Right
- Look for a "Do Not Sell or Share My Personal Information" link on the business's homepage (required by §1798.135)
- Click the link and follow the opt-out process
- The business may not require you to create an account to opt out
- You may also use a browser or device signal (such as the Global Privacy Control) to opt out (§1798.136)
Special Protections for Minors
If you are under 16 years old:
- Businesses cannot sell or share your personal information unless:
  - You are 13-15 years old and affirmatively authorize the sale/sharing yourself, OR
  - You are under 13 and your parent or guardian affirmatively authorizes the sale/sharing
A business that willfully disregards a consumer's age is deemed to have had actual knowledge of the age.
Effect of Opting Out
Once you opt out:
- The business is prohibited from selling or sharing your personal information (§1798.120(d))
- This prohibition continues unless you later provide explicit consent to resume sale/sharing
- If a business acquires another business's assets (e.g., through merger or bankruptcy), the acquiring business must honor your opt-out direction (§1798.120(a)(2))
Waiting Period for Re-Requests
If you refuse to opt in to a financial incentive program, the business must wait at least 12 months before requesting opt-in consent again (§1798.125(b)(3)).
Next Step: If the business collects sensitive personal information about you, you may also want to limit its use—proceed to the Right to Limit Use of Sensitive Personal Information.
Step 5: Right to Limit Use of Sensitive Personal Information
Legal Basis: Section 1798.121
What This Right Covers
If a business collects sensitive personal information (e.g., Social Security number, precise geolocation, health data, financial account credentials), you can direct the business to limit its use to:
- Uses necessary to perform services or provide goods you reasonably expect
- Uses necessary to perform certain enumerated services (security, debugging, short-term transient use, quality control)
- Uses authorized by CPPA regulations
Sensitive personal information is defined in §1798.140(ae) and includes 11 specific categories (see /key-definitions/personal-information).
How to Exercise This Right
- Look for a "Limit the Use of My Sensitive Personal Information" link on the business's homepage (required if the business uses sensitive PI for purposes beyond those in §1798.121(a))
- Click the link and submit your request
- The business may not require you to create an account to submit the request
Business Response Requirements
Once a business receives your direction:
- It is prohibited from using or disclosing your sensitive personal information for any purpose other than those specified in §1798.121(a)
- This prohibition continues unless you later provide consent for additional uses
- Service providers and contractors working with the business must also limit their use of your sensitive personal information (§1798.121(c))
Exception: Inference Purposes
Sensitive personal information collected or processed without the purpose of inferring characteristics about you is not subject to this limitation right. Such information is treated as regular personal information for all other CCPA purposes (§1798.121(d)).
Next Step: If you discover inaccurate information about yourself, proceed to the Right to Correct.
Step 6: Right to Correct Inaccurate Personal Information
Legal Basis: Section 1798.106 (as amended by Stats. 2024, Ch. 121, effective January 1, 2025)
What This Right Covers
You have the right to request that a business correct inaccurate personal information it maintains about you. The business must take into account:
- The nature of the personal information
- The purposes for which the information is processed
How to Exercise This Right
- Submit a verifiable consumer request to the business
- Identify the specific inaccurate information
- Provide the correct information
- Include sufficient detail to allow the business to verify your identity
Business Response Requirements
The business must:
- Use commercially reasonable efforts to correct the inaccurate information as you direct
- Comply with correction procedures established by CPPA regulations (§1798.185(a)(7))
- Respond within the timeframes required by §1798.130
Businesses are not required to correct information if doing so would be impossible or involve disproportionate effort, though such exceptions are narrow.
Next Step: If you want the business to delete your information entirely, proceed to the Right to Delete.
Step 7: Right to Delete Personal Information
Legal Basis: Section 1798.105
What This Right Covers
You have the right to request that a business delete any personal information it has collected from you.
How to Exercise This Right
- Submit a verifiable consumer request to the business
- Specify that you are requesting deletion
- The business must verify your identity before complying
Business Response Requirements
When a business receives a verified deletion request, it must:
- Delete the information from its own records
- Notify service providers and contractors to delete the information from their records
- Notify third parties to whom the business sold or shared the information to delete it (unless this is impossible or involves disproportionate effort)
The business may maintain a confidential record of deletion requests solely to prevent re-collection of the same information or for compliance purposes (§1798.105(c)(2)).
Exceptions to Deletion
A business is not required to delete your information if it is reasonably necessary to:
- Complete a transaction or fulfill a contract with you
- Ensure security and integrity (to the extent reasonably necessary)
- Debug to identify and repair errors
- Exercise free speech or ensure another consumer's free speech rights
- Comply with the California Electronic Communications Privacy Act (Penal Code §1546 et seq.)
- Engage in public or peer-reviewed scientific, historical, or statistical research (with informed consent, if deletion would render research impossible)
- Enable internal uses reasonably aligned with consumer expectations
- Comply with a legal obligation
These exceptions are narrowly construed to protect consumer privacy while allowing legitimate business needs.
Service Provider and Contractor Obligations
Service providers and contractors must:
- Cooperate with the business in responding to deletion requests
- Delete information at the direction of the business
- Notify their own service providers or contractors to delete the information
- Notify third parties who accessed the information (unless accessed at the business's direction)
Service providers are not required to respond to deletion requests submitted directly by consumers—only those transmitted through the business they serve (§1798.105(c)(3)).
Next Step: After exercising your rights, understand your protection against retaliation—proceed to the Right of No Retaliation.
Step 8: Right of No Retaliation
Legal Basis: Section 1798.125
What This Right Covers
Businesses are prohibited from discriminating against you for exercising any CCPA rights. Discrimination includes:
- Denying goods or services to you
- Charging different prices or rates, including through discounts, benefits, or penalties
- Providing a different level or quality of goods or services
- Suggesting that you will receive different treatment
- Retaliating against employees, job applicants, or independent contractors for exercising CCPA rights
Permitted Practices
Businesses may offer different prices or service levels if the difference is reasonably related to the value provided by your data (§1798.125(a)(2)).
Businesses may also offer:
- Loyalty programs
- Rewards programs
- Premium features
- Discounts
- Club card programs
These programs are permitted as long as they comply with CCPA requirements (§1798.125(a)(3)).
Financial Incentives
Businesses may offer financial incentives (including payments) for:
- Collection of personal information
- Sale or sharing of personal information
- Retention of personal information
However, businesses must:
- Notify consumers of the financial incentive terms (§1798.125(b)(2))
- Obtain prior opt-in consent that clearly describes material terms (§1798.125(b)(3))
- Allow consumers to revoke consent at any time
- Wait at least 12 months before re-requesting opt-in consent after a consumer refuses
- Avoid financial incentives that are unjust, unreasonable, coercive, or usurious (§1798.125(b)(4))
What to Do If You Experience Retaliation
If a business discriminates against you for exercising your CCPA rights:
- Document the discriminatory conduct
- File a complaint with the California Privacy Protection Agency (see /cppa-oversight/agency-structure)
- Consider consulting an attorney, as the CCPA provides for administrative penalties and potential civil remedies
Verifiable Consumer Requests: What You Need to Know
To exercise most CCPA rights, you must submit a verifiable consumer request. Businesses use verification to confirm your identity and protect against fraudulent requests.
Verification Requirements
Businesses may require you to:
- Provide identifying information (name, email, account number)
- Match information you provide with information the business already has
- Complete multi-factor authentication if you have an account
- Provide a signed declaration under penalty of perjury (for highly sensitive requests)
The level of verification must correspond to the sensitivity of the information requested and the risk of harm from fraudulent requests.
Authorized Agents
You may designate an authorized agent to submit requests on your behalf. The business may require:
- Written proof that the agent is authorized to act on your behalf
- Verification of your own identity (even when using an agent)
- Direct confirmation from you that you authorized the agent
Response Timeframes
Businesses must respond to verifiable consumer requests within:
- 45 days of receipt
- An additional 45 days if reasonably necessary (with notice to you)
Businesses must deliver information free of charge and in a portable, readily usable format (to the extent technically feasible).
Summary: Your CCPA Rights Workflow
1. Right to Know (Categories) [§1798.110]
↓
2. Right to Access (Specific Data) [§1798.110(a)(5)]
↓
3. Right to Know (Sales/Sharing) [§1798.115]
↓
4. Right to Opt Out (Sale/Sharing) [§1798.120]
↓
5. Right to Limit Use (Sensitive PI) [§1798.121]
↓
6. Right to Correct (Inaccurate Data) [§1798.106]
↓
7. Right to Delete [§1798.105]
↓
8. Right of No Retaliation [§1798.125]
You may exercise these rights in any order or combination. Businesses must provide at least two methods for submitting requests, including a toll-free phone number and, if the business operates a website, a web form.
For businesses implementing these requirements, see /implementing-ccpa-compliance/opt-out-mechanisms. For enforcement details, see /enforcement-and-penalties/penalties-and-damages.