- California Consumer Privacy Act (CCPA)
Updated on March 13, 2024
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new additional privacy protections that began on January 1, 2023. As of January 1, 2023, consumers have new rights in addition to those above, such as:
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit the use and disclosure of sensitive personal information collected about them.
Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.
CPRA amends the CCPA; it does not create a separate, new law. As a result, our office typically refers to the law as “CCPA” or “CCPA, as amended.”
Links to Topics
- A. GENERAL INFORMATION ABOUT THE CCPA
- B. RIGHT TO OPT-OUT OF SALE OR SHARING
- C. REQUESTS TO KNOW
- D. REQUESTS TO DELETE
- E. REQUESTS TO CORRECT
- F. REQUESTS TO LIMIT USE OF PERSONAL INFORMATION
- G. RIGHT TO NON-DISCRIMINATION
- H. REQUIRED NOTICES
- I. DATA BROKERS AND THE CCPA
- Other Consumer Resources on CCPA
Frequently Asked Questions (FAQs)
These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA. They are not legal advice, regulatory guidance, or an opinion of the Attorney General. We will update this information periodically.
A. GENERAL INFORMATION ABOUT THE CCPA
1. What rights do I have under the CCPA?
If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information, to direct businesses not to sell or share your personal information, to correct inaccurate information that they have about you, and to limit businesses’ use and disclosure of your sensitive personal information:
- Right to know: You can request that a business disclose to you: (1) the categories and/or specific pieces of personal information they have collected about you, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties. You can make a request to know up to twice a year, free of charge.
- Right to delete: You can request that businesses delete personal information they collected from you and tell their service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
- Right to opt-out of sale or sharing: You may request that businesses stop selling or sharing your personal information (“opt-out”), including via a user-enabled global privacy control. Businesses cannot sell or share your personal information after they receive your opt-out request unless you later authorize them to do so again.
- Right to correct: You may ask businesses to correct inaccurate information that they have about you.
- Right to limit use and disclosure of sensitive personal information: You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.
You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.
2. What if I am not a California resident?
3. What is considered personal information and sensitive personal information under the CCPA?
4. What is not considered personal information under the CCPA?
5. What businesses does the CCPA apply to?
6. Does the CCPA apply to nonprofits or government agencies?
7. What can I do if I think a business violated the CCPA?
8. What kind of data breach can I sue a business for under the CCPA?
9. Do businesses need to comply with the statutory CPRA amendments to the CCPA that went into effect on January 1, 2023?
10. Are there any CCPA regulations currently in effect?
11. Are the statutory exemptions for employee data and business-to-business transactions still in effect?
12. Can I use an authorized agent to submit a request?
B. RIGHT TO OPT-OUT OF SALE OR SHARING
1. What is the right to opt-out?
You may request that businesses stop selling or sharing your personal information (“opt-out”). Note that sharing refers specifically to sharing for cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.
2. Can businesses sell a child’s personal information?
3. How do I submit my opt-out request?
4. How long does the business have to respond to my opt-out request?
5. Why is the business asking me for more information?
6. Why did the business deny my opt-out request?
7. Why did I get a response that the business is a service provider that does not have to act on my request?
8. What is the GPC?
9. How do I submit my opt-out request using the GPC?
C. REQUESTS TO KNOW
1. What is the right to know?
You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose:
- The categories of personal information collected
- Specific pieces of personal information collected
- The categories of sources from which the business collected personal information
- The purposes for which the business uses the personal information
- The categories of third parties with whom the business shares the personal information
- The categories of information that the business sells or discloses to third parties
Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge.
2. How do I submit my request to know?
3. How long does the business have to respond to my request to know?
4. Why is the business asking me for more information?
5. Why did the business deny my request to know?
6. Why did I get a response that the business is a service provider that does not have to act on my request?
D. REQUESTS TO DELETE
1. What is my right to delete personal information?
You may request that businesses delete personal information they collected from you and to tell their service providers to do the same. However, there are many exceptions (see FAQ D.5) that allow businesses to keep your personal information.
2. How do I submit my right to delete?
3. How long does the business have to respond to my request to delete?
4. Why is the business asking me for more information?
5. Why did the business deny my request to delete?
6. Why did I get a response that the business is a service provider that does not have to act on my request?
7. Why is a debt collector still calling me about my debt even though I asked it to delete my information?
8. Why is a credit reporting agency still giving out my credit information even though I asked it to delete my information?
E. REQUESTS TO CORRECT (RIGHT TO CORRECT)
1. What is the right to correct?
You may ask businesses to correct inaccurate information that they have about you.
The California Privacy Protection Agency is currently engaged in a formal rulemaking process and has proposed CCPA regulations pertaining to the right to correct, but these are not currently final or effective.
2. How do I submit my request to correct?
3. How long does the business have to respond to my request to correct?
4. Why is the business asking me for more information?
5. Why did the business deny my request to correct?
F. REQUESTS TO LIMIT USE OF PERSONAL INFORMATION (RIGHT TO LIMIT)
1. What is the right to limit?
You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.
The California Privacy Protection Agency is currently engaged in a formal rulemaking process and has proposed CCPA regulations pertaining to the right to limit, but these are not currently final or effective.
G. RIGHT TO NON-DISCRIMINATION
Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.
However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.
Businesses can also offer you promotions, discounts and other deals in exchange for collecting, keeping, or selling your personal information. But they can only do this if the financial incentive offered is reasonably related to the value of your personal information. If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.
H. REQUIRED NOTICES
1. What is a notice at collection?
The CCPA requires businesses to give consumers certain information in a “notice at collection.” A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. (To find out how you can learn what specific information a business has collected about you, see the Right to Know section.) If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell or Share link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.
2. Where can I find a business’s notice at collection?
3. What is a privacy policy?
4. Where can I find a business’s privacy policy?
I. DATA BROKERS AND THE CCPA
1. What is a data broker?
Another California law, Civil Code section 1798.99.80, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This law exempts certain businesses that are regulated by other laws from this definition. Exempted businesses include consumer reporting agencies (commonly known as credit bureaus) and certain financial institutions and insurance companies.
Data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker analyzes and packages the data for sale to other businesses.
2. How can I find data brokers that collect and sell my personal information?
3. How can I stop a data broker from selling my personal information?
Other Consumer Resources on CCPA
California Privacy Protection Agency’s FAQ on the CCPA