Understanding Your CCPA Rights

What Is the CCPA?

The California Consumer Privacy Act (CCPA) is a data privacy law that took effect in 2020 and was expanded by the California Privacy Rights Act (CPRA) in 2023. It applies to for-profit businesses that meet certain thresholds and collect personal information from California residents.

According to the California Attorney General's office, covered businesses must have either:

• Gross annual revenue exceeding $25.625 million (as of January 2025)
• Buy, sell, or share personal information of 100,000 or more California residents or households
• Derive 50% or more of annual revenue from selling or sharing personal information

Your Six Core Rights Under the CCPA

The California Privacy Protection Agency (CalPrivacy) summarizes consumer rights with the acronym KEDSOL:

K – Right to Know

You can request that a business disclose:

• The categories and specific pieces of personal information they've collected about you
• The sources of that information (including whether data came from data brokers)
• The purposes for which the information is used
• The categories of third parties with whom the information is shared
• The categories of information sold or disclosed to third parties

You can make a request to know up to twice per year, free of charge.

E – Right to Equal Treatment

Businesses cannot discriminate against you for exercising your CCPA rights. They cannot deny services, charge different prices, or provide a different quality of service because you opted out of data sales.

D – Right to Delete

You can request that businesses delete personal information they collected from you and instruct their service providers to do the same. Businesses must comply within 45 days, with a possible 45-day extension for complex requests.

Some exemptions apply—businesses can retain information needed to:

• Complete transactions
• Comply with legal obligations
• Exercise legal claims or rights
• Detect security incidents

S – Right to Opt-Out of Sale or Sharing

You can direct businesses to stop selling or sharing your personal information. Businesses must honor opt-out preference signals from your browser or device. Look for "Do Not Sell or Share My Personal Information" links on websites.

O – Right to Opt-Out of Automated Decision-Making

New regulations effective January 2026 establish your right to access information about and opt out of businesses' use of automated decision-making technology (ADMT) that significantly affects you.

L – Right to Limit Use of Sensitive Information

You can limit how businesses use sensitive personal information, including:

• Social Security number
• Financial account information
• Precise geolocation
• Racial or ethnic origin
• Religious beliefs
• Health information
• Sexual orientation

How to Exercise Your Rights

Step 1: Find the Privacy Policy

Every covered business must post a privacy policy that includes information about consumer rights and how to exercise them. Look for links labeled "Privacy," "California Privacy Rights," or "Your Privacy Choices" at the bottom of websites.

Step 2: Submit Your Request

Businesses must provide at least two methods for submitting requests:

• A toll-free phone number
• A website form or email address

When submitting a request, you'll need to verify your identity. Businesses may ask for information they already have on file to confirm you are who you claim to be.

Step 3: Wait for Response

Businesses must respond within 45 days. If they need more time, they can extend this by another 45 days with notice to you.

Data Brokers and the CCPA

Data brokers are subject to the CCPA. California law defines a data broker as "a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship."

CalPrivacy maintains a Data Broker Registry where you can find contact information and links to each registered broker's opt-out instructions.

The Delete Act and DROP Platform

California's Delete Act, passed in 2023, created additional requirements specifically for data brokers. The centerpiece is DROP—the Delete Request and Opt-out Platform—which launched January 1, 2026.

DROP allows California residents to:

• Submit a single deletion request to all registered data brokers at once
• Request recurring deletions to address data that reappears
• Track the status of their requests

Starting August 1, 2026, data brokers must check DROP every 45 days and process consumer deletion requests. Non-compliance can result in penalties of $200 per day per consumer.

To use DROP, visit privacy.ca.gov/data-brokers/.

Recent Enforcement Actions

CalPrivacy has been actively enforcing California's privacy laws. Recent actions include:

• Tractor Supply Company: $1.35 million fine for CCPA violations
• American Honda Motor Co.: $632,500 fine for CCPA violations
• Todd Snyder, Inc.: $345,178 fine for CCPA violations
• Background Alert: Settlement requiring the data broker to shut down or pay steep fines

The agency has also launched a Data Broker Enforcement Strike Force targeting unregistered data brokers.

What If You're Not in California?

While the CCPA only applies to California residents, its influence extends beyond state borders:

• Many companies apply CCPA-like protections nationwide rather than maintaining separate systems
• Other states have enacted their own privacy laws modeled on California's approach
• Federal privacy legislation continues to be discussed in Congress

Even if you don't live in California, you can often exercise similar rights by submitting requests directly to companies' privacy teams.

Filing a Complaint

If a business refuses to honor your CCPA rights, you can file a complaint with CalPrivacy at cppa.ca.gov. Include:

• The name of the business
• What right you tried to exercise
• How the business responded (or failed to respond)
• Any documentation of your request