California Consumer Privacy Act (CCPA) (2024)

• A. GENERAL INFORMATION ABOUT THE CCPA
• B. RIGHT TO OPT-OUT OF SALE OR SHARING
• C. REQUESTS TO KNOW
• D. REQUESTS TO DELETE
• E. REQUESTS TO CORRECT

• F. REQUESTS TO LIMIT USE OF PERSONAL INFORMATION
• G. RIGHT TO NON-DISCRIMINATION
• H. REQUIRED NOTICES
• I. DATA BROKERS AND THE CCPA
• Other Consumer Resources on CCPA

If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information, to direct businesses not to sell or share your personal information, to correct inaccurate information that they have about you, and to limit businesses’ use and disclosure of your sensitive personal information:

• Right to know: You can request that a business disclose to you: (1) the categories and/or specific pieces of personal information they have collected about you, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties. You can make a request to know up to twice a year, free of charge.
• Right to delete: You can request that businesses delete personal information they collected from you and tell their service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
• Right to opt-out of sale or sharing: You may request that businesses stop selling or sharing your personal information (“opt-out”), including via a user-enabled global privacy control. Businesses cannot sell or share your personal information after they receive your opt-out request unless you later authorize them to do so again.
• Right to correct: You may ask businesses to correct inaccurate information that they have about you.
• Right to limit use and disclosure of sensitive personal information: You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.

You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.

Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

Sensitive personal information is a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Consumers have the right to also limit a business’s use and disclosure of their sensitive personal information.

Personal information does not include publicly available information (including public real estate/property records) and certain types of information.

Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records. The definition of publicly available information also includes information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or certain information disclosed by a consumer and made available if the consumer has not restricted the information to a specific audience.

The CCPA also exempts certain types of information such as certain medical information and consumer credit reporting information.

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

• Have a gross annual revenue of over $25 million;
• Buy, sell, or share the personal information of 100,000 or more California residents or households; or
• Derive 50% or more of their annual revenue from selling California residents’ personal information.

You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circ*mstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days to respond in writing that it has cured the violations and that no further violations will occur. If the business is able to actually cure the violation and gives you its written statement that it has done so, you cannot sue the business, unless it continues to violate the CCPA contrary to its statement.

For all other violations of the CCPA, only the Attorney General or the California Privacy Protection Agency may take legal action against non-compliant entities. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint. Starting on July 1, 2023, you also will be able to file complaints with the California Privacy Protection Agency for violations of the CCPA, as amended, occurring on or after that date.

You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:

• Your social security number
• Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
• Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
• Your medical or health insurance information
• Your fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes)

This personal information must have been stolen in nonencrypted and nonredacted form. In addition, the personal information must have been stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days to respond in writing that it has cured the violations and that no further violations will occur. If the business is able to actually cure the violation and gives you its written statement that it has done so, you cannot sue the business, unless it continues to violate the CCPA contrary to its statement.

Yes. You may authorize another person to submit a CCPA request on your behalf. You may also authorize a business entity registered with the California Secretary of State to submit a request on your behalf.

Please note that if you use an authorized agent, businesses may require more information from either the authorized agent or from you to verify that you are the person directing the agent. For example, for requests to know or delete your personal information, the business may require the authorized agent to provide proof that you gave that agent signed permission to submit the request. Businesses may also require you to verify your identity directly with the business or directly confirm with the business that you gave the authorized agent permission to submit the request.

Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request. Businesses also should not require you to verify your identity, though they can ask you basic questions to identify which personal information is associated with you.

You can also submit an opt-out request via a user-enabled global privacy control, like the GPC, discussed in FAQ 8 & 9 below. If you can’t find a business’s “Do Not Sell or Share My Personal Information” link, review its privacy policy to see if it sells or shares personal information. If the business does, it must also include that link in its privacy policy.

If a business’s "Do Not Sell My Personal Information" link or other designated method of submitting opt-out requests is not working or difficult to find, you may report the business to our office (https://oag.ca.gov/contact/consumer-complaint-against-business-or-company).

There are some exceptions to the opt-out right. Common reasons why businesses may refuse to stop selling your personal information include:

• Sale or sharing is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
• The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

See Civil Code section 1798.145 for more exceptions.

If you do not know why a business denied your opt-out request, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to opt-out to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose:

• The categories of personal information collected
• Specific pieces of personal information collected
• The categories of sources from which the business collected personal information
• The purposes for which the business uses the personal information
• The categories of third parties with whom the business shares the personal information
• The categories of information that the business sells or discloses to third parties

Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge.

Businesses must designate at least two methods for you to submit your request—for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests to know.

Businesses cannot make you create an account just to submit a request to know, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your request to know through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request.

If a business’s designated method of submitting requests to know is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to know and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

There are some exceptions to the right to know. Common reasons why businesses may refuse to disclose your personal information include:

• The business cannot verify your request
• The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period
• Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information
• Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims
• If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

See Civil Code section 1798.145 for more exceptions.

If you do not know why a business denied your request to know, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to know to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Review the business’s privacy policy, which must include instructions on how you can submit your request to delete.

Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests.

Businesses cannot make you create an account just to submit a deletion request, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your deletion request through one of the business’s designated methods, which may be different from its normal customer service contact information.

If a business’s designated method of submitting requests to delete is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to delete and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

There are exceptions to the right to delete. Common reasons why businesses may keep your personal information include:

• If the information is exempt from the CCPA. This includes:
  • Publicly available information (such as your address, which is often in public real estate/property records). However, if you are a law enforcement officer, public official, or Safe at Home participant (available to victims of domestic violence, stalking, sexual assault, human trafficking, elder and dependent abuse, as well as reproductive health workers), you may request a website to not publicly post your address as described here.
  • Certain types of information such as medical information or consumer credit reporting information.
• The business cannot verify your request
• To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
• For certain business security practices
• For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided
• To comply with legal obligations, exercise legal claims or rights, or defend legal claims
• If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

See Civil Code sections 1798.105(d) and 1798.145 for more exceptions.

If you do not know why a business denied your request to delete, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to delete to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

You may ask businesses to correct inaccurate information that they have about you.

The California Privacy Protection Agency is currently engaged in a formal rulemaking process and has proposed CCPA regulations pertaining to the right to correct, but these are not currently final or effective.

Review the business’s privacy policy, which should include instructions on how you can submit your request to correct.

Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests.

Businesses cannot make you create an account just to submit a correction request, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your correction request through one of the business’s designated methods, which may be different from its normal customer service contact information.

If a business’s designated method of submitting requests to correct is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to correct and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

There are exceptions to the right to correct. Common reasons why businesses may deny your request to correct include:

• The business cannot verify your identity to complete your request
• The request is manifestly unfounded or excessive
• The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

If you do not know why a business denied your request to correct, follow up with the business to ask it for its reasons.

You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.

The California Privacy Protection Agency is currently engaged in a formal rulemaking process and has proposed CCPA regulations pertaining to the right to limit, but these are not currently final or effective.

Another California law, Civil Code section 1798.99.80, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This law exempts certain businesses that are regulated by other laws from this definition. Exempted businesses include consumer reporting agencies (commonly known as credit bureaus) and certain financial institutions and insurance companies.

Data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker analyzes and packages the data for sale to other businesses.

The California law on data brokers requires data brokers covered by the law to register with the Attorney General and to provide certain information on their practices. The Data Broker Registry can be found on the Attorney General’s website at https://oag.ca.gov/data-brokers.

Data brokers are subject to the CCPA. On the Data Broker Registry website, you will find contact information and a website link for each registered data broker, as well as additional information to help you exercise your CCPA rights.

You can click on the “View Full Submission” link on the Data Broker Registry to get instructions on how to opt-out of the sale of your personal information. However, you may not be able to stop the sale of all of your information. The CCPA’s definition of “personal information” does not include information lawfully made available from government records, which are often sources used by data brokers.

You can also go to a data broker’s website through the link posted on the Registry and find the broker’s privacy policy to learn more about its privacy practices and how to exercise your CCPA rights.