California Consumer Privacy Act (CCPA)

Updated on March 13, 2024

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new additional privacy protections that began on January 1, 2023. As of January 1, 2023, consumers have new rights in addition to those above, such as:

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

CPRA amends the CCPA; it does not create a separate, new law. As a result, our office typically refers to the law as “CCPA” or “CCPA, as amended.”

Frequently Asked Questions (FAQs)

These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA. They are not legal advice, regulatory guidance, or an opinion of the Attorney General. We will update this information periodically.

A. GENERAL INFORMATION ABOUT THE CCPA

If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information, to direct businesses not to sell or share your personal information, to correct inaccurate information that they have about you, and to limit businesses’ use and disclosure of your sensitive personal information:

  • Right to know: You can request that a business disclose to you: (1) the categories and/or specific pieces of personal information they have collected about you, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties. You can make a request to know up to twice a year, free of charge.
  • Right to delete: You can request that businesses delete personal information they collected from you and tell their service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
  • Right to opt-out of sale or sharing: You may request that businesses stop selling or sharing your personal information (“opt-out”), including via a user-enabled global privacy control. Businesses cannot sell or share your personal information after they receive your opt-out request unless you later authorize them to do so again.
  • Right to correct: You may ask businesses to correct inaccurate information that they have about you.
  • Right to limit use and disclosure of sensitive personal information: You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.

You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.

Only California residents have rights under the CCPA. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.

Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

Sensitive personal information is a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Consumers have the right to also limit a business’s use and disclosure of their sensitive personal information.

Personal information does not include publicly available information (including public real estate/property records) and certain types of information.

Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records. The definition of publicly available information also includes information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or certain information disclosed by a consumer and made available if the consumer has not restricted the information to a specific audience.

The CCPA also exempts certain types of information such as certain medical information and consumer credit reporting information.

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents or households; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

The CCPA generally does not apply to nonprofit organizations or government agencies.

You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days to respond in writing that it has cured the violations and that no further violations will occur. If the business is able to actually cure the violation and gives you its written statement that it has done so, you cannot sue the business, unless it continues to violate the CCPA contrary to its statement.

For all other violations of the CCPA, only the Attorney General or the California Privacy Protection Agency may take legal action against non-compliant entities. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint. Starting on July 1, 2023, you also will be able to file complaints with the California Privacy Protection Agency for violations of the CCPA, as amended, occurring on or after that date.

You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:

  • Your social security number
  • Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
  • Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
  • Your medical or health insurance information
  • Your fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes)

This personal information must have been stolen in nonencrypted and nonredacted form. In addition, the personal information must have been stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days to respond in writing that it has cured the violations and that no further violations will occur. If the business is able to actually cure the violation and gives you its written statement that it has done so, you cannot sue the business, unless it continues to violate the CCPA contrary to its statement.

Yes. As of January 1, 2023, the CPRA’s amendments to the CCPA are in effect, and businesses are required to comply with all express statutory requirements. Businesses are also required to comply with those CCPA regulations currently in effect.

Yes. The California Department of Justice promulgated an initial round of regulations implementing the CCPA on August 14, 2020 and further amended on March 15, 2021. Those regulations were recently updated by the California Privacy Protection Agency. These regulations appear in Title 11, Division 6, Section 7001 et seq. of the California Code of Regulations and were effective on March 29, 2023.

No. The exemptions for employment-related personal information and personal information reflecting business-to-business transactions described in Civil Code Sec. 1798.145(m)-(n) expired on December 31, 2022.

Yes. You may authorize another person to submit a CCPA request on your behalf. You may also authorize a business entity registered with the California Secretary of State to submit a request on your behalf.

Please note that if you use an authorized agent, businesses may require more information from either the authorized agent or from you to verify that you are the person directing the agent. For example, for requests to know or delete your personal information, the business may require the authorized agent to provide proof that you gave that agent signed permission to submit the request. Businesses may also require you to verify your identity directly with the business or directly confirm with the business that you gave the authorized agent permission to submit the request.

Back To Top



B. RIGHT TO OPT-OUT OF SALE OR SHARING

You may request that businesses stop selling or sharing your personal information (“opt-out”). Note that sharing refers specifically to sharing for cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.

Businesses can only sell the personal information of a child that they know to be under the age of 16 if they get affirmative authorization (“opt-in”) for the sale of the child’s personal information. For children under the age of 13, that opt-in must come from the child’s parent or guardian. For children who are at least 13 years old but under the age of 16, the opt-in can come from the child.

Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request. Businesses also should not require you to verify your identity, though they can ask you basic questions to identify which personal information is associated with you.

You can also submit an opt-out request via a user-enabled global privacy control, like the GPC, discussed in FAQ 8 & 9 below. If you can’t find a business’s “Do Not Sell or Share My Personal Information” link, review its privacy policy to see if it sells or shares personal information. If the business does, it must also include that link in its privacy policy.

If a business’s "Do Not Sell My Personal Information" link or other designated method of submitting opt-out requests is not working or difficult to find, you may report the business to our office (https://oag.ca.gov/contact/consumer-complaint-against-business-or-company).

Businesses must respond as soon as feasibly possible to your request, up to a maximum of 15 business days from the date they received your request to opt-out.

While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask you for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

There are some exceptions to the opt-out right. Common reasons why businesses may refuse to stop selling your personal information include:

  • Sale or sharing is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

See Civil Code section 1798.145 for more exceptions.

If you do not know why a business denied your opt-out request, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to opt-out to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Businesses that sell or share personal information must offer two or more methods for consumers to submit requests to opt-out of the sale of their personal information. For businesses that collect personal information from consumers online, one acceptable method for consumers to opt-out of sales or sharing is via a user-enabled global privacy control, like the GPC. Developed in response to the CCPA and to enhance consumer privacy rights, the GPC is a ‘stop selling or sharing my data switch’ that is available on some internet browsers, like Mozilla Firefox, Duck Duck Go, and Brave, or as a browser extension. It is a proposed technical standard that reflects what the CCPA regulations contemplated – some consumers want a comprehensive option that broadly signals their opt-out request, as opposed to making requests on multiple websites on different browsers or devices. Opting out of the sale or sharing of personal information should be easy for consumers, and the GPC is one option for consumers who want to submit requests to opt-out of the sale or sharing of personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information.

To learn more about the GPC, you can visit its website here. Developers have begun to innovate around the GPC and created different mechanisms for consumers, such as EFF’s Privacy Badger extension or the Brave Privacy Browser.

Back To Top



C. REQUESTS TO KNOW

You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties

Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge.

Businesses must designate at least two methods for you to submit your request—for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests to know.

Businesses cannot make you create an account just to submit a request to know, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your request to know through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request.

If a business’s designated method of submitting requests to know is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to know and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

Businesses must verify that the person making a request to know is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

There are some exceptions to the right to know. Common reasons why businesses may refuse to disclose your personal information include:

  • The business cannot verify your request
  • The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period
  • Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information
  • Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

See Civil Code section 1798.145 for more exceptions.

If you do not know why a business denied your request to know, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to know to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Back To Top



D. REQUESTS TO DELETE

You may request that businesses delete personal information they collected from you and to tell their service providers to do the same. However, there are many exceptions (see FAQ D.5) that allow businesses to keep your personal information.

Review the business’s privacy policy, which must include instructions on how you can submit your request to delete.

Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests.

Businesses cannot make you create an account just to submit a deletion request, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your deletion request through one of the business’s designated methods, which may be different from its normal customer service contact information.

If a business’s designated method of submitting requests to delete is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to delete and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

Businesses must verify that the person making a request to delete is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

There are exceptions to the right to delete. Common reasons why businesses may keep your personal information include:

  • If the information is exempt from the CCPA. This includes:
    • Publicly available information (such as your address, which is often in public real estate/property records). However, if you are a law enforcement officer, public official, or Safe at Home participant (available to victims of domestic violence, stalking, sexual assault, human trafficking, elder and dependent abuse, as well as reproductive health workers), you may request a website to not publicly post your address as described here.
    • Certain types of information such as medical information or consumer credit reporting information.
  • The business cannot verify your request
  • To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
  • For certain business security practices
  • For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided
  • To comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

See Civil Code sections 1798.105(d) and 1798.145 for more exceptions.

If you do not know why a business denied your request to delete, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to delete to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Creditors, collection agencies, and other debt collectors can still try to collect debts that you owe even if you asked them to delete your personal information. Learn more about debt collectors—including what they can and can’t do—here.

Credit reporting agencies like Equifax, Experian, and TransUnion can still collect and disclose your credit information, subject to regulation under the Fair Credit Reporting Act. Learn more about your rights under the Fair Credit Reporting Act here. Learn more about how to check and fix your credit report here.

Back To Top



E. REQUESTS TO CORRECT (RIGHT TO CORRECT)

You may ask businesses to correct inaccurate information that they have about you.

The California Privacy Protection Agency is currently engaged in a formal rulemaking process and has proposed CCPA regulations pertaining to the right to correct, but these are not currently final or effective.

Review the business’s privacy policy, which should include instructions on how you can submit your request to correct.

Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests.

Businesses cannot make you create an account just to submit a correction request, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your correction request through one of the business’s designated methods, which may be different from its normal customer service contact information.

If a business’s designated method of submitting requests to correct is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to correct and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

Businesses must verify that the person making a request to correct is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

There are exceptions to the right to correct. Common reasons why businesses may deny your request to correct include:

  • The business cannot verify your identity to complete your request
  • The request is manifestly unfounded or excessive
  • The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

If you do not know why a business denied your request to correct, follow up with the business to ask it for its reasons.

Back To Top



F. REQUESTS TO LIMIT USE OF PERSONAL INFORMATION (RIGHT TO LIMIT)

You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.

The California Privacy Protection Agency is currently engaged in a formal rulemaking process and has proposed CCPA regulations pertaining to the right to limit, but these are not currently final or effective.

Back To Top



G. RIGHT TO NON-DISCRIMINATION

Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.

However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.

Businesses can also offer you promotions, discounts and other deals in exchange for collecting, keeping, or selling your personal information. But they can only do this if the financial incentive offered is reasonably related to the value of your personal information. If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.

Back To Top



H. REQUIRED NOTICES

The CCPA requires businesses to give consumers certain information in a “notice at collection.” A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. (To find out how you can learn what specific information a business has collected about you, see the Right to Know section.) If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell or Share link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.

This notice must be provided at or before the point at which the business collects your personal information. For example, you might find a link to the notice at collection on a website’s homepage and on a webpage where you place an order or enter your personal information for another reason. On a mobile app, you might find a link to the notice in the settings menu. In a retail store, you might find the notice on a printed form used to collect your personal information.

A business’s privacy policy is a written statement that gives a broad picture of its online and offline practices for the collection, use, sharing, and sale of consumers’ personal information. The CCPA requires business privacy policies to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale, the the Right to Correct, the the Right to Limit, and the Right to Non-Discrimination.

Most businesses post their privacy policy on their websites. A link to it can usually be found at the bottom of the homepage and other webpages. The link’s title may include “Privacy” or “California Privacy Rights.” In a mobile app, the privacy policy may be linked on the download page for the app or in the app’s settings menu.

Back To Top



I. DATA BROKERS AND THE CCPA

Another California law, Civil Code section 1798.99.80, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This law exempts certain businesses that are regulated by other laws from this definition. Exempted businesses include consumer reporting agencies (commonly known as credit bureaus) and certain financial institutions and insurance companies.

Data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker analyzes and packages the data for sale to other businesses.

The California law on data brokers requires data brokers covered by the law to register with the Attorney General and to provide certain information on their practices. The Data Broker Registry can be found on the Attorney General’s website at https://oag.ca.gov/data-brokers.

Data brokers are subject to the CCPA. On the Data Broker Registry website, you will find contact information and a website link for each registered data broker, as well as additional information to help you exercise your CCPA rights.

You can click on the “View Full Submission” link on the Data Broker Registry to get instructions on how to opt-out of the sale of your personal information. However, you may not be able to stop the sale of all of your information. The CCPA’s definition of “personal information” does not include information lawfully made available from government records, which are often sources used by data brokers.

You can also go to a data broker’s website through the link posted on the Registry and find the broker’s privacy policy to learn more about its privacy practices and how to exercise your CCPA rights.

Back To Top



Other Consumer Resources on CCPA

Back To Top