Take action! Exercise your rights under the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) gives residents important rights regarding the personal information that businesses collect about them. This guide explains who and what is covered by the CCPA, describes how you can exercise your rights, and offers tips for keeping your personal data under wraps.

Why your CCPA rights are important

Businesses sometimes need your personal information for certain purposes—for example, they ask for your payment account number and shipping address when you order something. The personal information you provide for one reason, however, may also be used for other purposes, and a lot of information about you and your household can be collected without your knowledge. This information can be used by the business, shared with related companies, and made available to others. We are increasingly being tracked, online and offline, as we go about our daily lives, and the information that is gathered about us over time and from multiple sources is combined and analyzed to create profiles of our preferences, behavior, attitudes, abilities and other characteristics.

One use for this profiling is to decide which products or services to advertise to you. You may not care if, based on your profile, you start to see ads for pickup trucks, work boots and power tools. But would you feel comfortable if you get ads for products or services related to a health condition that you prefer to keep private? What if you don’t have that health condition at all, but, from the information collected about you, it’s assumed you do? Would it be fair for some people to be chosen to see ads for particular jobs, housing or credit, but not you? What if the price or rate you’re shown for something is higher than what other people see? How else might this profiling be used? Can this information be accessed by law enforcement or other government agencies? In addition to concerns such as these, your risk of identity theft may increase as more and more information about you is collected. Exercising your rights to limit the data businesses can use, store and share with others can help protect you from unwanted, unfair and harmful uses of your personal information.

Who and what the CCPA covers

The CCPA applies to companies that do business in California and do any of the following:

  • Have an annual gross revenue of more than $25 million
  • Buy, receive or sell the personal information of 50,000 or more California residents per year
  • Make at least half of their annual revenue from selling California residents’ personal information (this includes all data brokers)

The CCPA covers businesses that operate by phone, online, by mail, and in physical locations. It does not apply to nonprofit organizations or government agencies.

Personal information includes your name, address, email, account numbers, passwords and similar identifiers, as well as your age, race, gender, and other sensitive information.

It also includes the address of the browser you use to connect to the internet and information about your searches, the websites you visit and the pages you view, the apps you use, and the ads you click on; location information from your smartphone and other internet-connected devices; the products or services you buy; your fingerprints, iris scans and other biometrics; your professional, educational and employment information; and other information that identifies, relates to, describes, or could reasonably be linked with you or your household.

Information that is publicly available from federal, state or local government records, such as whether you own property or hold a professional license, is not covered by the CCPA.

Your basic CCPA rights

As a California resident, you have the right to:

  • Know the types of personal information a business collects and what it may do with it, and about Californians’ CCPA rights
  • See the specific pieces of personal information a business has collected about you
  • Delete (some of) the personal information a business has collected about you
  • Ask a business that sells consumers’ personal information not to sell yours
  • Not be discriminated against by a business for exercising your CCPA rights

Some of the rights the CCPA grants are automatic, while others require you to take steps to exercise them.

Right to know about a business’s privacy practices and your CCPA rights

Before or at the point where a business will collect your personal information (for example, when you visit a website, create an account, make a purchase, or use an app), it must provide an explanation of the types of personal information it collects and how it may use that data.

Online and in apps, look for this information in the company’s privacy policy (it may appear in other places as well, such as in the settings within an app). Businesses that collect personal information offline can provide this notice in a variety of ways: on forms people fill out, in handouts, or on prominent signs. When a business collects personal information by phone or in person, it may simply explain its privacy practices orally.

The business must also inform you about your CCPA rights and how to exercise them. The privacy policy will include this information or tell you where to find it (online, you may also see a link for Californians’ privacy rights on a business’s homepage). Businesses shouldn’t collect additional types of personal information or use it for purposes beyond those they’ve described.

Note: Businesses must provide the information required by the CCPA in simple, straightforward language. If they ordinarily provide contracts, disclaimers, sale announcements, and other information to Californians in multiple languages, they must also make the CCPA information available in those languages.

Right to see your personal information

You have the right to see the specific pieces of personal information a business has collected about you. This includes information you provided to the business directly and that it obtained from other sources. You also have the right to ask the business to tell you:

  • The categories of personal information it has collected about you
  • The categories of sources from which it collects the personal information
  • The business or commercial purposes for which it collects or sells personal information
  • The categories of third parties with whom it shares personal information

The words businesses use in responding to these requests vary. Personal information is the type of information described in “Who and what the CCPA covers” (above).

Sources of your data typically include information you provide to a business, directly or indirectly, when you create an account, make a purchase, or use its website or app, as well as information collected about you from social media, public records, data brokers, and other types of companies.

Maintaining your account, detecting fraud, “personalizing your experience,” and other internal operations are considered “business purposes,” while “commercial purposes” means trying to sell you something. “Service providers” are companies hired by a business to help with its operations, such as processing consumers’ payments. “Third parties,” on the other hand, are companies or other types of entities that aren’t legally related to the business and aren’t service providers.

Note: Businesses may claim not to “sell” your personal information because they don’t actually hand it over to a third party in exchange for money. But they may benefit financially when they do things such as allowing third parties to track you on their websites. To be on the safe side, they may provide information about this even if they don’t describe it as selling your data.

You can request this information twice in a 12-month period, and the business must provide it to you free of charge. It will cover the 12 months up to the time of your request. There must be at least two ways for you to submit your request, including, at a minimum, a toll-free phone number. Other means of making this request may include an online form, a hard copy form with mailing address, and/or an email address. However, a business that only operates online and has a direct relationship with you is allowed to only provide an email address to make this request. If a business has a website, it must allow you to make such requests online.

The business must respond to your request within 45 calendar days, though it can take an additional 45 days (90 days total) if it notifies you. If you don’t get a response by the deadline, follow up with the company. There are some valid reasons why a business may refuse to give you the information—for example, if it can’t verify your identity, you’ve already made two requests within the last 12 months, or it is not the company that collected your information (for example, it only provides a service, like payment card processing or shipping, for the company that collected the information). If the business denies your request, it must explain why.

You may receive the information you requested by mail or electronically. If it is delivered electronically, it must be in a portable format (if that is technically possible) that would allow you provide it to someone else.

Right to delete (some of) your personal information

You have the right to ask a business to delete your personal information and to tell its service providers to do the same. There must be at least two ways for you to submit your deletion request, and the business must respond within 45 calendar days, or 90 days if it notifies you. Again, if the business denies your request, it must explain why.

There are some limits to your right to delete. The business only has to delete personal information that you gave it, not that it obtained from other sources. Furthermore, it doesn’t have to delete information that is necessary for security or fraud prevention, to provide a warranty, to notify you of recalls, or for certain other business purposes. Also, credit reporting agencies (such as Equifax, Experian and TransUnion) can still collect and disclose your credit information as allowed by the Fair Credit Reporting Act, and debt collectors can still try to collect on debts you owe, despite your request that they delete your information.

Note: Businesses are allowed to ask for personal information to verify your identity when you ask to see or delete your data, but they can only use that information to make sure it’s really you. You can authorize someone else to request your information or delete it on your behalf; the business can ask for proof of that authorization, from either you or your authorized agent, before acting on the request, unless you have provided the agent with power of attorney.

Right to opt out of sale

You have the right to ask a business that sells consumers’ personal information not to sell yours (opt out of sale). There must be at least two ways for you to do this. On the homepage of a business’s website, look for the “Do Not Sell My Personal Information” link. If there is a link on the homepage for Californians’ privacy rights, you may also find the “Do Not Sell” link there.

A business that gave you the information about its privacy practices offline but has a website must tell you how to find this link on its site. In a mobile app, the “Do Not Sell” link should appear on the download or landing page, and may be in other places within the app as well.

Other ways to opt out of sale can include a toll-free number, an email address, a form to submit in person or by mail, and a signal from an internet-connected device (this is called a “global privacy control”). If you’ve opted out, the business must wait at least 12 months before asking you to opt back in to the sale of your personal information. (Even if a business says it does not “sell” your data, it may offer you the ability to opt out of being tracked by third parties when you visit its website.) The right to opt out of sale doesn’t apply to all personal information. For example, certain medical information and consumer credit reporting information is excluded.

Note: Businesses do not need to verify your identity to honor a request not to sell your data, and you can authorize someone else to opt out of sale for you. The business may ask your agent for proof that you have given that permission and can deny the request if they can’t provide it or there is reason to believe that the request is fraudulent.

Right to not be discriminated against

Generally, businesses cannot discriminate against you (deny goods or services, charge a higher price, provide a lower quality, etc.) for exercising your rights under the CCPA, and they can’t require you to agree to give up these rights. However, a business can offer you financial incentives, such as discounts, if you allow it to collect, keep, or sell your data. Before a business can enroll you in a financial incentive program, it must provide you with the details of how it works and get your agreement (opt-in). Furthermore, a business can offer you a different price, rate, or level of or quality of goods or services if you don’t allow it to collect, keep or sell your personal information, as long as that price or difference is directly related to how much your data is worth to the business.

Note: If your personal information is required to fulfill your request for goods or services, be aware that withholding or deleting it could prevent your transaction from being completed.

Special protections for children

A business can’t sell the personal information of someone it knows is less than 16 years old unless that person agrees or, in the case of someone under age 13, a parent or legal guardian makes that agreement. Furthermore, parents or legal guardians of children under 18 can act on their behalf to ask to see their information or delete it.

Note: Under federal law, it is illegal for companies that operate websites and online services—including apps—that are directed to children under 13 to collect their personal information without notifying their parents and getting their permission. To learn more, go to Protecting Your Child’s Privacy Online.

Exercise your rights

For more information about your rights, check out the CCPA webpage of the California attorney general’s (AG) office.

The Electronic Privacy Information Center provides helpful form letters for Californians to make requests to see and delete their data.

Report CCPA violations

If you believe a business has violated the CCPA, file a complaint with the California AG. Explain exactly how the business violated the CCPA, including when and how the violation occurred. The AG doesn’t provide legal advice or direct assistance to individuals, but your complaint could be used to learn about misconduct and to determine what action, if any, may be appropriate.

Tips for protecting your privacy

There are some steps you can take to reduce the amount of personal information that is available to businesses.

Do your due diligence. Before downloading or using an app or creating an account, understand what information the company collects about you, how it uses it and how much control you have over it. Review the default permissions—typically set to allow all or much of your data to be collected and shared—and adjust them to achieve your desired level of privacy. If you aren’t satisfied with how much control you are given, consider choosing another app or website.

Be discreet. Share the least amount of personal information possible. You don’t have to fill in every field (birthdate, phone number, etc.) when creating your social media profile or an online account. Don’t post personal information on social media. And don’t answer quizzes or enter sweepstakes—these sources all provide valuable information to data brokers.

Get off lists. To learn how to get off lists for “prescreened” offers of credit and insurance and how to take advantage of other opt-out programs, go to Prescreened Credit and Insurance Offers.

Though the CCPA does not apply to government records, you can try to remove your data from the people-search sites that private companies operate using that information. Consumer Reports walks you through the (time-consuming) process at How to Delete Your Information From People-Search Sites.

You have the right to opt out of your personal information being shared for marketing purposes by financial services companies such as your bank, credit card issuer, mortgage lender and brokerage firm. Visit Privacy Rights Clearinghouse.

Data brokers that operate in California must be registered with the state. Under the CCPA, you can ask them what information they have about you and delete your data. A list of registered data brokers with links to make those requests is at the Data Broker Registry.

Use technology to protect your data. Consumer Reports provides tips for some simple ways to protect your data.

Consumer Federation of America explains how consumers are tracked for advertising purposes at Surveillance Advertising Factsheets. While it is impossible to completely avoid this tracking and profiling, ad blocking software can at least prevent these ads from reaching you. Visit The best ad blockers in 2021.

In January 2023, your rights will change when the new California Privacy Rights Act takes effect. The information in this guide will be updated, so stay tuned!

Published / Reviewed Date

Published: January 04, 2022

Download File

Take action! Exercise your rights under the California Consumer Privacy Act
File Name: CCPA-Privacy-Rights_2022.pdf
File Size: 0.52MB

Sponsors

Notes

Consumer Action and Consumer Federation of America, with support from the Rose Foundation, have launched The California Privacy Initiative to educate Californians about the California Consumer Privacy Act (CCPA) and encourage them to exercise their rights under the CCPA.

Filed Under

Privacy Rights   ♦  

Copyright

© 2021 –2022 Consumer Action. Rights Reserved.

 

Tags/Keywords

 
 

Quick Menu

Facebook FTwitter T