Take action! Exercise your rights under the California Consumer Privacy Act
This guide explains who and what is covered by the California Consumer Privacy Act (CCPA), describes how you can exercise your rights, and offers tips for protecting your personal data. It has been updated to reflect changes in the law that took effect on Jan. 1, 2023. Click here for a condensed version of the guide.
Publication Series
- This publication is part of the California Privacy Initiative training module.
Download File
PDF files may contain outdated links.
Take action! Exercise your rights under the California Consumer Privacy Act
File Name: 2023-CCPA-Privacy-Rights_EN_v1.1.pdf
File Size: 1.7MB
Languages Available
Table of Contents
- Why your CCPA rights are important
- Who and what the CCPA covers
- Your basic CCPA rights
- Right to know about a business’s privacy practices and your CCPA rights
- Rights to see and correct your personal information
- Right to delete (some) of your personal information
- Rights to opt out of selling/sharing your data and to limit your sensitive data
- Right to not be discriminated against
- Special protection for children
- Exercise your rights
- Report CCPA violations
- Tips for protecting your privacy
The California Consumer Privacy Act (CCPA) gives residents important rights regarding the personal information that businesses collect about them. This guide, which has been updated because of changes in the law that took effect on Jan. 1, 2023, explains who and what is covered by the CCPA, describes how you can exercise your rights, and offers tips for keeping your personal data under wraps.
Why your CCPA rights are important
Businesses sometimes need your personal information for certain purposes—for example, they ask for your payment account number and shipping address when you order something. The personal information you provide for one reason, however, may also be used for other purposes, and a lot of information about you and your household can be collected without your knowledge. This information can be used by the business, shared with related companies, and made available to others. We are increasingly being tracked, online and offline, as we go about our daily lives, and the information that is gathered about us over time and from multiple sources is combined and analyzed to create profiles of our preferences, behavior, attitudes, abilities and other characteristics.
One use for this profiling is to decide which products or services to advertise to you. You may not care if, based on your profile, you start to see ads for pickup trucks, work boots and power tools. But would you feel comfortable if you got ads for products or services related to a health condition that you prefer to keep private? What if you don’t have that health condition at all, but from the information collected about you, it is assumed you do? Would it be fair for some people to be chosen to see ads for particular jobs, housing or credit, but not you? What if the price or rate you’re shown for something is higher than what other people see? How else might this profiling be used? Can this information be accessed by law enforcement or other government agencies?
In addition to concerns such as these, your risk of identity theft may increase as more information about you is collected. Exercising your rights to limit the data businesses can use, store and share with others can help protect you from unwanted, unfair and harmful uses of your personal information.
Who and what the CCPA covers
The CCPA applies to companies that do business in California and do any of the following:
- Have an annual gross revenue of more than $25 million
- Buy, sell or share the personal information of 100,000 or more California residents per year
- Make at least half of their annual revenue from selling or sharing California residents’ personal information (this includes all data brokers)
This means that many small businesses are not covered by the law.
The CCPA covers businesses that operate by phone, online, by mail, and in physical locations. Generally, this law does not apply to nonprofit organizations, and it does not apply to government agencies at all.
Personal information includes, but is not limited to, your name, address, email, account numbers, passwords and similar identifiers, as well as your age, race, gender, and other sensitive information.
It also includes the address of the browser you use to connect to the internet and information about your searches, the websites you visit and the pages you view, the apps you use, and the ads you click on; location information from your smartphone and other internet-connected devices; the products or services you buy; your fingerprints, iris scans and other biometrics; your professional, educational and employment information; and other information that identifies, relates to, describes, or could reasonably be linked with you or your household.
Information that is “publicly available” is not covered by the CCPA. This includes information about you:
- From federal, state or local government records, such as whether you own property or hold a professional license
- That you made available to the public or that is from widely distributed media, such as a newspaper or phone book
- That you gave to someone and did not restrict to a specific audience
Your basic CCPA rights
As a California resident, you have the right to:
- Know the types of personal information a business collects and what it may do with it, and about Californians’ CCPA rights
- See the specific pieces of personal information a business has collected about you
- Correct inaccurate information about you
- Delete (some of) the personal information a business has collected about you
- Ask a business that sells or shares consumers’ personal information not to sell or share yours
- Limit the use and disclosure of sensitive information about you
- Not be discriminated against by a business for exercising your CCPA rights
Note: “Sell” means that a business will make your personal information available to a third party (see description of “third party” below) in exchange for money or something else of value. “Share” means that a business will make your information available to a third party for “cross-context behavioral advertising”—that is, to target you to receive ads based on information collected about you as you use multiple websites, apps or services.
Right to know about a business’s privacy practices and your CCPA rights
Before or at the point when your personal information will be collected (for example, when you visit a website, create an account, make a purchase or use an app), the business that controls that collection must tell you what types of personal information are collected, for what purposes, and whether the information will be sold or shared. You must also be told how long the information will be kept, or if it is not possible to say yet, how that will be determined. All California residents have this right to know. You do not need to ask for this basic information or verify your identity to get it.
Note: Businesses may claim not to “sell” personal information because they do not provide it to someone else in exchange for money. But they may benefit financially when they do things such as allowing third parties to track people on their websites. To be on the safe side, they may provide information about this even if they do not describe it as “selling” personal data.
Online and in apps, look for this information in the company’s privacy policy (it may appear in other places as well, such as in the settings within an app). Businesses that collect personal information offline can provide this notice in a variety of ways: on forms people fill out, in handouts, or on prominent signs. When a business collects personal information by phone or in person, it may simply explain its privacy practices orally.
The business must also inform you about your CCPA rights and how to exercise them. The privacy policy will include this information or tell you where to find it (online, you may also see a link for Californians’ privacy rights on a business’s homepage). Businesses should not collect additional types of personal information or use it for purposes beyond those they have described, and they must take reasonable steps to keep it secure.
Note: Businesses must provide the information required by the CCPA in simple, straightforward language. If they ordinarily provide contracts, disclaimers, sale announcements and other information to Californians in multiple languages, they must also make the CCPA information available in those languages.
Businesses are only allowed to ask for personal information to verify your identity for requests to delete, requests to correct, and requests to know, to make sure it is really you. You can authorize someone else to make these requests for you; the business can ask for proof of that authorization, from either you or your authorized agent. Businesses cannot require you to verify your identity when you ask to opt out of sale or sharing, or to limit the processing of your sensitive information.
Rights to see and correct your personal information
You have the right to see the specific pieces of personal information a business has collected about you. This includes information you provided to the business directly or indirectly when you created an account, made a purchase, or used its website or app, and that it obtained from other sources, such as social media, public records, data brokers and other companies. If the information the business has about you is incorrect, you have the right to ask for it to be corrected.
You also have the right to ask the business to tell you:
- The categories of personal information it has collected about you
- The categories of sources from which it collects personal information
- The business or commercial purposes for which it collects, sells or shares personal information
- The categories of third parties to whom it discloses personal information
If the business has not sold or shared your personal information, it should tell you that.
Note: “Third parties” are companies or other types of entities that you did not intentionally interact with but are collecting your personal information. They are different than “service providers” and “contractors” that the business may hire to handle your personal data for “business purposes,” such as maintaining your account, fulfilling orders, detecting fraud, fixing bugs in the system, “personalizing your experience,” and other internal operations.
You also have the right to ask a business that sells or shares your personal information, or that discloses it to others for business purposes, to tell you:
- The categories of personal information that it sold or shared about you and the categories of third parties to which it was sold or shared
- The categories of personal information that the business disclosed about you for business purposes and the categories of persons to whom it was sold or shared
You have the right, twice in every 12-month period, to ask a business to tell you what personal information it has about you, and whether it has sold, shared or disclosed any of that information. There must be at least two ways for you to make this request, including, at a minimum, a toll-free phone number. Other means of making the request may include an online form, a hard copy form with mailing address, and/or an email address. However, a business that only operates online and has a direct relationship with you is allowed to only provide an email address for you to make the request. If a business has a website, it must allow you to make such requests online. There can be no charge for you to request and receive the information.
The business must respond to your request within 45 calendar days, though it can take an additional 45 days (90 days total) if needed and it notifies you. If you don’t get a response by the deadline, follow up with the company. There are some valid reasons why a business may refuse to give you the information—for example, if it cannot verify your identity, you have already made two requests for the same information within the last 12 months, or it is not the company that collected your information (for example, it only provides a service, like payment card processing or shipping, for the company that collected the information). If the business denies your request, it must explain why.
You may receive the information you requested through your account with the business, or by mail or electronically. If it is delivered electronically, it must be in a portable format (if that is technically possible) that would allow you to provide it to someone else. It should cover at least the 12 months up to the time of your request.
Right to delete (some) of your personal information
You have the right to ask a business to delete personal information collected from you. The business must tell its service providers, contractors and any third parties to which it has sold or with which it shared the information to delete it as well. There must be at least two ways for you to submit your deletion request, and the business must respond within 45 calendar days, or 90 days if it notifies you. Again, if the business denies your request, it must explain why.
There are some limits to your right to delete. The business is only required to delete personal information that you gave it, not that it obtained from other sources. Furthermore, it does not have to delete information that is reasonably necessary to complete the transaction for which it was collected, to ensure security and integrity, to provide a warranty, to notify you of recalls, or for certain other business purposes. Also, credit reporting agencies (such as Equifax, Experian and TransUnion) can still collect and disclose your credit information as allowed by the Fair Credit Reporting Act, and debt collectors can still try to collect on debts you owe, despite your request that they delete your information.
Rights to opt out of selling/sharing your data and to limit your sensitive data
You have the right to ask a business that sells or shares consumers’ personal information not to sell or share yours (opt out of sale or sharing). You also have the right to limit a business’s use or disclosure of your sensitive personal information to only that which is necessary to perform the services or provide the goods you requested. Sensitive personal information includes:
- Your Social Security, driver’s license, state ID card or passport number
- Your login or financial account number in combination with a security or access code, password, or other credentials that allow access to your account
- Your precise geolocation
- Your racial or ethnic origin, religious or philosophical beliefs, or union membership
- The contents of your mail, email or text messages (unless they were intended for the business)
- Your genetic data, or the processing of biometric data to identify you
- Personal information collected and analyzed concerning your health, your sex life, or your sexual orientation
Note: Information you made available to the public or that is from widely distributed media, such as a newspaper or phone book, is not “personal” or “sensitive personal information.”
There must be at least two ways for you to exercise these rights. On the homepage of a business’s website, look for the “Do Not Sell or Share My Personal Information” link. You may see a separate link to “Limit the Use of My Sensitive Personal Information,” or a link titled “Your California Privacy Choices,” where you can exercise both rights.
A business that gave you the information about its privacy practices offline but has a website must tell you how to find this link on its site. In a mobile app, the “Do Not Sell or Share” link should appear on the download or landing page and may be in other places within the app as well.
Other ways to opt out of sale or sharing of your personal data or to limit the use or disclosure of your sensitive personal data can include a toll-free number, an email address, a form to submit in person or by mail, and an opt-out preference signal that your internet browser can send on your behalf (GPC, or global privacy control). If you have opted out, the business must wait at least 12 months before asking you to opt back in. Even if a business says it does not “sell” or “share” your data, it may offer you the ability to opt out of being tracked by third parties when you visit its website. These opt-out rights do not apply to all personal information. For example, certain medical information and consumer credit reporting information is excluded.
Right to not be discriminated against
Generally, businesses cannot discriminate against you (deny goods or services, charge a higher price, provide a lower quality, etc.) for exercising your rights under the CCPA, and they can’t require you to agree to give up these rights. However, a business can offer you financial incentives, such as discounts, if you allow it to collect, keep, sell or share your data.
Before a business can enroll you in a financial incentive program, it must provide you with the details of how it works and get your agreement. Furthermore, a business can offer you a different price, rate, level, or quality of goods or services if you do not allow it to collect, keep, sell or share your personal information, as long as that price or difference is directly related to how much your data is worth to the business.
Note: If your personal information is required to fulfill your request for goods or services, be aware that withholding or deleting it could prevent your transaction from being completed.
Special protection for children
A business cannot sell or share the personal information of someone it knows is less than 16 years old unless that person agrees or, in the case of someone under age 13, a parent or legal guardian agrees.
Note: Under federal law, it is illegal for companies that operate websites and online services—including apps—that are directed at children under 13 to collect their personal information without notifying their parents and getting their permission. Learn more at the FTC website.
Exercise your rights
For more information about your rights, check out the CCPA webpage of the California Attornney General (AG) and the FAQs page of the California Privacy Protection Agency (CPPA).
The Electronic Privacy Information Center provides helpful form letters for Californians to make requests to see and delete their data.
Report CCPA violations
If you believe a business has violated the CCPA, you can file a complaint with the California Attorney General or, beginning on July 1, 2023, the California Privacy Protection Agency. Explain how the business violated the law, including when and how the violation occurred. Neither agency provides legal advice or direct assistance to individuals, but your complaint could be used to learn about misconduct and to determine what action, if any, may be appropriate for them to take. You can also use the Attorney General’s Consumer Privacy Interactive Tool to draft a notice of noncompliance to send directly to businesses that may be violating the CCPA.
Tips for protecting your privacy
There are some steps you can take to reduce the amount of personal information that is available to businesses.
Do your due diligence. Before downloading or using an app or creating an account, understand what information the company collects about you, how it uses it and how much control you have over it. Review the default permissions—typically set to allow all or much of your data to be collected and shared—and adjust them to achieve your desired level of privacy. If you aren’t satisfied with how much control you are given, consider choosing another app or website.
Be discreet. Share the least amount of personal information possible. You may not need to fill in every field, answer every question or provide all the information requested to do what you want to do. Do not share personal information with a public audience on social media or post sensitive information (mother’s birth name, phone number, etc.) on social media, regardless of how limited your audience is. And do not answer quizzes or enter sweepstakes—these sources all provide valuable information to data brokers.
Get off lists. To learn how to get off lists for “prescreened” offers of credit and insurance and how to take advantage of other opt-out programs, go to Prescreened Credit and Insurance Offers.
Though the CCPA does not apply to government records, you can try to remove your data from the people-search sites that private companies operate using that information. Consumer Reports walks you through the (time-consuming) process.
You have the right to opt out of your personal information being shared for marketing purposes by financial services companies, such as your bank, credit card issuer, mortgage lender and brokerage firm. Visit Privacy Rights Clearinghouse.
Data brokers that operate in California must be registered with the state. Under the CCPA, you can ask them what information they have about you and opt out of the sale or sharing of your personal information. A list of registered data brokers with links to make those requests is at Data Broker Registry.
Use technology to protect your data. Consumer Reports provides tips for some simple ways to protect your data.
Consumer Federation of America explains how consumers are tracked for advertising purposes. While it is impossible to completely avoid this tracking and profiling, ad blocking software can at least prevent these ads from reaching you. Check out this list of best ad blockers.
Published / Reviewed Date
Reviewed: January 04, 2023
Download File
Take action! Exercise your rights under the California Consumer Privacy Act
File Name: 2023-CCPA-Privacy-Rights_EN_v1.1.pdf
File Size: 1.7MB
Sponsors
Notes
Consumer Federation of America (CFA) is an association of nonprofit consumer organizations that was established in 1968 to advance the consumer interest through research, advocacy, and education.
Filed Under
Copyright
© 2021 –2024 Consumer Action. Rights Reserved.