California Consumer Privacy Act

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This landmark law secures new privacy rights for California consumers, including:

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

Frequently Asked Questions (FAQs)

These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA. They are not legal advice, regulatory guidance, or an opinion of the Attorney General. We will update this information periodically.

A. GENERAL INFORMATION ABOUT THE CCPA

If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information and not to sell your personal information. You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.

Only California residents have rights under the CCPA. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.

Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records.

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

No. The CCPA does not apply to nonprofit organizations or government agencies.

You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. If you want to sue for statutory damages, you must give the business written notice of which CCPA sections it violated and give it 30 days to give you a written statement that it has cured the violations in your notice and that no further violations will occur. You cannot sue for statutory damages for a CCPA violation if the business is able to cure the violation and gives you its written statement that it has done so, unless the business continues to violate the CCPA contrary to its statement.

For all other violations of the CCPA, only the Attorney General can file an action against businesses. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint.

You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:

  • Your social security number
  • Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
  • Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
  • Your medical or health insurance information
  • Your fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)

This personal information must have been stolen in nonencrypted and nonredacted form.

B. REQUESTS NOT TO SELL PERSONAL INFORMATION (RIGHT TO OPT-OUT OF SALE)

You may request that businesses stop selling your personal information (“opt-out”). With some exceptions, businesses cannot sell your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale of your personal information.

Businesses can only sell the personal information of a child that they know to be under the age of 16 if they get affirmative authorization (“opt-in”) for the sale of the child’s personal information. For children under the age of 13, that opt-in must come from the child’s parent or guardian. For children who are at least 13 years old but under the age of 16, the opt-in can come from the child.

Businesses that sell personal information are subject to the CCPA’s requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request.

Make sure you submit your opt-out request through the “Do Not Sell My Personal Information” link or through another method that the business designates for opt-out requests, which may be different from its normal customer service contact information. If you can’t find a business’s “Do Not Sell” link, review its privacy policy, which must include that link.

If a business’s “Do Not Sell” link or other designated method of submitting opt-out requests is not working, notify the business in writing and consider submitting your request through another designated method if possible.

While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask you for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

There are some exceptions to the opt-out right. Common reasons why businesses may refuse to stop selling your personal information include:

  • If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

See Civil Code section 1798.145 for more exceptions.

If you do not know why a business denied your opt-out request, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to opt-out to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Businesses that sell personal information must offer two or more methods for consumers to submit requests to opt-out of the sale of their personal information. For businesses that collect personal information from consumers online, one acceptable method for consumers to opt-out of sales is via a user-enabled global privacy control, like the GPC. Developed in response to the CCPA and to enhance consumer privacy rights, the GPC is a ‘stop selling my data switch’ that is available on some internet browsers, like Mozilla Firefox, Duck Duck Go, and Brave, or as a browser extension. It is a proposed technical standard that reflects what the CCPA regulations contemplated – some consumers want a comprehensive option that broadly signals their opt-out request, as opposed to making requests on multiple websites on different browsers or devices. Opting out of the sale of personal information should be easy for consumers, and the GPC is one option for consumers who want to submit requests to opt-out of the sale of personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale of personal information.

To learn more about the GPC, you can visit its website here. Developers have begun to innovate around the GPC and created different mechanisms for consumers, such as EFF’s Privacy Badger extension or the Brave Privacy Browser.

C. REQUESTS TO KNOW PERSONAL INFORMATION (RIGHT TO KNOW)

You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties

Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge.

Businesses must designate at least two methods for you to submit your request—for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests to know.

Businesses cannot make you create an account just to submit a request to know, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your request to know through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request.

If a business’s designated method of submitting requests to delete is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to know and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

Businesses must verify that the person making a request to know is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

There are some exceptions to the right to know. Common reasons why businesses may refuse to disclose your personal information include:

  • The business cannot verify your request
  • The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period
  • Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information
  • Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

See Civil Code section 1798.145 for more exceptions.

If you do not know why a business denied your request to know, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to know to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

D. REQUIRED NOTICES

The CCPA requires businesses to give consumers certain information in a “notice at collection.” A notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. (To find out how you can learn what specific information a business has collected about you, see the Right to Know section.) If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.

This notice must be provided at or before the point at which the business collects your personal information. For example, you might find a link to the notice at collection on a website’s homepage and on a webpage where you place an order or enter your personal information for another reason. On a mobile app, you might find a link to the notice in the settings menu. In a retail store, you might find the notice on a printed form used to collect your personal information.

A business’s privacy policy is a written statement that gives a broad picture of its online and offline practices for the collection, use, sharing, and sale of consumers’ personal information. The CCPA requires business privacy policies to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination.

Most businesses post their privacy policy on their websites. A link to it can usually be found at the bottom of the homepage and other webpages. The link’s title may include “Privacy” or “California Privacy Rights.” In a mobile app, the privacy policy may be linked on the download page for the app or in the app’s settings menu.

E. REQUESTS TO DELETE PERSONAL INFORMATION (RIGHT TO DELETE)

You may request that businesses delete personal information they collected from you and to tell their service providers to do the same. However, there are many exceptions that allow businesses to keep your personal information.

Businesses must designate at least two methods for you to submit your request—for example, a toll-free number, email address, website form, or hard copy form. Businesses do not have to provide an online form for requesting deletion.

Businesses cannot make you create an account just to submit a deletion request, but if you already have an account with the business, it may require you to submit your request through that account.

Make sure you submit your deletion request through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request.

If a business’s designated method of submitting requests to delete is not working, notify the business in writing and consider submitting your request through another designated method if possible.

Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.

If you submitted a request to delete and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request.

Businesses must verify that the person making a request to delete is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

There are exceptions to the right to delete. Common reasons why businesses may keep your personal information include:

  • The business cannot verify your request
  • To complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
  • For certain business security practices
  • For certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided
  • To comply with legal obligations, exercise legal claims or rights, or defend legal claims
  • If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA

See Civil Code sections 1798.105(d) and 1798.145 for more exceptions.

If you do not know why a business denied your request to delete, follow up with the business to ask it for its reasons.

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to delete to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Creditors, collection agencies, and other debt collectors can still try to collect debts that you owe even if you asked them to delete your personal information. Learn more about debt collectors—including what they can and can’t do—here.

Credit reporting agencies like Equifax, Experian, and TransUnion can still collect and disclose your credit information, subject to regulation under the Fair Credit Reporting Act. Learn more about your rights under the Fair Credit Reporting Act here. Learn more about how to check and fix your credit report here.

F. RIGHT TO NON-DISCRIMINATION

Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.

However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.

Businesses can also offer you promotions, discounts and other deals in exchange for collecting, keeping, or selling your personal information. But they can only do this if the financial incentive offered is reasonably related to the value of your personal information. If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.

G. DATA BROKERS AND THE CCPA

Another California law, Civil Code section 1798.99.80, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” This law exempts certain businesses that are regulated by other laws from this definition. Exempted businesses include consumer reporting agencies (commonly known as credit bureaus) and certain financial institutions and insurance companies.

Data brokers collect information about consumers from many sources including websites, other businesses, and public records. The data broker analyzes and packages the data for sale to other businesses.

The California law on data brokers requires data brokers covered by the law to register with the Attorney General and to provide certain information on their practices. The Data Broker Registry can be found on the Attorney General’s website at https://oag.ca.gov/data-brokers.

Data brokers are subject to the CCPA. On the Data Broker Registry website, you will find contact information and a website link for each registered data broker, as well as additional information to help you exercise your CCPA rights.

You can click on the “View Full Submission” link on the Data Broker Registry to get instructions on how to opt-out of the sale of your personal information. However, you may not be able to stop the sale of all of your information. The CCPA’s definition of “personal information” does not include information lawfully made available from government records, which are often sources used by data brokers.

You can also go to a data broker’s website through the link posted on the Registry and find the broker’s privacy policy to learn more about its privacy practices and how to exercise your CCPA rights.