Consumer rights under the CCPA

The California Consumer Privacy Act (CCPA) protects California residents' data privacy. The Act guarantees a set of core CCPA rights, which are supplemented by two additional rights under the California Privacy Rights Act (CPRA).

Consumers can bring court actions against private companies if they breach these rights, potentially leading to severe penalties. As a result, companies active in California must know where they stand regarding CCPA rights.

This article will explain each consumer right and what it means in practice. We will provide everything you need to know to ensure robust CCPA compliance.

Who has privacy rights under the CCPA?

Rights empower individuals or collectives to access resources, make decisions, and obtain justice. Under the CCPA, rights apply to California residents. However, this does not simply refer to the state's permanent population.

The law defines a rights holder as a "natural person" who is a "California resident."

The term "Natural person" identifies the rights holder as a human being (not a corporation or other organized body). This part is clear. However, the definition of California residents requires explanation.

Firstly, a California resident is present in the state for a reason that is neither "temporary" nor "transitory." Rights holders must be rooted in a California community via rental agreements, family relationships, or employment.

That's not all. The California Consumer Privacy Act also covers permanent California residents who leave the state temporarily.

Individuals do not automatically gain CCPA rights by entering California, and they do not lose them when they leave. The crucial thing to note is that rights apply to actual California residents, not vacationers or transitory workers.

Understanding CCPA rights

It should be simple to identify those with rights under CCPA and individuals who do not qualify. However, what are those rights, and what duties do they impose on companies in California?

The following section explains each CCPA right to help you understand your compliance obligations.

Right to know (or "notice")

Under CCPA, residents have the right to know what personal information companies hold about them. Rights holders can request information about how companies collect, use, share, and sell their personal information. Companies must also disclose the reason for data collection and usage/sharing.

Businesses must provide information about the categories of personal information they collect. Residents can ask for specific information and categories of information the company sells or shares. They can also enquire about the identity of third parties that receive customer information.

Note: Consumer requests only apply to the previous 12-month period. Personal information collected before that point is not covered by CCPA. Companies must fulfil valid requests without charging a fee or obstructing the exercise of CCPA rights.

The Act also limits the number of consumer requests each individual can make. Companies can reject requests if the individual has made over two similar requests in the previous 12 months.

Right to delete ("erasure")

CCPA grants California residents the right to delete personal information that companies hold about them. The right to erasure applies to companies, third parties, and service providers.

The right to erasure is not absolute. Several exceptions apply. For example, companies can refuse deletion requests if:

  • The requested information is already publicly available (for example, in government databases)
  • The request involves medical or financial information. These personal data categories fall under other regulatory frameworks.
  • The company cannot verify the identity or nature of the request.
  • Deleting personal information will prevent the company from providing a "reasonably anticipated product or service."
  • The consumer requests the deletion of warranty information. This is not covered by CCPA.
  • Deleting information contravenes the company's legal obligations.

Right to opt out

Under CCPA, consumers have a right to opt out of sharing and selling personal information. The right to opt-out generally refers to cross-context online marketing (i.e. tracking cookies and other digital data collection systems).

Companies must include a "Do Not Sell or Share My Personal Information" link on their website that is conspicuous and easy to use. This link must also be included in the company's CCPA privacy policy.

When California residents exercise their right to opt out, companies cannot repeat their request within the following 12-month period.

Note: CCPA also includes a right to opt-in for minors. If website visitors are under 16, companies must request their consent to collect, share, and sell personal information. If the child is under 13, consent must be provided by a parent or legal guardian. Minors aged 13-16 can provide consent themselves.

Understanding CCPA rights

Right to non-discrimination

This right ensures companies cannot punish consumers for exercising their rights under the CCPA. Businesses must provide consistent service, regardless of the number of the consumer's personal information requests.

For example, companies cannot provide discounts to customers who agree to waive their CCPA rights or raise prices for each subsequent access request. Businesses can offer incentives to share personal information. However, these bonuses must be proportionate to the value of the personal data involved.

Right to data portability

The CCPA guarantees California residents the right to expect personal information in a portable format. Customers must be able to move their personal information between service providers without excessive costs or obstructions.

Companies must provide personal information in a portable format (avoiding proprietary or obscure file types or extensive paper records).

Private Right of Action

The Private Right of Action enables Californians to sue covered entities following data privacy violations. For example, citizens can initiate court proceedings if a company fails to take reasonable action to prevent data breaches.

If the violation does not involve a data breach, rights holders must file a complaint with the Office of the State Attorney General. The Attorney General will decide whether to pursue regulatory action, depending on the severity of the violation.

Rights added by the CPRA

The 2020 California Privacy Rights Act supplements the CCPA in a couple of significant areas. CPRA adds extra protections for categories of personal information and empowers residents to gain more control over their data privacy.

Right to amend or correct personal information

Rights holders can also change the personal information that companies hold about them. This applies if the consumer's personal information is inaccurate or incomplete.

Businesses can reject correction requests if a request is excessive, it involves medical information, or the customer makes repeated requests to change personal data in the same year.

Right to limit the use and disclosure of sensitive personal information

The CPRA goes beyond limiting data sharing or selling. The updated CCPA framework gives rights holders more control over how businesses use their personal information.

California residents can limit the use of personal information for business purposes. This right covers all data categories regulated by the CCPA, including geolocation data, social security numbers, and street addresses.

This new right makes it critically important to write robust privacy statements. Businesses must clearly explain what they will do with personal information, who will use it, and why they collect data. Privacy policies should also note data retention periods.

Note: As of 2025, the right to limit data use and disclosure was part of a formal rulemaking process. The scope of the right may expand or contract when fully implemented and tested by compliance actions.

Put CCPA rights at the heart of your compliance strategy

Companies selling to California consumers must foreground rights in their data privacy systems.

The CCPA grants residents extensive rights over their personal data, including access, deletion, opt-out, and protection against discrimination. After the passing of the CPRA, Californians can limit how companies use data, and correct personal information too.

Integrating CCPA rights into your security and privacy practices achieves more than avoiding compliance violations. It also builds trust and enhances transparency, precious commodities in a world of ever-growing demands for privacy and data security.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consult a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.

Learn next

Network security
Zero Trust
Secure Access Service Edge (SASE)
Cloud security
Virtual Private Network (VPN)
Identity access management (IAM)
Firewall
Access control
PCI-DSS
Regulatory compliance