The California Privacy Protection Agency’s (Agency) mission is to protect consumer privacy, ensure businesses and consumers are well‐informed about their rights and obligations, and vigorously enforce the California Consumer Privacy Act (CCPA).
These FAQs provide information about the Agency and the CCPA, the rights consumers have under the CCPA, and how to exercise these rights. The FAQs also provide information about the Agency’s rulemaking process to adopt regulations to implement the CCPA.
These FAQs are not legal advice, regulatory guidance, or an opinion of the California Privacy Protection Agency, nor do they implement, interpret, or make specific any law or regulation. We will update this information periodically.
The California Consumer Privacy Act of 2018 gives consumers certain rights over the personal information businesses collect about them and requires businesses to inform consumers about how they collect, use, and retain their personal information. This landmark legislation was the first comprehensive consumer privacy law passed in the United States.
In 2020, California voters approved Proposition 24, the California Privacy Rights Act. The CPRA amended the CCPA by adding additional consumer privacy rights and obligations for businesses. It also established this Agency and tasked it with responsibilities including implementing and enforcing the law and educating the public on their rights and obligations under the law. The CPRA amended the CCPA; it did not create a separate, new law. As a result, the Agency typically refers to the law as “CCPA” or “CCPA, as amended.” The CPRA amendments to the CCPA went into effect on January 1, 2023.
As of January 1, 2023, California residents have the following rights:
Businesses that are subject to the CCPA must honor these rights and provide methods by which consumers can exercise these rights. They must also comply with the law’s purpose limitation and data minimization rules. This means businesses must limit the collection, use, and retention of your personal information to only those purposes that: (1) a consumer would reasonably expect, (2) are compatible with the consumer’s expectations and disclosed to the consumer, or (3) purposes that the consumer agreed to, as long as the consent given wasn’t obtained through dark patterns. For all of these purposes, the business’ collection, use, and retention of the consumer’s information must be reasonably necessary and proportionate to serve those purposes.
Businesses also have additional responsibilities, including making certain disclosures to consumers about their privacy practices, such as posting a privacy policy.
The California Privacy Protection Agency was created to protect Californians’ consumer privacy. Established in 2020 by Proposition 24, the Agency is governed by a five-member board. The Agency implements and enforces the CCPA, and has several responsibilities, including:
The CCPA provides privacy rights to California residents. A California resident is a person (not a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state. It includes California residents that are employees or job applicants, and contacts for business customers, vendors, or independent contractors. For more information about the rights California residents have under the CCPA, see For California Residents section.
The CCPA applies to for-profit businesses that collect consumers’ personal information (or have others collect personal information for them), determine why and how the information will be processed, do business in California, and meet any of the following thresholds:
The CCPA also applies to some entities controlled by these businesses, certain joint ventures or partnerships made up of these businesses, and those persons that voluntarily certify to be subject to the CCPA.
Additionally, the CCPA imposes separate obligations on service providers and contractors (who contract with businesses to process personal information) and other recipients of personal information from businesses.
The CCPA does not generally apply to nonprofit organizations or government agencies.
For more information about businesses' obligations under the CCPA, see For Businesses section.
Personal information is information that identifies, relates to, or could reasonably be linked to a particular consumer or household. For example, it could include a consumer’s name, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences about the consumer’s preferences and characteristics.
Personal information includes sensitive personal information, which is a term used to describe certain kinds of personal information that are more sensitive in nature. For example, sensitive personal information includes things like social security numbers and driver’s license numbers; information that would allow someone to access your financial account or other kind of account; your precise geolocation; the contents of your mail, email, and text messages; genetic data; biometric information used to identify a consumer; or information about a consumer’s health, sex life, sexual orientation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership. Consumers have the right to limit a business’s use and disclosure of their sensitive personal information.
Personal information does not include publicly available information. The definition of publicly available information includes information a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or certain information disclosed by a consumer and made available if the consumer has not restricted the information to a specific audience.
You can find a copy of the California Consumer Privacy Act, as amended, as well as information regarding the purpose and intent of the law, on our Law & Regulations page.
The Office of the Attorney General also provides information about the CCPA, how consumers can exercise their rights and file complaints, and information about other California privacy laws.
The CCPA provides California residents with six major privacy rights. Learn how to exercise those rights here.
The CCPA also gives you the right to be notified of the types of personal information a business is collecting and what they may do with the information. Businesses cannot make you waive these rights, and any contract provision that says you waived these rights is unenforceable.
Delete, Correct, or Know: Review the business’s privacy policy, which must include instructions on how you can submit your request. Businesses must generally designate at least two methods for you to submit your requests to delete, correct, or know your personal information — for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests. Make sure you submit your request to delete, correct or know through one of the business’s designated methods, which may be different from its normal customer service contact information.
Opt-out of sale or sharing: Businesses must honor opt-out preference signals (“OOPS”) that meet certain requirements, such as the Global Privacy Control, as a valid request to opt-out of sale/sharing. An opt-out preference signal is a simple way to opt-out of the sale or sharing of personal information. For example, an OOPS may be a setting on your internet browser or a browser extension that automatically sends your choice to opt-out of sale/sharing of your personal information to covered businesses you visit online. In most instances, businesses must also provide a clear and conspicuous link on their websites labeled “Do Not Sell or Share My Personal Information,” “Your Privacy Choices,” or “Your California Privacy Choices” in the footer or header of their website. The link must allow you to individually exercise your right to opt-out of sale/sharing with that business.
Limit use and disclosure of sensitive personal information: Businesses that use or disclose your sensitive personal information for purposes outside those provided for in the statute must provide a clear and conspicuous link on their websites labeled “Limit the Use of My Sensitive Personal Information,” “Your Privacy Choices,” or “Your California Privacy Choices” in the footer or header of their website. The link must allow the visitor to individually exercise the right to limit the use and disclosure of sensitive personal information.
Businesses subject to the right to opt-out of sale/sharing and the right to limit are also required to include information about how to exercise those rights in their privacy policy. If it is difficult to find or use the business’s methods for submitting CCPA requests, you should notify the business through the contact information provided in their privacy policy. You can also file a complaint with the Agency.
Delete, Correct, or Know: Businesses must confirm receipt of your request within 10 business days and must substantively respond to your request to delete, correct, or know your personal information within 45 calendar days. They can extend the deadline by another 45 days (90 days total) if they notify you.
Opt-out of Sale/Sharing, Limit the Use of Sensitive Personal Information: Businesses must comply with your request as soon as feasibly possible, up to a maximum of 15 business days from the date they received your request.
In some instances, a business may deny your request to delete, correct, know, opt-out of sale/sharing, or limit:
Delete: Common reasons why businesses may deny your request to delete your personal information include:
Correct: Common reasons why businesses may deny your request to correct your personal information include:
Know: Common reasons why businesses may deny your request to know your personal information include:
Opt-out of sale or sharing of personal information: Common reasons why businesses may deny your request to opt-out of the sale or sharing of your personal information include:
Limit use and disclosure of sensitive personal information: Common reasons why businesses may deny your request to limit the use and disclosure of your sensitive personal information include:
If you do not know why a business denied your request, follow up with the business to ask for its reasons.
Data brokers are businesses that collect and sell the personal information of consumers with whom they do not have a direct relationship. California law requires data brokers to register with the Data Broker Registry and provide information to help you exercise your CCPA rights.
Beginning on January 1, 2024, the Agency will take over the management of the Data Broker Registry. The Agency is also tasked with establishing by January 1, 2026 a deletion mechanism that allows consumers to request from all data brokers the deletion of all personal information related to the consumer through a single deletion request. More information about the Data Broker Registry and the deletion mechanism can be found in this announcement.
Businesses subject to the CCPA are required to post their privacy policy through a link using the word “privacy” on their homepage and other webpages. A link can usually be found at the bottom of a business’s website. For mobile apps, a link to the privacy policy should also be available on the download page for the app or in the app’s settings menu.
If you believe a business, service provider, third-party, or contractor has violated the CCPA, you can submit a complaint. You can also file a consumer complaint with the Office of the Attorney General.
You cannot sue businesses for most CCPA violations. However, you can sue a business under the CCPA if there is a data breach. View more information about the types of data breaches for which you currently can sue a business under the CCPA.