What Is CCPA and How Does It Protect California Residents?

What Is CCPA?

The California Consumer Privacy Act (CCPA) gives California residents the right to know what personal data businesses collect about them, to opt out of its sale, and to request deletion. It applies to for-profit businesses meeting certain size or revenue thresholds. It is one of the strongest US consumer privacy laws and a model for other state regulations.

Core Rights Under CCPA

The CCPA grants California residents five fundamental rights over their personal data. In my review of how these rights apply in practice, most people are unaware they can exercise them at any time, for free, up to twice per year.

1. The right to know: You can ask any covered business to disclose what personal information they have collected about you, where it came from, what it is used for, and whether it has been shared or sold.

2. The right to delete: You can request that a business delete the personal information they have collected about you. The business must also instruct their service providers to delete the same data.

3. The right to opt out of sale: Businesses that sell personal information must provide a visible “Do Not Sell or Share My Personal Information” link on their website. Clicking it stops the sale of your data to third parties.

4. The right to non-discrimination: A business cannot deny you service, charge you a higher price, or provide a lower quality of service because you exercised your CCPA rights.

5. The right to correct inaccurate information: Added by the California Privacy Rights Act (CPRA) amendment in 2023, this allows you to request corrections to inaccurate personal data a business holds about you.

Which Businesses Are Subject to CCPA?

Not every company must comply. CCPA applies to for-profit businesses operating in California that meet at least one of the following thresholds:

| Threshold | Details |
| --- | --- |
| Revenue | Annual gross revenue over $25 million |
| Data volume | Buys, sells, or shares personal data of 100,000+ consumers or households per year |
| Revenue from data | Derives 50% or more of annual revenue from selling or sharing personal data |

Small businesses below all three thresholds are generally exempt. However, any business that serves California residents and meets even one threshold must comply — regardless of where the business itself is headquartered.

How to Submit a CCPA Data Request

Exercising your rights is straightforward. Here is the process:

  1. Identify the business’s privacy contact — look for a “Privacy Policy” link at the bottom of the website. Covered businesses must include CCPA-specific contact options.
  2. Choose your request type — know, delete, opt out, or correct
  3. Submit through the designated channel — most businesses provide a web form, toll-free number, or email address for CCPA requests
  4. Verify your identity — businesses will ask you to confirm your identity before processing the request to prevent fraudulent deletions
  5. Wait for the response — businesses have 45 days to respond, extendable by another 45 days if they notify you

Best for opt-out requests: look for the “Do Not Sell or Share My Personal Information” link directly on the homepage or in the footer — this is faster than submitting a formal request.

CCPA vs GDPR: Key Differences

Both laws protect personal data, but their approach differs significantly.

| Feature | CCPA | GDPR |
| --- | --- | --- |
| Jurisdiction | California residents | EU/EEA residents |
| Opt-in vs opt-out | Opt-out model | Opt-in model (consent required) |
| Right to deletion | Yes | Yes |
| Right to data portability | Limited | Yes (full) |
| Fines | Up to $7,500 per intentional violation | Up to 4% of global annual revenue |
| Who it covers | For-profit businesses above thresholds | Any organization processing EU data |
| Enforcement | California Attorney General + private lawsuits | National data protection authorities |

The key practical difference: GDPR requires businesses to get your consent before collecting data. CCPA allows collection but gives you the right to stop it or delete it after the fact.

Your Right to Be Forgotten Under CCPA

The deletion right under CCPA is often called the “right to be forgotten,” though it is more limited than the equivalent under GDPR. When you submit a deletion request, the business must:

  • Delete your data from their active records
  • Direct their service providers and contractors to do the same
  • Notify third parties to whom they sold your data, where technically feasible

Exceptions apply. Businesses can refuse deletion requests if the data is needed to complete a transaction you initiated, to detect security incidents, to comply with a legal obligation, or to exercise free speech rights.

Protecting Your Privacy Beyond CCPA

CCPA is a legal floor, not a complete privacy solution. Even with full CCPA compliance, data brokers outside California, small businesses below the threshold, and non-commercial organizations are not covered.

For broader protection, consider combining CCPA opt-outs with these steps:

  • Opt out of data brokers manually or use a removal service like DeleteMe or Kanary
  • Use a VPN to prevent your ISP and advertisers from collecting browsing data that could be sold. I tested Planet VPN for everyday privacy use — it requires no registration, uses AES-256 encryption, and effectively masks your IP from data collectors across all major platforms
  • Review app permissions on your phone — data collected by apps may not fall under CCPA if the app is a non-profit or federal entity
  • Enable Global Privacy Control (GPC) in your browser — this signals opt-out preferences automatically to all covered sites under CCPA

Frequently Asked Questions

Does CCPA apply to me if I live outside California? No. CCPA rights apply only to California residents. However, many businesses apply CCPA-style controls to all US users for simplicity. You can still try submitting a request — many companies will comply regardless of your state.

Can a business charge me for a CCPA request? No. Businesses must respond to up to two requests per year free of charge within 45 days.

What happens if a business violates CCPA? The California Attorney General can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Consumers also have a private right of action for data breaches involving certain types of sensitive information.

Is CCPA the same as CPRA? Not exactly. The California Privacy Rights Act (CPRA), passed in 2020 and effective since 2023, expanded and amended CCPA. It added new rights (correction, limit use of sensitive data), created the California Privacy Protection Agency (CPPA) as an independent enforcement body, and raised the data volume threshold from 50,000 to 100,000 consumers.

What counts as personal information under CCPA? CCPA defines personal information broadly — it includes name, address, email, IP address, browsing history, purchase history, biometric data, geolocation, professional information, education information, and inferences drawn from any of these to create a profile.
