Per-jurisdiction rights guide
Your Data Rights in California Under the CCPA/CPRA
A calm, factual walkthrough of what California's privacy law gives you — the right to know, delete, correct, and limit how businesses use your personal information — and the regulator you can turn to if a request goes wrong.
In short
If you are a California resident, the CCPA, as amended by the CPRA, gives you the right to know what personal information a business collects about you, to delete it, to correct it, to opt out of its sale or sharing, and to limit use of sensitive information. The California Privacy Protection Agency enforces these rights.
What the CCPA and CPRA actually give you
California has one of the strongest consumer privacy laws in the United States. The California Consumer Privacy Act (CCPA) took effect in 2020, and the California Privacy Rights Act (CPRA) amended and expanded it from 2023. Together they apply to California residents and to many for-profit businesses that handle Californians' personal information. The law speaks in terms of "personal information" — a broad category that covers things like your name, email address, location history, browsing activity, and online identifiers tied to you.
The core idea is straightforward: businesses must be transparent about the personal information they collect and why, and you get a set of rights to see and control it. These rights are yours to use directly — you make the request, and the business must respond within the timeframes the law sets. You do not need a lawyer to begin, and exercising a right cannot lawfully be held against you through worse prices or service (the law calls this the right to non-discrimination).
It helps to know the main rights the CCPA/CPRA gives California residents at a glance, before looking at how to use them.
- The right to know — to learn what personal information a business has collected about you, where it came from, why, and who it was shared with.
- The right to delete — to ask a business to delete personal information it collected from you, subject to certain exceptions.
- The right to correct — to ask a business to fix inaccurate personal information it holds about you (added by the CPRA).
- The right to opt out of the sale or sharing of your personal information, including for cross-context behavioural advertising.
- The right to limit the use of sensitive personal information, such as precise location, health, or account log-in details.
- The right to non-discrimination for exercising any of these rights.
How to use your rights in practice
Most businesses covered by the law must give you at least two ways to submit a request — commonly a toll-free number and a web form or email address — and many display a "Do Not Sell or Share My Personal Information" link in their footer or privacy menu. A good first step is to read a company's privacy policy, which is required to describe your rights and how to use them. From there you can send a request to know, delete, correct, opt out, or limit sensitive-data use.
The business generally has up to 45 days to respond to a verifiable request to know, delete, or correct, and may extend that once when reasonably necessary. For requests to know and to delete, it usually needs to verify your identity before acting, so it may ask for information to confirm you are who you say you are. Opt-out and limit requests do not require the same identity verification and should take effect promptly. You can also use an authorised agent, or a recognised browser opt-out signal, to exercise some of these rights on your behalf.
This article is general information, not legal advice. For guidance on your specific situation, consider speaking to a qualified professional or contacting the regulator directly. If you want to understand your wider digital footprint first, it can help to map which businesses and data brokers are likely to hold information about you, so your requests go to the right places.
Data brokers and where to get help
California also keeps a public register of data brokers — businesses that collect and sell personal information about people they do not have a direct relationship with. Brokers that meet the legal definition must register with the state, which means you can look up who they are and contact them with your CCPA/CPRA requests. A newer California law, the Delete Act, is also building a single deletion mechanism that will let residents ask registered data brokers to delete their information through one request, rather than contacting each one separately.
If a business does not respond, mishandles your request, or you believe it is breaking the law, you have somewhere to turn. The California Privacy Protection Agency (CPPA) is the dedicated regulator with authority to enforce the CCPA/CPRA, and the California Attorney General also has enforcement powers. You can report a complaint to the CPPA, which publishes guidance for consumers on how each right works and how to use it.
Understanding your own digital footprint — the accounts, services, and records tied to your identity — makes all of this far less daunting, because you already know roughly where your information lives before you ask anyone to act on it. This article is general information, not legal advice; the right that fits your situation, and the way to use it, can depend on the specific facts.
Frequently asked questions
Who is protected by the CCPA and CPRA?
The CCPA, as amended by the CPRA, protects California residents and gives them rights over the personal information that covered businesses collect about them. The law applies to many for-profit businesses that meet certain size or data-handling thresholds. If you live in California, you can generally exercise these rights directly with the businesses that hold your information.
What is the difference between the CCPA and the CPRA?
The CCPA is California's original consumer privacy law, effective from 2020. The CPRA is a 2020 ballot measure that amended and expanded it, with most provisions in force from 2023. The CPRA added rights such as correction and limiting the use of sensitive personal information, and it created the California Privacy Protection Agency to enforce the rules. People often refer to the combined framework as "the CCPA/CPRA."
How long does a business have to respond to my request?
For a verifiable request to know, delete, or correct, a business generally has up to 45 days to respond, and may extend that once when reasonably necessary. Opt-out and limit-use requests should take effect promptly and do not need the same identity verification. Timeframes and exact steps can vary, so check the business's privacy policy for how it handles requests.
Where do I complain if a business ignores my CCPA rights?
You can report the issue to the California Privacy Protection Agency (CPPA), the dedicated regulator that enforces the CCPA/CPRA, and the California Attorney General also has enforcement authority. Both publish guidance for consumers. This is general information, not legal advice — for your specific situation, consider contacting the regulator directly or a qualified professional.
Related terms
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Want to see what businesses hold about you?
OSINTA helps you understand your own digital footprint and prepare your own data-rights requests — calmly, and on your terms. You stay in control of every step.