CCPA: Consumer Rights
Consumer Rights [§ 1798.100-106]
Rule: California consumers have comprehensive rights over their personal information, including rights to know, delete, correct, port, and opt-out.
Right to Know [§ 1798.100, 110]
Consumers can request disclosure of:
| Information Type | Description |
|---|---|
| Categories collected | What types of PI you collected |
| Sources | Where you got the PI |
| Purpose | Why you collected/used it |
| Categories shared | What types you disclosed to third parties |
| Third parties | Who received the PI |
| Specific pieces | The actual data collected about them |
Lookback period: 12 months preceding the request (the business can provide more).
Right to Delete [§ 1798.105]
Consumers can request deletion of their personal information.
Business must:
- Delete the PI from records
- Direct service providers/contractors to delete
- Notify third parties to delete (if sold/shared)
Exceptions — may deny deletion if needed for:
| Exception | Example |
|---|---|
| Complete a transaction | Fulfill an order |
| Security | Detect security incidents |
| Debug | Fix functionality errors |
| Free speech | Exercise or defend legal claims |
| Legal compliance | Comply with legal obligation |
| Research | Public interest research (with safeguards) |
| Internal uses | Reasonably aligned with consumer expectations |
Right to Correct [§ 1798.106]
Consumers can request correction of inaccurate personal information.
Business must:
- Use commercially reasonable efforts to correct
- Consider the nature of PI and purposes of processing
Business may require documentation supporting the correction.
Right to Data Portability [§ 1798.100(d)]
When requesting specific pieces of PI, consumers can request data in a:
- Portable format
- Readily useable format
- Format allowing transmission to another entity without hindrance
Right to Opt-Out of Sale/Sharing [§ 1798.120]
Consumers have the right to direct a business to not sell or share their personal information.
- Business must respect opt-out
- Must provide “Do Not Sell or Share My Personal Information” link
- Must honor Global Privacy Control (GPC) signals
- Cannot require account creation to opt-out
Right to Limit Sensitive PI Use [§ 1798.121]
Consumers can direct businesses to limit use of sensitive personal information to:
- Performing services/providing goods requested
- Ensuring security and integrity
- Short-term transient use (non-profiling)
- Performing services on behalf of business
- Verifying/maintaining quality
- Other purposes where opt-out not permitted
Right to Non-Discrimination [§ 1798.125]
Businesses cannot discriminate against consumers who exercise rights:
| Prohibited | Allowed |
|---|---|
| Denying goods/services | Offering financial incentives for data |
| Charging different prices | Price differences reflecting data value |
| Providing different quality | Loyalty programs with notice |
| Threatening any of the above | Differential service if data necessary |
Authorized Agents [§ 1798.140(e)]
Consumers can designate an authorized agent to make requests on their behalf.
Business can require:
- Written permission from consumer
- Direct verification of consumer identity
- Agent registration with Secretary of State (for opt-out)
Exercising Rights — Response Timeline
| Step | Timeline |
|---|---|
| Confirm receipt | Within 10 business days |
| Respond to request | Within 45 calendar days |
| Extension (if needed) | Additional 45 days with notice |
| Denial | Must explain reasons and appeal rights |