California is home to the United States' most comprehensive consumer privacy legislation. The California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, gave California residents unprecedented rights over their personal data. Three years later, the California Privacy Rights Act (CPRA) — passed by ballot initiative in November 2020 — amended and significantly strengthened the CCPA, effective January 1, 2023.
Together, these laws have set the de facto national standard for data privacy in the United States, influencing every state law that followed. California's framework is widely compared to Europe's GDPR in its ambition and scope.
California residents have the following legally enforceable rights:
You can request what personal information a business has collected about you, where it came from, and why it's being processed.
You can request that businesses delete your personal information, with limited exceptions (legal obligations, security, etc.).
(Added by CPRA) You can request correction of inaccurate personal information that a business holds about you.
You can request a copy of your data in a portable, usable format to take it to another service provider.
You can tell businesses to stop selling or sharing your personal information with third parties for cross-context advertising.
(Added by CPRA) You can limit how businesses use or disclose your sensitive personal information, including SSN, precise location, and health data.
Businesses cannot penalize you for exercising your privacy rights — no degraded service, higher prices, or denial of services.
(Added by CPRA) You can opt out of automated decision-making technology in certain contexts, including profiling for significant decisions.
The CCPA/CPRA applies to for-profit businesses that do business in California AND meet at least one of these thresholds:
Annual gross revenue over $25 million — regardless of how much California data you process
Buy, sell, or receive personal information of 100,000+ California residents or households per year
Derive 50% or more of annual revenue from selling or sharing California consumers' personal information
Nonprofit organizations and government entities are generally exempt. Smaller businesses that don't meet any of these thresholds are also largely exempt — though they may be covered by other California laws like the California Online Privacy Protection Act (CalOPPA).
The CPRA created a special category of "Sensitive Personal Information" (SPI) with enhanced protections and a separate opt-out right. This includes:
Governor Jerry Brown signed the California Consumer Privacy Act, giving California residents unprecedented privacy rights for the first time.
The CCPA becomes enforceable. Businesses scramble to post "Do Not Sell My Personal Information" links on their websites.
California voters approved the California Privacy Rights Act by 56.2%, amending and strengthening the CCPA.
New CPRA rights become enforceable. The California Privacy Protection Agency (CPPA) is now the primary enforcement agency.
The CPPA is actively finalizing rules on automated decision-making, cybersecurity audits, and risk assessments.
Enforcement of the CCPA/CPRA is shared between the California Attorney General and the newly created California Privacy Protection Agency (CPPA).
Penalties can reach $2,500 per unintentional violation and $7,500 per intentional violation. For large breaches involving thousands of consumers, this can add up to hundreds of millions of dollars in fines. There is also a private right of action for consumers when their non-encrypted, non-redacted personal information is exposed in a data breach — with statutory damages between $100–$750 per consumer per incident.
The CCPA/CPRA applies only to California residents. If you live outside California, these specific rights may not apply to you — though your state may have its own privacy law. Check our State Laws directory for your state's protections.
To exercise your CCPA/CPRA rights with any covered business:
1. Find their privacy portal. Covered businesses must provide at least two methods to submit requests — typically a web form and a toll-free phone number. Look for a "Privacy" link at the bottom of any website, or search "[Company Name] + CCPA request."
2. Use a browser opt-out signal. Under the CPRA, businesses must respect the Global Privacy Control (GPC) browser signal, which automatically sends opt-out requests. Install the GPC extension and every covered site will honor your opt-out automatically.
3. Submit your request. Businesses must respond to access and deletion requests within 45 days (extendable to 90 with notice). Opt-out requests must be honored within 15 business days.