California Consumer Privacy Act (CCPA)

These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA. They are not legal advice, regulatory guidance, or an opinion of the Attorney General. We will update this information periodically.

A. GENERAL INFORMATION ABOUT THE CCPA

1. What rights do I have under the CCPA?

You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.

2. What if I am not a California resident?

Only California residents have rights under the CCPA. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.

3. What is considered personal information and sensitive personal information under the CCPA?

Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

Sensitive personal information is a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Consumers also have the right to limit a business’s use and disclosure of their sensitive personal information.

Personal information does not include publicly available information (including public real estate/property records) and certain types of information.

4. What is not considered personal information under the CCPA?

Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records. The definition of publicly available information also includes information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or certain information disclosed by a consumer and made available if the consumer has not restricted the information to a specific audience.

The CCPA also exempts certain types of information such as certain medical information and consumer credit reporting information.

5. What businesses does the CCPA apply to?

6. Does the CCPA apply to nonprofits or government agencies?

The CCPA generally does not apply to nonprofit organizations or government agencies.

7. What can I do if I think a business violated the CCPA?

You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days to respond in writing that it has cured the violations and that no further violations will occur. If the business is able to actually cure the violation and gives you its written statement that it has done so, you cannot sue the business, unless it continues to violate the CCPA contrary to its statement.

For all other violations of the CCPA, only the Attorney General or the California Privacy Protection Agency may take legal action against non-compliant entities. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint. Starting on July 1, 2023, you also will be able to file complaints with the California Privacy Protection Agency for violations of the CCPA, as amended, occurring on or after that date.

8. What kind of data breach can I sue a business for under the CCPA?

This personal information must have been stolen in nonencrypted and nonredacted form. In addition, the personal information must have been stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. Before suing, you must give the business written notice of which CCPA sections it violated and allow 30 days to respond in writing that it has cured the violations and that no further violations will occur. If the business is able to actually cure the violation and gives you its written statement that it has done so, you cannot sue the business, unless it continues to violate the CCPA contrary to its statement.

9. Do businesses need to comply with the statutory CPRA amendments to the CCPA that went into effect on January 1, 2023?

Yes. As of January 1, 2023, the CPRA’s amendments to the CCPA are in effect, and businesses are required to comply with all express statutory requirements. Businesses are also required to comply with those CCPA regulations currently in effect.

10. Are there any CCPA regulations currently in effect?

Yes. The California Department of Justice promulgated an initial round of regulations implementing the CCPA on August 14, 2020, and further amended them on March 15, 2021. Those regulations were recently updated by the California Privacy Protection Agency. These regulations appear in Title 11, Division 6, Section 7001 et seq. of the California Code of Regulations and were effective on March 29, 2023.

11. Are the statutory exemptions for employee data and business-to-business transactions still in effect?

No. The exemptions for employment-related personal information and personal information reflecting business-to-business transactions described in Civil Code Sec. 1798.145(m)-(n) expired on December 31, 2022.

12. Can I use an authorized agent to submit a request?

Yes. You may authorize another person to submit a CCPA request on your behalf. You may also authorize a business entity registered with the California Secretary of State to submit a request on your behalf.

Please note that if you use an authorized agent, businesses may require more information from either the authorized agent or from you to verify that you are the person directing the agent. For example, for requests to know or delete your personal information, the business may require the authorized agent to provide proof that you gave that agent signed permission to submit the request. Businesses may also require you to verify your identity directly with the business or directly confirm with the business that you gave the authorized agent permission to submit the request.

B. RIGHT TO OPT-OUT OF SALE OR SHARING

1. What is the right to opt-out?

You may request that businesses stop selling or sharing your personal information (“opt-out”). Note that sharing refers specifically to sharing for cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites. With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information.

2. Can businesses sell a child’s personal information?

Businesses can only sell the personal information of a child that they know to be under the age of 16 if they get affirmative authorization (“opt-in”) for the sale of the child’s personal information. For children under the age of 13, that opt-in must come from the child’s parent or guardian. For children who are at least 13 years old but under the age of 16, the opt-in can come from the child.

3. How do I submit my opt-out request?

Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request. Businesses also should not require you to verify your identity, though they can ask you basic questions to identify which personal information is associated with you.

You can also submit an opt-out request via a user-enabled global privacy control, like the GPC, discussed in FAQs 8 and 9 below. If you can’t find a business’s “Do Not Sell or Share My Personal Information” link, review its privacy policy to see if it sells or shares personal information. If the business does, it must also include that link in its privacy policy.

If a business’s “Do Not Sell My Personal Information” link or other designated method of submitting opt-out requests is not working or is difficult to find, you may report the business to our office (https://oag.ca.gov/contact/consumer-complaint-against-business-or-company).

4. How long does the business have to respond to my opt-out request?

Businesses must respond as soon as feasibly possible to your request, up to a maximum of 15 business days from the date they received your request to opt-out.

5. Why is the business asking me for more information?

While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask you for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose.

6. Why did the business deny my opt-out request?

If you do not know why a business denied your opt-out request, follow up with the business to ask it for its reasons.

7. Why did I get a response that the business is a service provider that does not have to act on my request?

Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA.

The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to opt-out to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself.

If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

8. What is the GPC?

Businesses that sell or share personal information must offer two or more methods for consumers to submit requests to opt-out of the sale of their personal information. For businesses that collect personal information from consumers online, one acceptable method for consumers to opt-out of sales or sharing is via a user-enabled global privacy control, like the GPC. Developed in response to the CCPA and to enhance consumer privacy rights, the GPC is a ‘stop selling or sharing my data switch’ that is available on some internet browsers, like Mozilla Firefox, DuckDuckGo, and Brave, or as a browser extension. It is a proposed technical standard that reflects what the CCPA regulations contemplated – some consumers want a comprehensive option that broadly signals their opt-out request, as opposed to making requests on multiple websites on different browsers or devices. Opting out of the sale or sharing of personal information should be easy for consumers, and the GPC is one option for consumers who want to submit requests to opt-out of the sale or sharing of personal information via a user-enabled global privacy control. Under law, it must be honored by covered businesses as a valid consumer request to stop the sale or sharing of personal information.

9. How do I submit my opt-out request using the GPC?

To learn more about the GPC, you can visit its website here. Developers have begun to innovate around the GPC and created different mechanisms for consumers, such as EFF’s Privacy Badger extension or the Brave Privacy Browser.