California
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
California's CCPA gives you the right to opt out of data brokers.
What the CCPA does for you
Under the CCPA, you have the right to know what personal information businesses collect about you and why, to access a copy of that data, to delete it, to correct inaccuracies, to opt out of its sale or sharing, and to limit how businesses use your sensitive information. You also have the right to be treated fairly whether or not you exercise these rights. This law applies to for-profit businesses that meet certain size or revenue thresholds and do business in California.
Your rights under the CCPA
Right to Know
You have the right to ask a business to tell you what personal information it has collected about you, where it came from, why it was collected, who it was shared with, and the specific pieces of information it holds. Businesses must respond within 45 days and provide the information free of charge.
Exceptions: Does not apply to household data; Business only required to respond twice in a 12-month period to the same consumer; Does not require disclosure of trade secrets; Does not apply to deidentified or aggregate consumer information; Does not cover educational standardized assessment responses where disclosure would jeopardize validity.
Source: Cal. Civ. Code §§ 1798.110, 1798.115, 1798.130
Right to Delete
You have the right to request that a business delete the personal information it has collected from you. Once the business receives and verifies your request, it must delete your data and instruct its service providers and contractors to do the same.
Exceptions: Does not apply when data is needed to complete a transaction or fulfill a contract; Does not apply when needed to ensure security and integrity; Does not apply when needed to debug or repair existing functionality; Does not apply when needed to exercise free speech; Does not apply when needed to comply with the California Electronic Communications Privacy Act; Does not apply to scientific, historical, or statistical research with informed consumer consent; Does not apply to internal uses reasonably aligned with consumer expectations; Does not apply when needed to comply with a legal obligation; Does not apply to student grades, scores, or test results held on behalf of an educational agency at which the student is currently enrolled.
Source: Cal. Civ. Code §§ 1798.105(a), 1798.105(d)
Right to Correct
You have the right to ask a business that holds inaccurate personal information about you to correct it. The business must use commercially reasonable efforts to make the correction you request.
Exceptions: Corrections that would involve disproportionate effort may be declined; Business may decline requests to correct information that is actually accurate; Does not apply to household data.
Source: Cal. Civ. Code § 1798.106
Right to Opt Out of Sales
You have the right at any time to tell a business to stop selling or sharing your personal information with third parties. Businesses must have a clear 'Do Not Sell or Share My Personal Information' link on their website. After you opt out, the business must wait at least 12 months before asking you to opt back in.
Exceptions: Does not apply to transfers of personal information as part of a merger, acquisition, or bankruptcy where the recipient uses it consistently with the original terms; Does not apply to disclosures to service providers or contractors acting under written contracts; Does not apply if every aspect of the commercial conduct takes place wholly outside California.
Source: Cal. Civ. Code §§ 1798.120, 1798.135
Right to Data Portability
When you request your personal information, businesses must provide it in a format that is easily understandable and, to the extent technically feasible, in a structured, commonly used, machine-readable format that you can transmit to another entity without hindrance.
Exceptions: Does not include data generated solely to ensure security and integrity; Personal information is not considered disclosed when you instruct a business to transfer your data in the context of switching services.
Source: Cal. Civ. Code § 1798.130(a)(2)(A), § 1798.130(a)(3)(B)(iii)
Right to Non-Discrimination
Businesses cannot penalize you for exercising your privacy rights. They cannot deny you goods or services, charge you different prices, provide you a lower quality of service, or retaliate against you as an employee or contractor because you exercised a right under the CCPA.
Exceptions: Businesses may offer financial incentives or different prices if reasonably related to the value of your data, provided you opt in voluntarily; Businesses may offer loyalty, rewards, or discount programs consistent with the law.
Source: Cal. Civ. Code § 1798.125
Right to Limit Sensitive Data
You have the right to tell a business to limit its use of your sensitive personal information — such as your Social Security number, precise location, racial or ethnic origin, health data, genetic data, neural data, or the contents of your messages — to only what is necessary to provide the goods or services you requested. Businesses that use sensitive data for other purposes must provide a 'Limit the Use of My Sensitive Personal Information' link on their website.
Exceptions: Businesses may still use sensitive personal information for security and integrity purposes; Sensitive personal information collected or processed without the purpose of inferring consumer characteristics is not subject to this right and is treated as regular personal information.
Source: Cal. Civ. Code §§ 1798.121, 1798.135(a)(2)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a CCPA deletion or opt-out request. Covered businesses have 45 days to respond (Cal. Civ. Code § 1798.130(a)(2)(A), § 1798.140(ak)), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The CCPA explicitly permits consumers to use an authorized agent — a person or service like Optery — to submit privacy rights requests on their behalf, including both deletion and opt-out requests (Cal. Civ. Code § 1798.100 et seq.).
Enforcement and penalties
The CCPA is enforced by California Privacy Protection Agency and California Attorney General. Businesses that violate the CCPA can face administrative fines of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving the personal information of consumers under 16. The California Privacy Protection Agency handles administrative enforcement, while the Attorney General can bring civil actions seeking the same penalty amounts.
Can you sue directly? Consumers may sue directly only for data breaches involving their nonencrypted and nonredacted personal information (as defined in Cal. Civ. Code § 1798.81.5(d)(1)(A)), or their email address combined with a password/security question, that resulted from the business's failure to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Who does the CCPA apply to?
The CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds: (1) annual gross revenues over $25 million, (2) annually buy, sell, or share the personal information of 100,000 or more consumers or households, or (3) derive 50% or more of their annual revenue from selling or sharing consumers' personal information. Non-profit organizations and smaller businesses that don't meet these thresholds are generally not covered.
Frequently asked questions
Which businesses have to follow the CCPA?
The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenues over $25 million, buying/selling/sharing data of 100,000+ consumers or households per year, or deriving 50% or more of annual revenues from selling or sharing consumer data (Cal. Civ. Code § 1798.140(d)(1)). Non-profits and smaller businesses that don't hit these thresholds are generally exempt, though they can voluntarily certify compliance.
How do I submit a privacy request and how long does a business have to respond?
Businesses covered by the CCPA must provide at least two ways to submit requests — including at minimum a toll-free phone number — and must maintain a web form if they have a website. Businesses have 45 days to respond to your request and may extend this by another 45 days if they notify you within the first 45 days (Cal. Civ. Code § 1798.130(a)(2)(A)). Responses must be provided free of charge.
Can I sue a business directly under the CCPA?
You can only bring a private lawsuit under the CCPA in limited circumstances — specifically if your personal information (such as your name plus SSN, financial account details, or health information as defined in Cal. Civ. Code § 1798.81.5) was exposed in a data breach due to the business's failure to maintain reasonable security (Cal. Civ. Code § 1798.150). You can seek statutory damages of $100–$750 per consumer per incident or actual damages, whichever is greater. For other CCPA violations, you must file a complaint with the California Privacy Protection Agency or Attorney General.
What is sensitive personal information and can I limit how businesses use it?
Sensitive personal information includes things like your Social Security number, precise geolocation, racial or ethnic origin, religious beliefs, health data, genetic data, neural data, the contents of your messages, financial account credentials, and biometric data used to identify you (Cal. Civ. Code § 1798.140(ae)). You have the right to direct businesses to limit the use of your sensitive personal information to what is necessary to provide the services you requested, by using the 'Limit the Use of My Sensitive Personal Information' link on the business's website (Cal. Civ. Code § 1798.121).
Can someone else submit a privacy request on my behalf?
Yes. You can authorize another person — including a service like Optery — to submit privacy rights requests on your behalf, including requests to opt out of the sale or sharing of your personal information and requests to delete, access, or correct your data (Cal. Civ. Code §§ 1798.135(e), 1798.140(ak)). Businesses are required to comply with requests from properly authorized agents. You can also submit opt-out requests through browser or platform opt-out preference signals.