Consumer Rights Granted by the CCPA (CPRA)

Consumer Rights Granted by the CCPA (CPRA)

The California Consumer Privacy Act (CCPA) as amended by the CPRA, gives Californian consumers certain rights over how businesses collect, use, and process their personal information. The CCPA (CPRA) ensures that Californians can:

  • Buy goods and services online without opting in to online marketing,
  • Opt out of marketing without the risk of discrimination, and
  • Ask businesses to delete their personal information after it's collected

The CCPA (CPRA) is one of the most comprehensive and far-reaching privacy laws in the United States. It greatly enhances the consumer rights available to Californian citizens, and it is designed to give Californians similar rights as European Union (EU) citizens have over their personal data under the General Data Protection Regulation (GDPR).

In this article, we'll look at the important consumer rights granted by the CCPA (CPRA), what they mean, and how you can display them appropriately in your Privacy Policy.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate". Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

Does the CCPA (CPRA) Apply to Your Business?

The CCPA (CPRA) applies to for-profit businesses that operate in California and meet at least one of the following criteria:

  • Have a gross annual revenue greater than $25 million
  • Buy, receive, or sell the personal information of 100,000 or more California residents, households or devices, or
  • Generate at least 50% of their annual revenue by selling California residents' personal information

This is defined in section 1798.140 (C) of the text of the act:

CCPA full text Section 1798 140 C - Definition of Business with CPRA update

Note that this is different than it was before the CPRA updates took effect.

What is Personal Information Under the CCPA (CPRA)?

What is Personal Information Under the CCPA (CPRA)?

Personal information is fairly easy to categorize. Basically, personal information is any information which can be used to identify an individual, their family, or their home address. Examples of personal information include:

  • Home address
  • Email address
  • IP address
  • Name
  • Date of birth
  • Passport or social security number
  • Biometric data
  • Geometric and other location data

There's a bigger breakdown of examples of personal information in Subsection O of Section 1798.140:

California Legislative Info: CCPA Section 1798 140 - Definition of personal information

Note that this list is non-exhaustive, meaning there are other pieces of information which could be classified as personal data.

What Consumer Rights are Granted by the CCPA (CPRA)?

What Consumer Rights are Granted by the CCPA (CPRA)?

The consumer rights granted to Californians under the CCPA (CPRA) are:

  • The right to access the personal information that has been collected
  • The right to correct inaccurate personal information
  • The right to know what personal information is being collected
  • The right to opt out of sharing, processing and selling of information
  • The right to opt out of automated decision-making technology
  • The right of opting in for minors
  • The right of data portability
  • The right to limit the use and disclosure of sensitive personal information
  • The right to non-discrimination and non-retaliation
  • The right to request deletion of personal data from the business that collected it and anyone who it was shared with

The responsibility of informing consumers of these rights and others falls squarely on business' shoulders.

Now we'll look at the rights individually to help you address each in your Privacy Policy. Addressing each of the rights in your Privacy Policy is the ideal way to stay compliant while providing your user base with the required information.

Right to Access Information

The right to access allows residents of California to have access to the personal data that businesses collect on them. This means that residents of the state can request a copy of the specific personal information a business holds on them.

Here's an example from Cancer Research UK. It may be a charity, but it's an example of a very clear and concise access clause that's simple to understand and straightforward in its terms. Clarity and user-friendliness are key to complying with the CCPA:

Cancer Research UK Privacy Statement: Right to access your personal information clause

Cancer Research UK's clause tells people that:

  • They have a right to access the information held on them
  • They can ask for a copy of the personal data stored on them
  • There are at least two ways the individual can contact the company to access the data

Here's how A.P. Chem Beauty lists out exactly how the right of access works, where a user makes a request that gets verified, and then specific information is disclosed. Listing out all of the information a user can receive is not necessary, but it is helpful:

AP Chem Beauty Privacy Policy: Right of Access section

In terms of legal exceptions, there are very few instances where a company can legally withhold information from a user. The exception typically only applies when, for example, you're storing the data to handle a complaint or lawsuit, or the consumer makes numerous repetitive demands to see their data within a short space of time.

Right to Correct Inaccurate Personal Information

Consumers in California have the right to request that businesses correct any of their personal information that's inaccurate.

After receiving and verifying the authenticity of a correction request, businesses must make a reasonable effort to make the necessary corrections in accordance with regulations.

Note that there are exceptions when businesses may not have to comply with the consumer's request, like when the requestor's identity can't be verified and when complying would put undue burden on the company.

Here's how San Diego-based commercial and residential moving company Corovan addresses the right to correct inaccurate information in its Privacy Policy, along with some other rights:

Corovan Privacy Policy: Choices regarding the information we collect clause excerpt

Right to Know What Personal Information is Collected

Essentially, consumers have a right to know:

  • What categories of personal information you plan on collecting from them
  • Why the collection is necessary
  • Who you intend to share the personal information with, and why
  • How they can opt out of anything other than essential data collection (that includes, for example, collecting personal data to complete a transaction and arrange goods delivery)

Here's how OpenAI addresses the right to know in its Privacy Policy:

OpenAI Privacy Policy: California Privacy Rights clause excerpt

It's important to note that consumers should be told about these rights before the information is collected. It's also worth noting that the consumer must be re-informed if you plan on changing the amount of data you collect or if you want to change who you're sharing it with.

The best practice way to satisfy the right to know is by having and displaying an informative Privacy Policy.

Here's how Waterstones links to its Privacy Policy in its website footer so that it's always easily and freely accessible from any page to any website visitor:

Waterstones website footer with Privacy Notice link highlighted

The Privacy Policy sets out, in detail, what personal information Waterstones collects, and how it is used. You'll see that Waterstones uses bullet points and short paragraphs to make it easy for consumers to read the clauses.

First, the types of personal information collected are broken down:

Waterstones Privacy Notice: What personal data is collected clause

Next, it's explained why this data is collected:

Waterstones Privacy Notice: What personal data is used for clause

Next, the categories of third parties to whom the personal data is disclosed, and why, is included:

Waterstones Privacy Notice: Third party sharing clause

Right to Opt Out of Sharing, Processing and Selling

Under the CCPA (CPRA), every consumer has the right to object to you selling their data to any third party, for any purpose. Moreover, if a consumer tells you that you can't sell their data, you can't ask them for their consent again for at least 12 months from the day they give you their objection.

You can read about this right in Section 1798.120 of the CCPA:

California Legislative Info: CCPA Section 1798 120 - Do not sell personal information section

It's common for businesses who do not sell personal data to third parties to also disclose this in their Privacy Policy.

California-based heavy-duty truck sales and service company Inland Kenworth addresses the right to opt out in its Privacy Policy as follows:

Inland Kenworth Privacy Policy: Right to opt out of the sale of personal data section

Some businesses choose not to sell or share the personal data they collect because it limits liability and puts customers at ease.

Just keep in mind that if a customer opts out of having their data collected, you're prohibited from asking them for consent again for at least one year.

The CCPA (CPRA) requires the displaying of a Do Not Sell My Personal Information link, like SeaWorld does here:

SeaWorld website footer with Do Not Sell or Share My Personal Information link highlighted

For more information, check out our feature article: Creating and Displaying a "Do Not Sell My Personal Information" Page

Right to Opt Out of Automated Decision-Making Technologies

The CCPA (CPRA) allows consumers to opt out of the use of automated decision-making, profiling and other similar technologies.

Automated decision-making and profiling are generally defined as processes that evaluate personal aspects of a natural person and predict future behavior.

The types of information analyzed during the automated decision-making and profiling processes can include work, health, finance, and personal preference data to name just a few.

Here's an example of a clause that addresses this right:

23andMe Privacy Policy: Automated individual decision-making including profiling clause

Right to Opt in for Minors

Because children are particularly vulnerable, they're granted a number of age-specific rights under the CCPA (CPRA).

For example, businesses are only permitted to sell personal information collected from a child known be younger than 16 if they get authorization first. This affirmative authorization can be given by the child and is referred to as the right to opt in for minors.

On the other hand, for children younger than 13, authorization can only be granted by a parent or legal guardian.

Here's how heavy-duty truck manufacturer PACCAR addresses the collection of children's data in its Privacy Statement:

PACCAR Privacy Statement: Users under 16 years old section

PACCAR also includes a link to an email address for users who have additional questions about the company's data collection policies.

Right to Data Portability

Under the CCPA (CPRA), consumers enjoy the right to data portability. This means that upon request, the collector must provide their data in an easily readable and commonly used format so that they can transfer or migrate it to another entity.

If they'd rather not do it themselves, consumers in California can also exercise their right to portability by requesting that a business transit some or all of their data to another entity for them.

State Street clearly lays out how users can exercise their Right to Data Portability:

State Street CCPA Rights and Choices: Exercising Access Data Portability and Deletion Rights section

State Street also lets users know that their identity must be verified before a request can be acted upon, and that access and portability requests can only be made no more than two times in any 12-month period.

Right to Limit the Use and Disclosure of Sensitive Personal Information

When defining sensitive personal information, the CCPA (CPRA) includes more than a dozen data points including:

  • Religious beliefs
  • Sexual orientation
  • Political leanings
  • Health and medical information
  • Geographic location

Under the CRPA amendments, Californians are able to request that a business only use their sensitive personal information when it's necessary to deliver goods or provide services.

The CPRA also introduced the requirement of an additional link on each company's homepage with the heading, Limit the Use of My Sensitive Personal Information.

Here's how Lynx displays a link in its website footer for more information about how a user can limit the use of sensitive personal information:

Lynx website footer with Limit the Use of My Sensitive Personal Information link highlighted

The linked webpage notifies readers of their right to limit the use of their sensitive personal information and how they can exercise it in a number of ways:

Lynx Limit the Use of My Sensitive Personal Information page excerpt

Right to Non-Discrimination and Non-Retaliation

When it comes to the collection of personal data, Californians have the right to non-discrimination, non-retaliation, and equality.

In other words, businesses can't discriminate or retaliate against a consumer just because he or she refused to consent (opted out) to having personal data collected.

Here's how Inland Kenworth notes that it doesn't discriminate against customers who exercise their rights:

Inland Kenworth Privacy Policy: Right to not be discriminated against section

Under the terms of the CCPA (CPRA), discrimination generally includes the following:

  • Refusing to sell products or services
  • Offering discounts or other incentives to customers who consent to data collection or opt into marketing schemes
  • Providing inferior products or services to customers who opt out

Right to Request Deletion

If you're a business owner or data collector, it's important to know that consumers can request that you delete their information at any time.

To make this as easy as possible and avoid non-compliance issues down the road, it makes sense to inform them how they can initiate the process and what to expect every step of the way.

Businesses are generally required to make a good faith effort to comply with customer deletion requests, but in the following instances you may not be required to do so:

  • You can't verify who sent the request
  • Complying with the request may create a security issue
  • Deletion would make difficult or impossible to complete a transaction, initiate a recall, or deliver a product or service
  • You're currently complying with other legal obligations that take precedence
  • The customer is requesting the deletion of information that the CCPA (CPRA) specifically exempts

SeaWorld addresses the right to deletion in its Privacy Policy as follows:

SeaWorld Privacy Policy: Deletion Request Rights section

SeaWorld also informs customers that in cases where deletion requests are denied, the company will explain why they haven't complied.

In regard to the right to deletion, it's also worth noting that:

  • You must let customers know how to submit a deletion request
  • Two means of communication must be provided (an email address is enough for online businesses)
  • You can't require a customer to create an account before submitting his or her deletion request
  • You must respond to deletion requests within 45 business days (this can be extended to 90 days with proper notification)
  • Businesses are required to pass the deletion request on to third parties


The CCPA (CPRA) provides various consumer rights that limit how businesses collect, store, and share Californian's personal data.

Under the act, Californians have the following rights:

  • The right to access the personal information that has been collected
  • The right to correct inaccurate personal information
  • The right to know what personal information is being collected
  • The right to opt out of sharing, processing and selling of information
  • The right to opt out of automated decision-making technology
  • The right of opting in for minors
  • The right of data portability
  • The right to limit the use and disclosure of sensitive personal information
  • The right to non-discrimination and non-retaliation
  • The right to request deletion of personal data from the business that collected it and anyone who it was shared with

Note these rights and how users can exercise them within your Privacy Policy to help ensure compliance.