Frequently Asked Questions (FAQs)

The California Privacy Protection Agency’s mission is to protect the consumer privacy of Californians. As part of this mission, the Agency seeks to promote public awareness of consumers’ rights and businesses’ obligations under California’s landmark consumer privacy law, the California Consumer Privacy Act of 2018 (“CCPA”).

These FAQs provide information about the Agency and the CCPA, the rights consumers have under the CCPA, and how to exercise these rights. These FAQs also provide information about the Agency’s current rulemaking to adopt regulations to implement the CCPA, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and how members of the public can submit comments on these proposed regulations.

These FAQs are not legal advice, regulatory guidance, or an opinion of the California Privacy Protection Agency. We will update this information periodically.

General Information about the CCPA

The California Consumer Privacy Act gives consumers more control over the personal information that businesses collect about them. The CCPA currently provides consumers with certain rights regarding their personal information, including:

  • The right to delete personal information collected from them;
  • The right to know what personal information a business has collected about them and how it is used and shared;
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

In November of 2020, California voters approved Proposition 24, the CPRA, which amended the CCPA and added new privacy protections that begin on January 1, 2023. Starting in 2023, consumers will have new rights in addition to those above, such as:

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

Businesses that are subject to the CCPA have several responsibilities, including responding to consumer requests to exercise these rights and making certain disclosures to consumers about their privacy practices, such as posting a privacy policy.

The California Privacy Protection Agency was created to protect Californians’ consumer privacy. Established in 2020, the Agency is governed by a five-member board that consists of experts in privacy, technology, and consumer rights. The Agency implements and enforces the CCPA, and has several responsibilities, such as:

  • Promoting public awareness of consumers’ rights and businesses’ responsibilities under the CCPA. These FAQs are intended to provide information to consumers and businesses about the CCPA and its forthcoming changes in 2023.
  • Adopting regulations in furtherance of the CCPA. The Agency may issue regulations to achieve the CCPA’s goals, including rules that operationalize the CCPA’s requirements, update existing regulations, and consolidate requirements to make the regulations easier to follow and understand. More information about the Agency’s current rulemaking, and how to submit comments or attend the hearings online or in person, can be found here.
  • Enforcement of the CCPA. The Agency is tasked with enforcing the CCPA through administrative enforcement actions. It has the ability to investigate possible violations, provide businesses with an opportunity to cure, and take enforcement actions.

The CCPA provides privacy rights to California residents. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state.

The CCPA currently applies to for-profit businesses that do business in California, collect consumers’ personal information (or have others collect personal information for them), determine why and how the information will be processed, and meet any of the following thresholds:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

These thresholds will change beginning on January 1, 2023. Starting in 2023, to meet the second threshold, businesses must annually buy, sell, or share the personal information of 100,000 or more consumers or households. In addition, the last threshold will include businesses that derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.

  • The CCPA also imposes separate obligations on service providers (which process personal information on a business’s behalf) and other recipients of personal information from businesses.
  • The CCPA does not apply to nonprofit organizations or government agencies.

Personal information is information that identifies, relates to, or could reasonably be linked with a particular consumer or household. For example, it could include a consumer’s name, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences made about the consumer’s preferences and characteristics.

Sensitive personal information is a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Beginning in 2023, consumers will have an additional right to limit a business’s use and disclosure of that subset of personal information.

Personal information and sensitive personal information do not include publicly available information, which is information lawfully made available from government records. In 2023, the definition of publicly available information will also include information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or certain information disclosed by a consumer and made available if the consumer has not restricted the information to a specific audience.

You can find the California Consumer Privacy Act, as amended by Proposition 24 (the California Privacy Rights Act), here. The current CCPA regulations provide guidance on the CCPA’s implementation, and the Office of the Attorney General’s FAQs provide information about the CCPA and how consumers can exercise their rights today. The Agency has also proposed regulations implementing the CPRA’s amendments to the CCPA.

For California Residents

You have the right to ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information, and not to sell your personal information:

  • Right to know: You can request that a business disclose to you: (1) the categories and/or specific pieces of personal information they have collected about you, (2) the categories of sources for that personal information, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information that the business sells or discloses to third parties. You can make a request to know up to twice a year, free of charge.
  • Right to delete: You can request that businesses delete personal information they collected from you and tell their service providers to do the same, subject to certain exceptions (such as if the business is legally required to keep the information).
  • Right to opt-out of sale: You may request that businesses stop selling your personal information (“opt-out”). Businesses cannot sell your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again.

When exercising these rights, be aware of:

How to submit your requests

  • Know or Delete: Review the business’s privacy policy, which must include instructions on how you can submit your request. Businesses must generally designate at least two methods for you to submit your requests to know or delete your personal information — for example, an email address, website form, or hard copy form. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests. Make sure you submit your request to know or delete through one of the business’s designated methods, which may be different from its normal customer service contact information.
  • Opt-out of sale: Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. You can also submit an opt-out request via a user-enabled global privacy control, and can find more information about the control here. If you can’t find a business’s “Do Not Sell My Personal Information” link, review its privacy policy to see if it sells personal information. If the business does, it must also include that link in its privacy policy. If it is difficult to find or use the business’s “Do Not Sell My Personal Information” link or other designated method of submitting opt-out requests, you can notify the business using the Attorney General’s Consumer Privacy Tool.

Where to find a business’s privacy policy

Most businesses post their privacy policy on their websites. A link can usually be found at the bottom of the homepage and other webpages. The link’s title may include “Privacy” or “California Privacy Rights.” For mobile apps, a link to the privacy policy should be available on the download page for the app or in the app’s settings menu.

How to exercise CCPA rights with respect to data brokers

Another California law, Civil Code section 1798.99.80, defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The California law on data brokers requires data brokers to register with the Attorney General and to provide certain information about their business practices. The Data Broker Registry can be found on the Attorney General’s website here. On the Data Broker Registry website, you will find contact information and a website link for each registered data broker, as well as additional information to help you exercise your CCPA rights.

How long a business has to respond to your requests

  • Know or Delete: Businesses must respond to your request to know or delete your personal information within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you.
  • Opt-out of sale: Businesses must respond as soon as feasibly possible to your request, up to a maximum of 15 business days from the date they received your request to opt-out.

Why the business may deny your request

In some instances, a business may deny your request to know, delete, or opt-out of sale:

  • Know: Common reasons why businesses may refuse to disclose your personal information include:
    • The business cannot verify your identity to complete your request
    • The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period
    • Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information
    • Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims
    • The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA
  • Delete: Common reasons why businesses may refuse to delete your personal information include:
    • The business cannot verify your identity to complete your request
    • The business needs your information to complete your transaction, provide a reasonably anticipated product or service, or for certain warranty and product recall purposes
    • For certain business security practices
    • The business needs your information for certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided
    • To comply with legal obligations, exercise legal claims or rights, or defend legal claims
    • The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA
  • Opt-out of sale: Common reasons why businesses may refuse to stop selling your personal information include:
    • A sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims
    • The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.

If you do not know why a business denied your opt-out request, follow up with the business to ask for its reasons.

Lastly, you also have the right to be notified, before or at the point the business collects your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable.

You can find more information about how you can exercise your rights here.

In addition to your rights to know, delete, opt-out of the sale of your personal information, and non-discrimination, you also will have new rights starting next year. These rights were created as part of amendments to the CCPA under Proposition 24, which California voters passed in November 2020.

Starting next year, you may ask businesses to correct inaccurate information that they have about you. In addition, you can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested.

Businesses will be required to notify you of how you can exercise these rights in their privacy policies.

You cannot sue businesses for most CCPA violations. In limited circumstances, you can sue a business under the CCPA if there is a data breach. More information about the types of data breaches for which you currently can sue a business under the CCPA can be found here.

For all other violations of the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with the Attorney General, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint. In addition, starting in 2023, you also will be able to file complaints with the Agency. Patterns of misconduct identified in consumer complaints and other information may lead to investigation and subsequent enforcement of the CCPA on behalf of the collective legal interests of the people of the State of California.

Regulations

The California Privacy Protection Agency is currently engaged in formal rulemaking activities. In Fall 2021, the Agency solicited preliminary written comments from the public. In Spring 2022, it held Informational and Stakeholder sessions and posted all materials on its website. On May 27, 2022, the Board posted a meeting notice and agenda for its June 8, 2022 meeting, which included as one of its items “Discussion and Possible Action Regarding Proposed Regulations, Sections 7000 to 7304, to Implement, Interpret, and Make Specific the California Consumer Privacy Act of 2018, as Amended by the California Privacy Rights Act of 2020, Including Possible Notice of Proposed Action.” The draft proposed regulations were made available to the public as part of the June 8 meeting materials. On June 8, 2022, the Board approved the draft proposed regulations for the formal rulemaking process and authorized the Executive Director to take steps necessary to begin the rulemaking process. On July 8, 2022, the Agency published its notice of proposed action in the California Regulatory Notice Register, beginning the formal rulemaking process. Below is a Q&A to provide more information about the proposed regulations and the regulations process.

When Proposition 24 created the new state agency, the California Privacy Protection Agency, it established its governance by a five-member Board. The Board holds rulemaking authority, meaning that it must decide to begin the formal rulemaking process under California’s Administrative Procedures Act (APA) for draft proposed regulations. The Board decides to begin formal rulemaking in a public meeting that complies with the Bagley-Keene Open Meeting Act. This law requires the Agency to post notice of any Board meeting on the Internet at least 10 days in advance, with notice including the specific agenda for the meeting and a brief description of the items to be discussed. In addition, any writings that are or will be distributed to the Board, that relate to an item that will be discussed at a public meeting, must also be made available to the public. Draft proposed regulations are a writing.

To commence the formal rulemaking process as set forth in the APA, the Agency filed a Notice of Proposed Rulemaking Action, referred to as a “NOPA”, the text of the proposed regulations, and an initial statement of reasons (ISOR) describing the reasons for the draft proposed regulations. The NOPA is posted on the Agency’s website and published in the California Regulatory Notice Register, which marks the first day that formal rulemaking begins.

The public will have the opportunity to comment on the draft proposed regulations multiple times during the formal rulemaking process. Filing a NOPA opens the initial public comment period, which runs for at least 45 days and provides an opportunity to submit written public comments to the Agency. The Agency will also hold a public hearing. In the NOPA, the Agency provides specific instructions on how the public may send written comments on the proposed regulations and attend a public hearing to provide oral comments. For tips on writing an effective public comment, see here.

Under the APA, if the Agency proposes any substantive change related to the original text of the proposed regulations after the initial comment period, it will open an additional public comment period for at least 15 days and consider any comments received on those proposed modifications. The Agency is required to summarize and respond to every public comment in its Final Statement of Reasons (FSOR), which will accompany the text of the final regulations in a package submitted to the Office of Administrative Law (OAL). For more information on the formal rulemaking process, see here. If you would like to receive notifications regarding rulemaking activities, please subscribe to our email list here.

On April 21, 2022, rulemaking authority under the CCPA formally transferred from the Attorney General to the Agency. Just like the Attorney General’s rulemaking process, the Agency’s rulemaking process will comply with the APA. One main difference between the two rulemaking processes is that the Attorney General did not have to comply with Bagley-Keene because the Department of Justice is led by the Attorney General, as opposed to being a state body that is controlled by a Board. This is why, for example, the first time the public viewed the Attorney General’s proposed CCPA regulations was when the Department of Justice filed its NOPA and began formal rulemaking. The Board will also comply with Bagley-Keene throughout formal rulemaking. This means that each time the Board discusses the proposed regulations, it will be in a public meeting that includes 10 days' advance notice to the public, with any writings distributed to the Board made available to the public.

Proposition 24, also known as the “California Privacy Rights Act of 2020” or “CPRA”, amended or reenacted the California Consumer Privacy Act of 2018, or the “CCPA.” The law vests the Agency with “full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018.” This is because the CPRA amended the CCPA; it did not create a separate, new law. The proposed regulations seek to update existing regulations and add new rules to implement and interpret the language in the text of the CCPA, as amended by the CPRA. Further, many of the regulations reorganize and restate the existing statute and regulations, to make it easier to read as a standalone document.

The Agency is currently seeking public comment on the proposed rules that (1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand. If you would like to participate, you can submit written comments to the Agency via email at regulations@cppa.ca.gov or via mail to: California Privacy Protection Agency, Attn: Brian Soublet, 2101 Arena Blvd., Sacramento, CA 95834. You also can attend or speak at a public hearing that will be held on August 24 and 25, 2022.

More information about the draft rules, and how to submit comments or attend the hearings online or in person, can be found here.