A Consumer’s Guide to CCPA, CPRA, and Your Privacy Rights

California has the strongest consumer privacy laws in the United States. The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), gives residents powerful tools to control how their personal information is collected, used, and sold. This guide explains how these laws work and walks you through the practical steps to remove your information online.

Understanding California Privacy Laws

The CCPA became effective in January 2020 as California’s landmark privacy protection law. In 2020, California voters approved Proposition 24, the CPRA, which amended and strengthened the CCPA starting January 1, 2023. Together, these laws create a comprehensive framework that gives California residents unprecedented control over their personal data.

The California Privacy Protection Agency (CPPA) was established to implement and enforce these laws. Unlike the original CCPA, which was enforced by the California Attorney General, the CPPA now has primary responsibility for overseeing compliance and protecting consumer rights.

Who Does the Law Apply To?

The CCPA applies to for-profit businesses that collect personal information from California residents and meet any of these criteria: (1) Have annual gross revenues exceeding $26.625 million in the preceding calendar year, (2) Buy, sell, or share the personal information of 100,000 or more California residents or households, or (3) Derive 50% or more of their revenue from selling or sharing California residents’ personal information. These thresholds apply to businesses regardless of their physical location—if you have California customers, the law applies to you.

Your Privacy Rights Under California Law

California residents have multiple rights to control their personal information:

Right to Know: You can request what personal information a business has collected about you and how they use and share it.

Right to Delete: You can request that a business delete the personal information they collected from you. The business must delete it and tell their service providers to do the same.

Right to Correct: If a business has inaccurate personal information about you, you can ask them to correct it.

Right to Opt-Out of Sale or Sharing: You can tell businesses not to sell or share your personal information. This includes selling data to third parties for profit and sharing data for behavioral advertising purposes.

Right to Limit Use of Sensitive Personal Information: Sensitive information—such as health data, social security numbers, precise geolocation, and financial information—receives special protection. You can limit how businesses use this data.

How to Request Deletion of Your Personal Information

Here’s a step-by-step guide to exercise your right to delete with businesses:

1. Find the Privacy Policy: Look for a link labeled “Privacy,” “California Privacy Rights,” or “Your Privacy Choices” on the business’s website. This is usually at the bottom (footer) of the homepage or in the website’s header. In mobile apps, check the settings menu or download page.

2. Locate the Deletion Request Method: The privacy policy must provide at least two ways to submit deletion requests. These typically include an email address, online form, or toll-free phone number. If the business has a website, one method must be web-based.

3. Verify Your Identity: The business will ask you to prove you are who you claim to be. This protects against fraudulent deletion requests. Be prepared to provide identifying information such as your name, email, account number, or other details the business may request.

4. Submit Your Request: Clearly state that you want your personal information deleted. Use the exact method specified in the privacy policy.

5. Expect a Response: The business has 45 days to delete your information, with the option of a 45-day extension if they notify you. Depending on your situation, the business may deny your request if certain exceptions apply (such as if the deletion is needed to complete a transaction or fulfill a legal obligation).

Data Brokers: A Special Case

Data brokers are businesses that buy and sell personal information about consumers with whom they have no direct relationship. These companies compile data from public records and other sources and then sell detailed profiles to third parties. They represent a major privacy challenge because you may not even know they have your information.

The California Delete Act

Recognizing the challenge of dealing with hundreds of data brokers individually, California passed the Delete Act (Senate Bill 362) in October 2023. This law allows California residents to delete their information from all registered data brokers through a single, centralized request mechanism called the Delete Request and Opt-Out Platform (DROP).

How to Use DROP

The DROP platform makes it simple to request deletion from multiple data brokers at once:

1. Access DROP: Visit privacy.ca.gov/data-brokers/. You can begin signing up starting January 2026.

2. Create a Profile: Set up an account with basic personal information needed to verify your identity.

3. Submit a Delete Request: Once you submit your request through DROP, it is automatically sent to all registered data brokers. These companies must begin processing deletion requests starting August 1, 2026.

4. Track Responses: Data brokers are required to process deletion requests and must comply within the legal timeframe. The DROP platform allows you to track the status of your request.

What Information Can Data Brokers Delete?

Data brokers must delete all personal information they hold about you, subject to narrow exceptions. Information lawfully made available from government records—such as voter registration, birth certificates, and public court records—may not be deletable because brokers obtain this from public sources. However, most of the sensitive personal information data brokers maintain can be deleted through DROP.

Three Title Suggestions for This Article

1. California Privacy Laws: How to Remove Your Information Online

2. Taking Control: Your Guide to CCPA, CPRA, and Deleting Your Data

3. Privacy Rights in 2025: How California Law Lets You Delete Your Personal Information

Additional Steps You Can Take

Beyond formal deletion requests, you can further protect your privacy:

• Be selective about what you share online, especially on social media and when creating accounts

• Use privacy-focused browser settings and opt-out links on business websites for targeted advertising

• Consider using a virtual private network (VPN) to hide your internet activity from data brokers and internet service providers

• Limit app permissions—especially location access—which data brokers use to build profiles

• Monitor your credit reports and consider identity theft monitoring services if you’re concerned about data exposure

Penalties for Non-Compliance

California law takes violations seriously. The CPPA can impose civil penalties of up to $7,988 per intentional violation. The law’s enforcement arm is aggressive—the CPPA has already issued multi-million-dollar fines against companies for privacy violations. Additionally, California residents can sue businesses for data breaches caused by failure to maintain reasonable security, with statutory damages up to $750 per incident.

Final words

California’s privacy laws represent a fundamental shift in consumer power. You no longer have to accept invisible data collection and unregulated sales of your information. Whether you’re concerned about a specific business or want to remove your data from data brokers across the board, you now have clear, enforceable rights. For individual businesses, follow the steps outlined in their privacy policy. For data brokers, use the DROP platform starting January 2026 to submit deletion requests en masse. These tools may take some effort, but they give you real control over your personal information—something increasingly rare in the digital age.