What is the CCPA?
The California Consumer Privacy Act (CCPA) is California's consumer-data law. It took effect January 1, 2020, and was expanded by the California Privacy Rights Act (CPRA) effective January 1, 2023. The combined framework, codified at California Civil Code §1798.100–§1798.199, gives California residents the right to know, access, delete, correct, and opt out of the sale of their personal data, plus the right to limit use of sensitive personal information.
The seven core rights
California residents have the right to:
- Know what personal data businesses collect.
- Access a copy of their personal data from the past 12 months.
- Delete their personal data, with limited exceptions.
- Correct inaccurate personal data.
- Opt out of sale or sharing of personal data, including for cross-context behavioral advertising.
- Limit use of sensitive personal information (SSN, precise geolocation, health, race, religion, sexual orientation).
- Non-discrimination for exercising any of the above.
The Delete Act (SB 362)
Signed in 2023, the Delete Act adds two things on top of CCPA:
- Every data broker doing business in California must register annually with the California Privacy Protection Agency (CPPA).
- DROP — the Delete Request and Opt-out Platform. Operated by the CPPA. One California resident can submit one deletion request through DROP and every registered data broker must honor it. The first universal-deletion mechanism in the US.
Enforcement
The California Privacy Protection Agency (CPPA), created by CPRA and the first dedicated state privacy agency in the US, enforces CCPA. The agency investigates complaints filed at privacy.ca.gov and can issue fines up to $7,500 per intentional violation. Businesses must respond to a verified consumer request within 45 calendar days.
Who counts as a "California resident"
Anyone domiciled in California or in California for other than a temporary or transitory purpose. Vacationers and short-term visitors don't qualify. People with California addresses, California driver's licenses, or who file California taxes do qualify.
Practically: most US data brokers honor CCPA-cited requests from any US resident because maintaining a separate California-only flow is more expensive than just complying nationally. Lead with CCPA citation even if you're not actually a California resident — many brokers won't check.