The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them. This landmark law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;

The right to delete personal information collected from them (with some exceptions);

The right to opt-out of the sale of their personal information; and

The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

Frequently Asked Questions (FAQs)

These FAQs provide general consumer information about the CCPA and how you can exercise your rights under the CCPA. They are not legal advice, regulatory guidance, or an opinion of the Attorney General. We will update this information periodically.

A. GENERAL INFORMATION ABOUT THE CCPA

1. What rights do I have under the CCPA? If you are a California resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, to delete your personal information and not to sell your personal information. You also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information. Generally, businesses cannot discriminate against you for exercising your rights under the CCPA. Businesses cannot make you waive these rights, and any contract provision that says you waive these rights is unenforceable. 2. What if I am not a California resident? Only California residents have rights under the CCPA. A California resident is a natural person (as opposed to a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state. 3. What is considered personal information under the CCPA? Personal information is information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics. 4. What is not considered personal information under the CCPA? Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records. 5. What businesses does the CCPA apply to? The CCPA applies to for-profit businesses that do business in California and meet any of the following: Have a gross annual revenue of over $25 million;

Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or

Derive 50% or more of their annual revenue from selling California residents’ personal information. 6. Does the CCPA apply to nonprofits or government agencies? No. The CCPA does not apply to nonprofit organizations or government agencies. 7. What can I do if I think a business violated the CCPA? You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. If you want to sue for statutory damages, you must give the business written notice of which CCPA sections it violated and give it 30 days to give you a written statement that it has cured the violations in your notice and that no further violations will occur. You cannot sue for statutory damages for a CCPA violation if the business is able to cure the violation and gives you its written statement that it has done so, unless the business continues to violate the CCPA contrary to its statement. For all other violations of the CCPA, only the Attorney General can file an action against businesses. The Attorney General does not represent individual California consumers. Using consumer complaints and other information, the Attorney General may identify patterns of misconduct that may lead to investigations and actions on behalf of the collective legal interests of the people of California. If you believe a business has violated the CCPA, you may file a consumer complaint with the Office of the Attorney General. If you choose to file a complaint with our office, explain exactly how the business violated the CCPA, and describe when and how the violation occurred. Please note that the Attorney General cannot represent you or give you legal advice on how to resolve your individual complaint. 8. What kind of data breach can I sue a business for under the CCPA? You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following: Your social security number

Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity

Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account

Your medical or health insurance information

Your fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes) This personal information must have been stolen in nonencrypted and nonredacted form.

Back To Top

B. REQUESTS NOT TO SELL PERSONAL INFORMATION

(RIGHT TO OPT-OUT OF SALE)

1. What is the right to opt-out? You may request that businesses stop selling your personal information (“opt-out”). With some exceptions, businesses cannot sell your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale of your personal information. 2. Can businesses sell a child’s personal information? Businesses can only sell the personal information of a child that they know to be under the age of 16 if they get affirmative authorization (“opt-in”) for the sale of the child’s personal information. For children under the age of 13, that opt-in must come from the child’s parent or guardian. For children who are at least 13 years old but under the age of 16, the opt-in can come from the child. 3. How do I submit my opt-out request? Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous “Do Not Sell My Personal Information” link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account in order to submit your request. Make sure you submit your opt-out request through the “Do Not Sell My Personal Information” link or through another method that the business designates for opt-out requests, which may be different from its normal customer service contact information. If you can’t find a business’s “Do Not Sell” link, review its privacy policy, which must include that link. If a business’s “Do Not Sell” link or other designated method of submitting opt-out requests is not working, notify the business in writing and consider submitting your request through another designated method if possible. 4. Why is the business asking me for more information? While businesses are not required to verify that the person submitting an opt-out request is really the consumer for whom the business has personal information, they may need to ask you for additional information to make sure they stop selling the right person’s personal information. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose. 5. Why did the business deny my opt-out request? There are some exceptions to the opt-out right. Common reasons why businesses may refuse to stop selling your personal information include: If a sale is necessary for the business to comply with legal obligations, exercise legal claims or rights, or defend legal claims

If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA See Civil Code section 1798.145 for more exceptions. If you do not know why a business denied your opt-out request, follow up with the business to ask it for its reasons. 6. Why did I get a response that the business is a service provider that does not have to act on my request? Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA. The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to opt-out to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself. If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Back To Top

C. REQUESTS TO KNOW PERSONAL INFORMATION

(RIGHT TO KNOW)

1. What is the right to know? You may request that businesses disclose to you what personal information they have collected, used, shared, or sold about you, and why they collected, used, shared, or sold that information. Specifically, you may request that businesses disclose: The categories of personal information collected

Specific pieces of personal information collected

The categories of sources from which the business collected personal information

The purposes for which the business uses the personal information

The categories of third parties with whom the business shares the personal information

The categories of information that the business sells or discloses to third parties Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge. 2. How do I submit my request to know? Businesses must designate at least two methods for you to submit your request—for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests to know. Businesses cannot make you create an account just to submit a request to know, but if you already have an account with the business, it may require you to submit your request through that account. Make sure you submit your request to know through one of the business’s designated methods, which may be different from its normal customer service contact information. If you can’t find a business’s designated methods, review its privacy policy, which must include instructions on how you can submit your request. If a business’s designated method of submitting requests to delete is not working, notify the business in writing and consider submitting your request through another designated method if possible. 3. How long does the business have to respond to my request to know? Businesses must respond to your request within 45 calendar days. They can extend that deadline by another 45 days (90 days total) if they notify you. If you submitted a request to know and have not received any response within the timeline, check the business’s privacy policy to make sure you submitted your request through the designated way. Follow up with the business to see if the business is subject to the CCPA and to follow up on your request. 4. Why is the business asking me for more information? Businesses must verify that the person making a request to know is the consumer about whom the business has personal information. Businesses may need to ask you for additional information for verification purposes. If the business asks for personal information to verify your identity, it can only use that information for this verification purpose. 5. Why did the business deny my request to know? There are some exceptions to the right to know. Common reasons why businesses may refuse to disclose your personal information include: The business cannot verify your request

The request is manifestly unfounded or excessive, or the business has already provided personal information to you more than twice in a 12-month period

Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information

Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims

If the personal information is certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA See Civil Code section 1798.145 for more exceptions. If you do not know why a business denied your request to know, follow up with the business to ask it for its reasons. 6. Why did I get a response that the business is a service provider that does not have to act on my request? Many businesses use other businesses to provide services for them. For example, a retailer may contract with a payment card processor to process customer credit card transactions or a shipping company to deliver orders. These entities may qualify as “service providers” under the CCPA. The CCPA treats service providers differently than the businesses they serve. It is the business that is responsible for responding to consumer requests. If you submit a request to know to a service provider of a business instead of the business itself, the service provider may deny the request. You must submit your request to the business itself. If a service provider has said that it does not or cannot act on your request because it is a service provider, you may follow up to ask who the business is. However, sometimes the service provider will not be able to provide that information. You may be able to determine who the business is based on the services that the service provider provides, although sometimes this may be difficult or impossible.

Back To Top

D. REQUIRED NOTICES

Back To Top

E. REQUESTS TO DELETE PERSONAL INFORMATION

(RIGHT TO DELETE)

Back To Top

F. RIGHT TO NON-DISCRIMINATION

Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.

However, if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction.

Businesses can also offer you promotions, discounts and other deals in exchange for collecting, keeping, or selling your personal information. But they can only do this if the financial incentive offered is reasonably related to the value of your personal information. If you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information. If you are not sure how your request may affect your participation in a special offer, ask the business.

Back To Top

G. DATA BROKERS AND THE CCPA

Back To Top