What Is the CCPA?
The California Consumer Privacy Act (CCPA) is the first and still the most widely-cited US state consumer privacy law. It grants California residents the rights to know, delete, correct, and opt out of the sale of their personal information — with real teeth: an independent enforcement agency and civil penalties up to $7,500 per intentional violation.
At a glance
- Full name
- California Consumer Privacy Act, amended by CPRA
- Effective dates
- CCPA: Jan 2020 · CPRA: Jan 2023
- Covers
- CA residents\u2019 personal info held by businesses meeting thresholds
- Response deadline
- 45 days (extendable to 90 with notice)
- Enforcement
- California Privacy Protection Agency + AG
- Penalties
- $2,500 per violation · $7,500 per intentional violation
Who the CCPA applies to
A business is covered if it collects California residents\u2019 personal information and meets any one of these thresholds:
- Has $25 million or more in annual gross revenue
- Buys, sells, or shares the personal information of 100,000+ California residents or households annually
- Derives 50% or more of annual revenue from selling or sharing personal information
Businesses located outside California still fall under CCPA if they meet a threshold and target California residents. Most national data brokers are covered.
Your 7 CCPA/CPRA rights
Right to know
What categories and specific pieces of personal information a business has collected about you, sources, purposes, and third parties it shares with.
Right to delete
Demand a business delete personal information collected from you. Response deadline: 45 days.
Right to correct
Demand inaccurate personal information be corrected. Added by CPRA (effective 2023).
Right to opt out of sale or sharing
Direct a business to stop selling or sharing your personal information. Global Privacy Control signal must be honored.
Right to limit use of sensitive personal info
Restrict use of SSN, precise geolocation, biometric data, contents of non-business communications, and other sensitive categories.
Right to non-discrimination
Businesses cannot deny service, charge different prices, or provide different quality of service because you exercised a CCPA right.
Right to data portability
Receive personal information in a portable, usable format to transfer to another business.
How to exercise your CCPA rights
- 1
Identify the business that holds your data (or use OfflistMe, which pre-targets 200+ known brokers).
- 2
Submit a verifiable consumer request via the business's designated method (typically a privacy email, web form, or toll-free number).
- 3
The business has up to 45 days to respond (extendable once to 90 with notice).
- 4
If the business denies or ignores your request, appeal internally first, then file a complaint with the California Privacy Protection Agency.
CCPA Delete Act (SB 362) + DROP Platform
California\u2019s Data Broker Delete Act (SB 362, signed October 2023) goes beyond CCPA itself. The Delete Request and Opt-Out Platform (DROP), operated by the CPPA, launches August 1, 2026. A single verifiable consumer request through DROP will direct every registered California data broker (~566 entities) to delete the requester\u2019s personal information. Brokers must check the deletion list every 45 days. SB 361 (2025) also expanded broker disclosure requirements to include sensitive-data flags and GenAI data sharing.
Use your rights
CCPA-compliant deletion emails, $2 one-time
OfflistMe drafts CCPA-compliant deletion emails for 200+ data brokers. Citations included. You send from your own inbox. No account, no ID upload.
Start for $2 →FAQ
What does CCPA stand for?+
CCPA stands for the California Consumer Privacy Act of 2018, codified at California Civil Code § 1798.100 et seq. It was substantially amended by the California Privacy Rights Act (CPRA, Proposition 24, 2020), which took effect January 2023. The combined current-state citation is "CCPA/CPRA."
Who does CCPA apply to?+
CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one of three thresholds: (1) $25M+ in annual gross revenue; (2) buy, sell, or share personal information of 100,000+ California residents/households annually; or (3) derive 50%+ of annual revenue from selling or sharing personal information. Businesses outside California that target California residents still fall under CCPA.
What rights does CCPA grant?+
CCPA grants California residents: the right to know what personal information a business has collected; the right to delete that information; the right to correct inaccurate information (added by CPRA); the right to opt out of the sale or sharing of personal information; the right to limit the use of sensitive personal information; the right to non-discrimination for exercising CCPA rights; and the right to data portability.
How long does a business have to respond to a CCPA request?+
45 days from the date of a verifiable consumer request. Businesses may extend once by 45 additional days (90 days total) with written notice explaining the delay. The California Privacy Protection Agency can fine businesses for non-responsive behavior.
What are CCPA penalties?+
Civil penalties of $2,500 per violation and $7,500 per intentional violation under § 1798.155. The CPPA and California AG share enforcement authority. A separate private right of action exists only for data breaches involving non-encrypted personal information (§ 1798.150), with statutory damages of $100-$750 per consumer per incident.
What is the difference between CCPA and CPRA?+
CPRA (Proposition 24, 2020) is an amendment to CCPA that took effect January 2023. It added the right to correct, the right to limit use of sensitive personal information, expanded "sale" to include "sharing" for cross-context advertising, created the California Privacy Protection Agency as an independent enforcement body, and lengthened the B2B and HR data transition period.
Do CCPA rights apply outside California?+
Technically no — CCPA grants rights to California residents. In practice, most national data brokers operate a single CCPA-compliant workflow and honor deletion requests from any US resident, because maintaining state-specific workflows is operationally costly. Residents of other states can often leverage CCPA-compliant infrastructure.
How do I file a CCPA complaint?+
File complaints with the California Privacy Protection Agency at cppa.ca.gov/consumers/complaint.html or with the California Attorney General. The CPPA handles most data-broker complaints; the AG handles broader consumer-privacy enforcement. For non-responsive brokers, file after the 45-day deadline expires.