Your CCPA Privacy Rights Explained: What California Law Gives You

The Short Answer

The California Consumer Privacy Act (CCPA), strengthened by the California Privacy Rights Act (CPRA) in 2023, is the strongest state-level privacy law in the US. If you're a California resident, you have the right to know what data companies collect about you, demand they delete it, and tell them to stop selling it — and companies face real penalties for noncompliance. Even if you don't live in California, CCPA matters because many companies extend its protections to all US users rather than maintaining separate systems.

Who CCPA Covers

CCPA applies to for-profit businesses that:

• Have annual gross revenue over $25 million, **or**
• Buy, sell, or share the personal information of 100,000+ California residents, households, or devices per year, **or**
• Derive 50% or more of annual revenue from selling personal information

This covers every major tech company — Google, Meta (Facebook, Instagram), Spotify, Uber, Discord, Reddit, LinkedIn — and thousands of smaller companies. If you use the internet, CCPA-covered businesses have your data.

Your Rights Under CCPA

Right to Know You can ask any covered business to disclose: - What categories of personal information they've collected - The specific pieces of personal information they hold about you - Where they got it (sources) - Why they collected it (business purpose) - Who they shared it with (third parties)

Companies must respond within 45 days. You can make this request twice per 12-month period.

Right to Delete You can request that a company delete your personal information. The company must also direct any service providers they shared it with to delete their copies. There are exceptions — companies can keep data needed for legal compliance, security, or completing a transaction — but for most consumer data, deletion is enforceable.

Right to Opt Out of Sale or Sharing This is CCPA's signature provision. You can tell any company: "Stop selling my personal information." Companies must honor this and provide a clear "Do Not Sell or Share My Personal Information" link on their website. Under CPRA, this extends to "sharing" for cross-context behavioral advertising, which closed a major loophole.

When Google shares your data with advertising partners, that's covered. When Facebook lets advertisers target you based on your behavior, that's covered. When data brokers sell your profile, that's covered.

Right to Correct Added by CPRA, you can request that a company correct inaccurate personal information.

Right to Limit Use of Sensitive Personal Information Also added by CPRA, you can restrict how companies use sensitive data including: - Social Security numbers - Financial account information - Precise geolocation - Racial or ethnic origin - Religious beliefs - Health information - Sexual orientation - Private communications content

Right to Non-Discrimination Companies cannot punish you for exercising your privacy rights — no degraded service, no price increases, no account restrictions. Uber can't charge you more because you opted out of data selling. Spotify can't downgrade your recommendations as retaliation.

How Companies Actually Comply (and Where They Fall Short)

Compliance varies wildly:

**Google** offers relatively robust CCPA tools through its Privacy Checkup and "Your Privacy Choices" settings. You can download your data, delete activity, and manage ad personalization. But the sheer volume of data Google collects means even their tools don't give you a complete picture.

**Facebook/Instagram** has a "Your Privacy Choices" page and allows data downloads. However, Meta's business model depends on data sharing for advertising, so their opt-out mechanisms are designed to be technically compliant while preserving as much data use as possible. The "Limited Data Use" mode for California users restricts some processing but doesn't eliminate tracking.

**Spotify** provides data download and deletion tools. Their "Do Not Sell" page exists but primarily covers third-party advertising data. Your listening history and behavioral data are considered necessary for the service and are harder to restrict.

**Uber** allows data access and deletion requests through their privacy center. Given that Uber has precise location data for every ride, the data they hold is particularly sensitive.

**Discord** and **Reddit** offer privacy request forms, but their compliance infrastructure is less mature than the tech giants. Response times can be slower, and the data provided may be less comprehensive.

The CPRA Upgrades (2023)

The California Privacy Rights Act amended and strengthened CCPA in important ways:

• **Created the California Privacy Protection Agency** — A dedicated enforcement body, the first of its kind in the US
• **Extended to employees and B2B contacts** — Previously exempt categories
• **Added data minimization requirements** — Companies shouldn't collect more than necessary
• **Created the "sensitive personal information" category** — With specific restrictions
• **Strengthened the right to opt out** — Including sharing for advertising, not just sales
• **Added the right to correct** — Previously you could only know and delete

Common Misconceptions

**"I don't live in California, so CCPA doesn't apply to me."** — Technically true, but many companies extend CCPA rights to all US users rather than building separate systems. Google, for example, offers the same privacy controls to everyone. Additionally, about a dozen other states have passed their own privacy laws modeled on CCPA.

**"Opting out of data sales stops all tracking."** — It doesn't. It stops the sale and sharing of your data with third parties, but the company can still collect and use your data for its own purposes. Facebook will still track you; it just can't (in theory) sell that data to a broker.

**"Companies have to delete everything if I ask."** — There are exceptions. Data needed for security, legal compliance, completing transactions, or exercising free speech can be retained. Companies often interpret these exceptions broadly.

What You Can Do

1. **Submit a "Do Not Sell" request to every major platform you use** — Even if you're not in California, try it. Many companies honor these requests from all US users. Look for the "Do Not Sell or Share My Personal Information" link, usually in the website footer.

2. **Use the Global Privacy Control (GPC)** — This is a browser setting that automatically sends a "Do Not Sell" signal to every website you visit. Firefox, Brave, and DuckDuckGo support it natively. Under CCPA, companies must honor GPC signals.

3. **File data access requests** — Submit a "Right to Know" request to the companies you use most. Seeing the actual data they hold is often the wake-up call that motivates better privacy hygiene.

4. **Request deletion annually** — Make it a yearly habit. Even if companies re-collect data, periodic deletion limits the historical depth of your profile.

5. **File complaints when companies don't comply** — The California Privacy Protection Agency accepts complaints at cppa.ca.gov. Enforcement only works if violations are reported.