California Consumer Privacy Act / California Privacy Rights Act
Comprehensive California privacy law granting consumers rights over their personal information and imposing obligations on businesses that collect, sell, or share personal data.
Privacy Policy — Required Disclosures
Businesses must maintain a privacy policy that is reasonably accessible, easy to read, and updated at least every 12 months. The policy must describe consumer rights and how to exercise them.
Notice at Collection
At or before collecting personal information, a business must give consumers a Notice at Collection identifying the categories of PI collected and the purposes for which it is used. The notice must link to the full privacy policy.
Notice of Right to Opt-Out of Sale or Sharing
A business that sells or shares personal information must provide a clear "Do Not Sell or Share My Personal Information" link on its homepage and in its privacy policy. The link must use the prescribed language or a compliant alternative.
Notice of Right to Limit Use of Sensitive Personal Information
Businesses that use sensitive personal information beyond permissible purposes must post a "Limit the Use of My Sensitive Personal Information" link. This obligation is conditional: it applies only when sensitive PI is processed beyond what is required to provide the service.
Alternative Opt-Out Link
If a business uses a single link (e.g. "Your Privacy Choices") that combines opt-out and sensitive PI limit rights, the link must use the official CPPA opt-out icon or be accompanied by a description that clearly conveys both rights.
Symmetry of Choice (Equal Prominence)
The opt-out mechanism must be as easy to access and use as any opt-in mechanism. Businesses cannot use confusing language, double-negatives, or designs that make opting out harder than opting in.
Opt-Out Preference Signals (Global Privacy Control)
Businesses must treat a valid Global Privacy Control (GPC) signal as a consumer request to opt out of the sale and sharing of personal information. The signal must be honored with the same effect as a manual opt-out request.
GPC — Marketing Cookies Must Be Blocked
When a GPC signal is active, third-party marketing and advertising cookies must not be loaded. Failing to block these trackers after receiving the GPC signal is a violation, regardless of whether a "Do Not Sell" link is present.
GPC — Third-Party Requests Must Be Blocked
After receiving a GPC signal, a business must prevent third-party requests that facilitate cross-context behavioral advertising or the sale of personal information. Network-level blocking is the expected implementation.
GPC — Status Display Requirement
When a GPC signal is active, the business must visually confirm to the consumer that the opt-out has been honored. A persistent status indicator on the page satisfies this requirement.
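One way a server could apply the four GPC items above, as an added example that is not part of the original reference: it reads the `Sec-GPC` request header defined by the GPC specification, drops third-party marketing tags, emits a Content-Security-Policy that omits their hosts so the browser refuses those requests, and returns a status message. The tag inventory, host names, function names and banner wording are assumptions constructed for illustration.

```javascript
// Constructed tag inventory (hypothetical names and hosts, not from the page).
const TAGS = [
  { name: "site-analytics", host: "www.example.com", purpose: "functional" },
  { name: "ad-pixel", host: "ads.adnetwork.example", purpose: "marketing" },
  { name: "retargeting", host: "track.retarget.example", purpose: "marketing" },
  { name: "payments", host: "pay.processor.example", purpose: "functional" },
];

// The GPC spec sends the preference as the request header "Sec-GPC: 1".
// Header names are case-insensitive; any value other than "1" is not a signal.
function hasGpc(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// Decide what a page response may load for this request.
function planResponse(headers, firstPartyHost, tags = TAGS) {
  const optedOut = hasGpc(headers);
  const isThirdPartyMarketing = (t) =>
    t.purpose === "marketing" && t.host !== firstPartyHost;

  // With GPC active, third-party marketing tags are never rendered.
  const allowed = tags.filter((t) => !(optedOut && isThirdPartyMarketing(t)));
  const blocked = tags.filter((t) => optedOut && isThirdPartyMarketing(t));

  // The CSP lists only hosts of allowed tags, so a marketing request that
  // slips into the markup is still refused by the browser.
  const hosts = [...new Set(allowed.map((t) => t.host))]
    .filter((h) => h !== firstPartyHost);
  const sources = ["'self'", ...hosts.map((h) => `https://${h}`)].join(" ");

  return {
    optedOut,
    tags: allowed.map((t) => t.name),
    blocked: blocked.map((t) => t.name),
    csp: `default-src 'self'; script-src ${sources}; ` +
         `img-src ${sources}; connect-src ${sources}`,
    // Text for a persistent on-page indicator (wording is an assumption).
    statusBanner: optedOut ? "Opt-out preference signal honored" : null,
  };
}
```

The returned `blocked` list doubles as an audit record: logging it per request gives evidence that the signal was honored with the same effect as a manual opt-out.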
Consumer Right to Know / Right to Access
Consumers have the right to request that a business disclose what personal information it has collected about them, including the categories, sources, purposes, and third parties to which it is disclosed.
Right to Delete
Consumers have the right to request deletion of personal information a business has collected from them. The privacy policy must describe this right and explain how to submit a deletion request.
Right to Correct
CPRA (2023+) added the right to correct inaccurate personal information. Privacy policies must describe this right and provide a mechanism for consumers to submit correction requests.
Right to Opt-Out of Sale of Personal Information
Consumers have the right to direct a business not to sell their personal information. This right must be prominently disclosed in the privacy policy, and businesses must honor opt-out requests within 15 business days.
Right to Limit Use of Sensitive Personal Information
CPRA added a consumer right to limit how businesses use sensitive personal information (health, financial, biometric, precise geolocation, etc.) to purposes strictly necessary for providing the requested service.
Non-Discrimination
Businesses may not discriminate against consumers who exercise their CCPA rights — for example, by denying goods or services, charging different prices, or providing a lower quality of service.
Employee Training Requirements
Businesses must ensure all personnel responsible for handling consumer requests or the company's privacy compliance program are informed of all CCPA requirements that may affect their job duties.
Automated Decisionmaking Technology (ADMT) — Opt-Out Right
New in 2026: Consumers have the right to opt out of significant automated decisions (e.g. profiling that produces legal or similarly significant effects). Businesses must provide a clear opt-out mechanism and honor it.
ADMT — Pre-Use Notice
Before using ADMT for a significant decision, businesses must provide consumers with notice that includes a plain-language explanation of the logic used and how it affects the consumer.
ADMT — Right to Access Profiling Logic
Consumers may request access to the logic underlying automated profiling decisions, as well as a human review of the decision.
Legal notice: This reference library is for informational purposes only and does not constitute legal advice. Excerpts are reproduced from official public sources and are current as of January 2026. Laws and regulations change — always verify against the authoritative source and consult a qualified attorney.