California Consumer Privacy Act / California Privacy Rights Act
Comprehensive California privacy law granting consumers rights over their personal information and imposing obligations on businesses that collect, sell, or share personal data.
Privacy Policy
Businesses must provide a comprehensive privacy policy accessible online via a conspicuous 'privacy' link and through the settings menu of any mobile application. The policy must describe the categories of personal information (PI) collected, sources, purposes, third-party recipients, service provider and contractor categories disclosed for business purposes, and consumer rights, including the right to know, delete, correct, opt out of sale/sharing, limit sensitive PI use, opt out of automated decisionmaking technology (ADMT), and access ADMT logic. The policy must also state the date it was last updated.
Notice at Collection of Personal Information
At or before collecting personal information, a business must give consumers a Notice at Collection identifying the categories of PI collected and the purposes for which it is used. The notice must link to the full privacy policy.
Notice of Right to Opt-out of Sale/Sharing and the “Do Not Sell or Share My Personal Information” Link
A business that sells or shares personal information must post a "Do Not Sell or Share My Personal Information" link in the header or footer of its homepage. In lieu of this link, a business may instead provide the Alternative Opt-out Link (§ 7015) or process opt-out preference signals in a frictionless manner (§ 7025(f)-(g)). The Notice of Right to Opt-out must be posted at the destination webpage of the link or within the privacy policy.
Notice of Right to Limit and the “Limit the Use of My Sensitive Personal Information” Link
A business that uses or discloses a consumer's sensitive personal information for purposes other than those specified in § 7027(m) must provide the Notice of Right to Limit, including a "Limit the Use of My Sensitive Personal Information" link in the header or footer of its homepage. The obligation does not apply if the business uses sensitive PI only for § 7027(m)-specified purposes and discloses this in its privacy policy, or if none of its processing of sensitive PI has the purpose of inferring consumer characteristics.
Alternative Opt-Out Link
A business choosing to use the Alternative Opt-out Link must title the link "Your Privacy Choices" or "Your California Privacy Choices" AND must include the official CPPA opt-out icon adjacent to the title — both elements are required. The link must be a conspicuous link in the header or footer of the homepage and must direct consumers to a webpage where they can exercise both their opt-out of sale/sharing right and their right to limit sensitive PI use.
Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent
Businesses must design and implement methods for submitting CCPA requests and obtaining consumer consent that are easy to understand, symmetrical in choice (the more privacy-protective path must be no longer or harder than the less protective path), free of confusing language or double-negatives, free of choice architecture that impairs consumer decisions, and easy to execute without unnecessary burden. A method that does not comply may be a dark pattern; any consent obtained through a dark pattern is void.
Opt-out Preference Signals
Businesses that sell or share personal information must treat any qualifying opt-out preference signal as a valid request to opt out of sale/sharing for the consumer's browser, device, and associated profiles. The Register 2025, No. 39 amendments (operative January 1, 2026) updated subsections (c)(3)-(4), (c)(6) and (f)(3). Subsection (c)(3) adds conflict-resolution rules for when a signal conflicts with a business-specific privacy setting; subsection (f)(3) adds an exception to the prohibition on interstitials that permits a link to a privacy settings page.
GPC — Conflict with Business-Specific Privacy Settings
When an opt-out preference signal conflicts with a consumer's existing business-specific privacy setting that permits sale or sharing, the business must still process the signal as a valid opt-out request. However, the business may notify the consumer of the conflict and provide an opportunity to consent to sale or sharing using the consent procedures in section 7004. If the consumer consents, the business may ignore the signal for as long as the consumer is known to it.
GPC — Conflict with Financial Incentive Programs
When an opt-out preference signal conflicts with a consumer's participation in a financial incentive program that requires consent to sale or sharing, the business may notify the consumer that processing the signal would withdraw them from the program and ask them to affirm intent to withdraw. If the consumer affirms, the business must process the opt-out; if the consumer does not affirm, the business may ignore the signal for that program as long as the consumer is known to it.
GPC — Status Display Requirement
When an opt-out preference signal is active, the business must display on its website whether it has processed the signal as a valid opt-out request. The business may satisfy this by displaying a message such as "Opt-Out Request Honored" or by showing the consumer's opt-out status via a toggle or radio button.
GPC — No Notifications or Interstitials in Frictionless Mode
Under the frictionless processing path, a business is prohibited from displaying any notification, pop-up, text, graphic, animation, sound, video, or interstitial content in response to an opt-out preference signal. Two exceptions apply: the business may show opt-out status (e.g., "you are opted out"), and may provide a link to a privacy settings page through which the consumer can consent to the business ignoring the signal.
General Duties of Businesses that Collect Personal Information
Businesses that control personal information collection must notify consumers at or before the point of collection about: the categories collected, their purposes, and whether the information is sold or shared. Collection, use, and retention must be reasonably necessary and proportionate to disclosed purposes. Businesses must enter into compliant data-sharing agreements with service providers, contractors, and third parties, and implement reasonable security procedures.
Right to Delete
Consumers have the right to request deletion of personal information a business has collected from them. The privacy policy must describe this right and explain how to submit a deletion request.
Consumers' Right to Correct Inaccurate Personal Information
Consumers have the right to request correction of inaccurate personal information maintained by a business. Businesses must disclose this right and use commercially reasonable efforts to correct inaccurate personal information in response to a verifiable consumer request.
Consumers’ Right to Opt Out of Sale or Sharing of Personal Information
Consumers have the right to direct a business not to sell or share their personal information with third parties. This right must be prominently disclosed in the privacy policy. Businesses may not sell or share personal information of consumers under 16 without opt-in consent (under 13 requires parental consent). Once a consumer opts out, the business must honor the direction unless the consumer subsequently provides consent.
Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information
CPRA added a consumer right to limit how businesses use or disclose sensitive personal information (health, financial, biometric, precise geolocation, etc.) to uses necessary to perform services or provide goods reasonably expected by an average consumer. Businesses using sensitive PI for other purposes must notify consumers and provide a mechanism to limit such use.
Consumers’ Right of No Retaliation Following Opt Out or Exercise of Other Rights
Businesses may not discriminate against or retaliate against consumers who exercise their CCPA rights, including by denying goods or services, charging different prices, or providing a lower quality of service. However, a business may offer financial incentives — including payments or price differences — for the collection, sale, sharing, or retention of personal information, provided the difference is reasonably related to the value of the consumer's data and the consumer gives prior opt-in consent.
Training
Businesses must ensure all individuals responsible for handling consumer inquiries about the business's information practices or the business's compliance with the CCPA are informed of all CCPA requirements and regulations and how to direct consumers to exercise their rights.
When a Business’s Use of Automated Decisionmaking Technology is Subject to the Requirements of This Article
Section 7200 defines when a business's use of ADMT is subject to Article 11 requirements. A business that uses ADMT to make a significant decision concerning a consumer must comply with the requirements of this Article. Compliance is required by January 1, 2027 for pre-existing ADMT use.
Pre-use Notice Requirements
Before using ADMT for a significant decision, businesses must provide consumers with a Pre-use Notice informing them about the business's use of ADMT and consumers' rights to opt out of ADMT and to access ADMT.
Requests to Access ADMT
Consumers may request access to information about a business's use of ADMT, including: the specific purpose for which ADMT was used, the logic of the ADMT and how it processed their personal information to generate an output, and the outcome of the decisionmaking process. Businesses must respond with plain-language explanations.
Legal notice: This reference library is for informational purposes only and does not constitute legal advice. Excerpts are reproduced from official public sources and are current as of January 2026. Laws and regulations change — always verify against the authoritative source and consult a qualified attorney.