California — Data Subject Rights

The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA, Proposition 24), grants California consumers a statutory bundle of privacy rights against businesses that collect their personal information. The CPRA amendments became operative January 1, 2023. The California Privacy Protection Agency (CPPA) holds full administrative power to implement and enforce the statute.

Enumerated consumer rights

California residents ("consumers" under the statute) have the following rights with respect to their personal information:

• Right to know (Cal. Civ. Code §§ 1798.100, 1798.110) — the right to request that a business disclose the categories and specific pieces of personal information it has collected about the consumer, the categories of sources, the business or commercial purpose for collection, and the categories of third parties to whom the business discloses personal information.

• Right to delete (Cal. Civ. Code § 1798.105) — the right to request that a business delete any personal information about the consumer that the business has collected from or about the consumer, subject to enumerated exceptions (security, fraud detection, legal compliance, free speech, research, and internal uses that the consumer would reasonably expect).

• Right to correct (Cal. Civ. Code § 1798.106) — the right to request that a business correct inaccurate personal information that it maintains about the consumer.

• Right to opt out of sale or sharing (Cal. Civ. Code § 1798.120) — the right to direct a business that sells or shares the consumer's personal information to third parties to stop doing so. "Sale" is defined broadly to include disclosing personal information to a third party for monetary or other valuable consideration (§ 1798.140(ad)); "sharing" means disclosing personal information to a third party for cross-context behavioral advertising (§ 1798.140(ah)).

• Right to limit use and disclosure of sensitive personal information (Cal. Civ. Code § 1798.121) — the right to direct a business that uses or discloses sensitive personal information for purposes beyond those necessary to perform services reasonably expected by the consumer to limit that use. Sensitive personal information includes Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, mail/email/text content, genetic data, biometric data processed for unique identification, health data, sex life or sexual orientation data, and (as of January 1, 2025) neural data.

• Right to non-discrimination (Cal. Civ. Code § 1798.125) — the right not to receive discriminatory treatment (denial of goods or services, different pricing, different quality of service) for exercising CCPA rights. A business may offer financial incentives or different prices if the difference is reasonably related to the value provided to the business by the consumer's data.

Response timeline and verification

A business that receives a verifiable consumer request must respond within 45 days of receipt (Cal. Civ. Code § 1798.130(a)(2); CPPA regulations § 7000 et seq.). The 45-day period may be extended once by an additional 45 days (for a maximum 90 days total) when reasonably necessary, taking into account the complexity and number of requests, provided the business informs the consumer of the extension within the initial 45-day period and provides the reasons for the delay.

The business must disclose and deliver the required information free of charge. Information may be delivered electronically or by mail; if electronic, it must be portable and in a readily usable format that allows the consumer to transmit the information to another entity without hindrance.

A business is not obligated to provide information pursuant to the right-to-know provisions (§§ 1798.110, 1798.115) to the same consumer more than twice in a 12-month period.

The business may deny a request if it cannot verify that the consumer making the request is the consumer about whom the business has collected information, pursuant to verification standards set forth in CPPA regulations. If the business does not take action on a consumer request, it must inform the consumer of the reasons for not taking action and any rights the consumer may have to appeal the decision, within the applicable response period.

Source: Cal. Civ. Code §§ 1798.100–1798.130 Source: CPPA FAQ — Consumer Rights

Businesses must verify the identity of consumers submitting requests to know, delete, or correct personal information before disclosing data or taking action. The CCPA imposes a risk-tiered verification framework that calibrates the degree of certainty required to the sensitivity of the information at issue and the potential harm posed by unauthorized access or deletion. The California Privacy Protection Agency (CPPA) regulations at 11 CCR §§ 7060–7062 implement Cal. Civ. Code § 1798.130(a)(2) and mandate data minimization: businesses must first attempt to verify the consumer using information already maintained, and may request additional information only if verification cannot be completed with existing data.

Two-tier verification standard — § 7060(c)

The CPPA regulations prescribe different verification thresholds depending on the nature of the request:

• Reasonable degree of certainty — required for requests to know categories of personal information (e.g., "what types of data do you collect about me?"). A business must match the information provided in the request with information already maintained about the consumer to a reasonable degree of certainty. 11 CCR § 7060(c)(1).

• Reasonably high degree of certainty — required for requests to know specific pieces of personal information (e.g., "provide me a copy of my purchase history") and requests to delete or correct. A business must match the request to existing information to a reasonably high degree of certainty. 11 CCR § 7060(c)(2), (c)(3). This heightened standard reflects the greater risk of harm from unauthorized disclosure of individualized data or from unauthorized deletion.

The regulations do not quantify "reasonable" or "reasonably high" in numerical terms. CPPA Enforcement Advisory 2024-01 (April 2, 2024) instructs businesses to evaluate the sensitivity of the information, the risk of harm from unauthorized access or deletion, and whether the business can rely on information already on file (such as an email address from which the request originates) or whether additional verification steps—such as requesting a driver's license number or using multi-factor authentication—are proportionate to the risk.

Password-protected accounts — § 7061

For consumers who maintain a password-protected account with the business, verification is simpler. A business may verify a consumer request by requiring the consumer to submit the request through the consumer's existing account. 11 CCR § 7061(a). If the business has an existing process to authenticate account holders at login (e.g., username/password, two-factor authentication), that process satisfies verification for all request types if the consumer is logged in at the time of the request.

A business may not require a consumer to create an account solely to submit a verifiable consumer request. Cal. Civ. Code § 1798.130(a)(2)(B).

Non-accountholders — § 7062

For consumers without password-protected accounts, the business must verify the consumer by matching data points provided in the request against information the business already maintains. 11 CCR § 7062(a). The regulation sets out request-specific guidance:

• Requests to know categories (§ 7062(b)): A business may request that the consumer provide two data points that the business already maintains (e.g., name and email address). If the business can verify the consumer to a reasonable degree of certainty using one data point (e.g., a unique email from which the request was sent), it may not demand additional information.

• Requests to know specific pieces or requests to correct (§ 7062(c)): A business may request that the consumer provide at least three pieces of personal information that the business already maintains and that the business matches against its records to a reasonably high degree of certainty. The business must also implement reasonable security measures to ensure that the person making the request is the consumer about whom the business has collected information.

• Requests to delete (§ 7062(d)): A business may require the consumer to provide information that the business matches to a reasonably high degree of certainty, and may require a signed declaration under penalty of perjury that the requestor is the consumer whose information is subject to the request. The business may also require the consumer to confirm separately that they want to proceed with deletion (a "double opt-in" mechanism to guard against accidental or fraudulent deletions).

Data minimization — § 7002(d) and § 7060(d)

Cal. Civ. Code § 1798.100(c) requires businesses to collect, use, retain, and share personal information only to the extent "reasonably necessary and proportionate" to achieve the purposes for which the information was collected or processed. This data minimization principle applies to verification. A business must generally avoid requesting additional information from the consumer for purposes of verification. 11 CCR § 7060(d). If the business cannot verify the consumer's identity using information already maintained, it may request additional information, but that new information may be used only for verification, security, or fraud prevention, and must be deleted as soon as practicable after processing the request. 11 CCR § 7060(d); Cal. Civ. Code § 1798.130(a)(2)(C).

CPPA Enforcement Advisory 2024-01 illustrates the principle: if a business holds only a consumer's name and email address, and the consumer submits a deletion request from that email address, the business must evaluate whether it can verify the consumer using the email alone (perhaps with a confirmation link sent to that email) rather than demanding a driver's license number or Social Security number, which would be disproportionate and would introduce new sensitive data that itself creates risk if breached.

No verification required for opt-out requests

A business may not require a consumer to verify their identity in order to submit a request to opt out of sale/sharing (Cal. Civ. Code § 1798.120(c)) or to limit use of sensitive personal information (Cal. Civ. Code § 1798.121(b)). The consumer must be able to exercise these rights through an opt-out preference signal (such as the Global Privacy Control) without providing any additional information. 11 CCR § 7026(c)–(d).

Source: Cal. Civ. Code § 1798.130 Source: Cal. Civ. Code § 1798.100 Source: 11 CCR §§ 7060–7062 (CPPA Regulations, effective March 29, 2023; updated Jan. 1, 2026) Source: CPPA Enforcement Advisory 2024-01 (Data Minimization)

The CCPA/CPRA right to delete (Cal. Civ. Code § 1798.105(a)) is not absolute. A business, service provider, or contractor shall not be required to comply with a consumer's deletion request if it is reasonably necessary to maintain the consumer's personal information in order to accomplish one of nine enumerated statutory purposes. § 1798.105(d). When a business invokes an exception, it may retain only the specific personal information required for that purpose—the exception does not authorize retention of the consumer's entire data set.

The nine statutory exceptions

Under § 1798.105(d), a business need not delete personal information if retention is reasonably necessary to:

1. Complete the transaction, fulfill a warranty or product recall, provide a requested or reasonably anticipated good or service, or perform a contract (§ 1798.105(d)(1)). This exception covers the entire lifecycle of a transaction for which the personal information was collected. It includes fulfilling the terms of a written warranty or a product recall conducted in accordance with federal law, providing a good or service requested by the consumer, providing a good or service reasonably anticipated by the consumer within the context of a business's ongoing business relationship with the consumer, and otherwise performing a contract between the business and the consumer.

1. Help ensure security and integrity, to the extent reasonably necessary and proportionate (§ 1798.105(d)(2)). This exception permits retention necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity. The statute adds a proportionality requirement: the use of the consumer's personal information must be "reasonably necessary and proportionate" for the security or integrity purpose. The exception does not specify which types of data qualify, but it is understood to encompass logs and records used to investigate and prevent fraud and abuse.

1. Debug to identify and repair errors that impair existing intended functionality (§ 1798.105(d)(3)). This exception applies only to existing functionality—the statute does not extend it to development of new features. A business may retain personal information needed to identify, diagnose, and repair errors, but only for as long as the debugging process requires.

1. Exercise free speech, ensure another consumer's right to free speech, or exercise another right provided for by law (§ 1798.105(d)(4)). This exception accommodates First Amendment interests and other legal rights. It has been invoked to justify retention of user-generated content (such as product reviews or public comments) and to comply with legal obligations such as litigation holds or public-records laws. The exception does not define which rights qualify, and it does not grant blanket immunity from deletion—a business must identify a specific legal right.

1. Comply with the California Electronic Communications Privacy Act (CalECPA) (§ 1798.105(d)(5)). CalECPA (Cal. Penal Code §§ 1546 et seq.) imposes warrant and court-order requirements on government access to electronic communications and metadata. This exception permits a business to retain personal information if deletion would violate CalECPA—for example, if the business has received a valid court order requiring preservation of specified communications. The statute does not elaborate on other scenarios where this exception applies.

1. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest (§ 1798.105(d)(6)). This exception applies only when three conditions are met: (a) the research conforms to or adheres to all other applicable ethics and privacy laws; (b) the business's deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (c) the consumer has provided informed consent. The CCPA defines "research" at Cal. Civ. Code § 1798.140(ag) to require that research be in the public interest and that personal information be deidentified, pseudonymized, or aggregated. The statute does not define "public interest" or specify when commercial research qualifies.

1. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information (§ 1798.105(d)(7)). This exception protects retention for internal purposes that a consumer would reasonably expect. The statute does not define "internal uses" or provide a list of qualifying purposes. It requires a contextual, fact-specific evaluation of consumer expectations at the time the data was collected.

1. Comply with a legal obligation (§ 1798.105(d)(8)). This exception encompasses any federal, state, or local law that requires the business to retain personal information. Examples include tax recordkeeping requirements (IRS and California Franchise Tax Board retention schedules), employment records (Equal Employment Opportunity Commission, Occupational Safety and Health Administration, and wage-and-hour laws), financial-services records (Securities and Exchange Commission, Financial Industry Regulatory Authority, and Gramm-Leach-Bliley Act retention rules), and healthcare records (Health Insurance Portability and Accountability Act and California Health & Safety Code retention rules). The statute does not define "legal obligation," but CPPA guidance confirms it applies when the business is "legally required to keep the information." CPPA FAQ. A business invoking this exception should identify the specific statute, regulation, or court order requiring retention.

1. Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information (§ 1798.105(d)(9)). This catch-all exception applies to any internal, lawful use compatible with the context in which the consumer provided the information. The statute does not specify how it differs from exception (7); both require contextual compatibility and internal use. Exception (9) does not impose an express "reasonable expectations" test, but compatibility with context necessarily implicates the consumer's understanding of how the data would be used.

"Reasonably necessary" standard

All nine exceptions are conditioned on retention being "reasonably necessary" (or, in the case of exception (2), "reasonably necessary and proportionate"). The statute does not define "reasonably necessary." CPPA regulations impose a data-minimization principle on verification and other CCPA processes, requiring businesses to collect, use, retain, and share personal information only to the extent "reasonably necessary and proportionate" to achieve the stated purposes. 11 CCR § 7002(d); Cal. Civ. Code § 1798.100(c). This principle applies to the exceptions: a business should retain only the minimum personal information required to accomplish the permitted purpose, and only for as long as necessary.

Cascading deletion obligations — § 1798.105(c)

When a business receives a verifiable consumer request to delete, it must (1) delete the consumer's personal information from its own records; (2) notify any service providers or contractors to delete the consumer's personal information from their records; and (3) notify all third parties to whom the business has sold or shared the personal information to delete the consumer's personal information—unless this proves impossible or involves disproportionate effort. § 1798.105(c)(1). The "impossible or disproportionate effort" carve-out applies only to the third-party notification obligation, not to the business's own deletion duty or the duty to direct service providers and contractors.

CPPA regulations require a service provider or contractor to cooperate with the business in responding to a verifiable consumer request and, at the direction of the business, to delete (or enable the business to delete) personal information and notify its own service providers or contractors to delete. 11 CCR § 7022(c)(1). A service provider or contractor is not required to comply with a deletion request if it is reasonably necessary to maintain the consumer's personal information under one of the nine statutory exceptions in § 1798.105(d). 11 CCR § 7022(c)(2).

Record of deletion requests — § 1798.105(c)(2)

A business may maintain a confidential record of deletion requests solely for the purpose of (a) preventing personal information of a consumer who has submitted a deletion request from being sold, (b) compliance with laws, or (c) other purposes solely to the extent permissible under § 1798.105(d). § 1798.105(c)(2). This provision permits a business to maintain an internal record (such as a hashed identifier or email address) to honor the consumer's deletion request on an ongoing basis without re-collecting the deleted data, but the record must be confidential and limited to the stated purposes.

Source: Cal. Civ. Code § 1798.105 Source: 11 CCR § 7022 (CPPA Regulations, Requests to Delete) Source: CPPA FAQ — Consumer Rights

California consumers have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties to stop doing so. Cal. Civ. Code § 1798.120(a)(1). This right may be referred to as the "right to opt out of sale or sharing." A business that receives an opt-out direction is prohibited from selling or sharing the consumer's personal information after receipt of the direction unless the consumer subsequently provides consent to resume the sale or sharing. § 1798.120(d).

Broad statutory definitions of "sale" and "sharing"

The CCPA/CPRA defines "sale" expansively as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration." Cal. Civ. Code § 1798.140(ad)(1) (emphasis added). The phrase "monetary or other valuable consideration" sweeps in disclosures made in exchange for anything of value—not only cash payments but also barter arrangements, discounts, access to data or services, or participation in data cooperatives. The statute enumerates eight exceptions that do not constitute a "sale," including consumer-directed disclosures, disclosures to service providers or contractors acting under a written contract with specified restrictions, and disclosures pursuant to a merger, acquisition, bankruptcy, or other asset transaction in which the third party assumes control of all or part of the business and remains subject to the CCPA. § 1798.140(ad)(2).

"Sharing" is defined separately as "sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration." Cal. Civ. Code § 1798.140(ah)(1) (emphasis added). "Cross-context behavioral advertising" means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts. § 1798.140(k). Sharing thus captures disclosures to advertising platforms and data brokers for purposes of retargeting or behavioral profiling, even when no money changes hands.

The breadth of these definitions means that the opt-out right reaches most third-party disclosures of personal information for commercial purposes. The Attorney General and the CPPA have taken the position that disclosures through third-party cookies, advertising pixels, social-media plug-ins, and similar tracking technologies typically constitute "sale" or "sharing" unless the third party qualifies as a service provider or contractor under a compliant written contract.

Two opt-out mechanisms — § 1798.135

A business that sells or shares consumers' personal information must provide two methods for consumers to exercise the opt-out right:

1. "Do Not Sell or Share My Personal Information" link. The business must provide a clear and conspicuous link on its internet homepage, titled exactly "Do Not Sell or Share My Personal Information," to an internet web page that enables a consumer (or a person authorized by the consumer) to opt out. Cal. Civ. Code § 1798.135(a)(1). The business may combine this link with the "Limit the Use of My Sensitive Personal Information" link into a single alternative opt-out link. § 1798.135(a)(3); 11 CCR § 7015. The opt-out page must not require the consumer to create an account or provide additional information beyond what is necessary to direct the business not to sell or share. § 1798.135(c)(1).

1. Opt-out preference signal (Global Privacy Control). A business must treat an opt-out preference signal as a valid request to opt out of sale/sharing submitted pursuant to § 1798.120. Cal. Civ. Code § 1798.135(b)(1); 11 CCR § 7025. An opt-out preference signal is a signal sent by a platform, technology, or mechanism (such as a browser extension, browser setting, or device setting) that communicates the consumer's choice to opt out. The signal must be (a) in a format commonly used and recognized by businesses (e.g., an HTTP header field or JavaScript object) and (b) configured to make clear to the consumer that it is meant to opt them out of sale/sharing. 11 CCR § 7025(b). The Global Privacy Control (GPC) is the most widely deployed opt-out preference signal; it is a technical specification that transmits an Sec-GPC: 1 HTTP header and a navigator.globalPrivacyControl JavaScript property.

When a business receives an opt-out preference signal, it must treat the signal as a valid request to opt out for that browser or device, for any consumer profile associated with that browser or device (including pseudonymous profiles), and—if the consumer is known to the business—for the consumer's account and any offline sale or sharing of the consumer's personal information. 11 CCR § 7025(f)(1). The business must apply the opt-out in a frictionless manner—meaning the business honors the signal without requiring further consumer action, displays confirmation that the opt-out has been honored, and does not charge a fee or require the consumer to provide additional information (beyond what the signal conveys) to process the request. § 7025(f). The business may notify the consumer that the opt-out preference signal conflicts with the consumer's current privacy settings and may offer the consumer an opportunity to consent to the sale or sharing of their personal information, but the business must process the opt-out request unless the consumer instructs otherwise. § 7025(f)(3).

A business that elects to honor opt-out preference signals in a frictionless manner and meets the additional requirements of 11 CCR § 7025(g) is not required to post the "Do Not Sell or Share My Personal Information" link on its homepage, provided the business still includes a notice of the right to opt out in its privacy policy and describes how consumers can implement an opt-out preference signal. § 7025(g); § 1798.135(b)(1).

No verification required; 12-month opt-in wait

A business may not require a consumer to verify their identity in order to submit an opt-out request. Cal. Civ. Code § 1798.120(c); 11 CCR § 7026(g). The opt-out right is exercisable without friction. A business may deny an opt-out request only if it has a good-faith, reasonable, and documented belief that the request is fraudulent, in which case it must inform the requestor that it will not comply and provide an explanation. 11 CCR § 7026(g).

Once a consumer has opted out, the business must wait at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer's personal information. Cal. Civ. Code § 1798.135(c)(5). The business may use any personal information collected from the consumer in connection with the opt-out request solely for the purpose of complying with the request. § 1798.135(c)(6).

Minors under 16 — affirmative opt-in required

Notwithstanding the general opt-out framework, a business shall not sell or share the personal information of consumers under 16 years of age unless (a) the consumer is at least 13 and less than 16 years of age and has affirmatively authorized the sale or sharing, or (b) the consumer is less than 13 years of age and the consumer's parent or guardian has affirmatively authorized the sale or sharing. Cal. Civ. Code § 1798.120(c). A business that willfully disregards a consumer's age is deemed to have had actual knowledge of the consumer's age. This is sometimes called the "right to opt in" for minors—the default is no sale or sharing, and the minor (or parent/guardian) must take affirmative action to permit it.

Source: Cal. Civ. Code § 1798.120 Source: Cal. Civ. Code § 1798.135 Source: Cal. Civ. Code § 1798.140 Source: 11 CCR §§ 7025–7026 (CPPA Regulations, Opt-Out of Sale or Sharing) Source: CPPA FAQ — Consumer Rights

California consumers have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of that sensitive personal information to uses that are necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. Cal. Civ. Code § 1798.121(a). This right—introduced by the California Privacy Rights Act (CPRA, Proposition 24) and operative January 1, 2023—is narrower than the right to opt out of sale/sharing under § 1798.120. It does not prohibit all use or disclosure of sensitive personal information; rather, it restricts use or disclosure to a statutorily defined safe harbor of permitted purposes.

Definition of sensitive personal information

Sensitive personal information is a subset of personal information defined at Cal. Civ. Code § 1798.140(ae). The statute enumerates eleven categories:

• Social Security, driver's license, state identification card, or passport number
• Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• Precise geolocation (within a radius of 1,850 feet)
• Racial or ethnic origin, religious or philosophical beliefs, or union membership
• Contents of a consumer's mail, email, and text messages (unless the business is the intended recipient)
• Genetic data
• Biometric information processed for the purpose of uniquely identifying a consumer
• Personal information collected and analyzed concerning a consumer's health
• Personal information collected and analyzed concerning a consumer's sex life or sexual orientation
• Citizenship or immigration status
• Neural data (added by AB 3286, effective January 1, 2025), defined as information generated by measuring the activity of a consumer's central or peripheral nervous system and that is not inferred from nonneural information

The definition is exhaustive—if a data element is not on the list, it is not sensitive personal information for purposes of § 1798.121.

The narrow trigger — use or disclosure beyond "reasonably expected" services

The right to limit is triggered only when a business uses or discloses sensitive personal information for purposes other than those necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. § 1798.121(a). A business that uses or discloses sensitive personal information only for the permitted purposes set forth in the statute and CPPA regulations does not trigger the right to limit and is not required to post a "Limit the Use of My Sensitive Personal Information" link on its homepage. 11 CCR § 7027(m); Cal. Civ. Code § 1798.135(a)(2).

The statute cross-references four enumerated "business purposes" from Cal. Civ. Code § 1798.140(e) that are always permitted and do not trigger the right to limit:

• § 1798.140(e)(2) — Detecting security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; and prosecuting those responsible for that activity
• § 1798.140(e)(4) — Debugging to identify and repair errors that impair existing intended functionality
• § 1798.140(e)(5) — Short-term, transient use, including nonpersonalized advertising shown as part of a consumer's current interaction with the business, provided the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction
• § 1798.140(e)(8) — Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business

CPPA regulations at 11 CCR § 7027(m) enumerate additional permitted purposes that mirror the remaining § 1798.140(e) business purposes and clarify the scope of the safe harbor. When a business uses or discloses sensitive personal information solely for one or more of these purposes, the business is not required to offer the right to limit. The regulation specifies that permitted purposes include:

• Performing services on behalf of the business (service-provider and contractor uses under § 1798.140(e)(1))
• Preventing, detecting, and investigating security incidents (§ 1798.140(e)(2))
• Resisting malicious, deceptive, fraudulent, or illegal actions and prosecuting those responsible
• Ensuring the physical safety of natural persons
• Short-term, transient use (§ 1798.140(e)(5))
• Performing services such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business (§ 1798.140(e)(1))
• Undertaking internal research for technological development and demonstration (§ 1798.140(e)(6))
• Improving, upgrading, or enhancing services or devices (§ 1798.140(e)(8))

The "reasonably expected by an average consumer" standard is objective. It evaluates what a reasonable consumer—not the specific individual making the request—would anticipate when interacting with the business in the context in which the sensitive personal information was collected. CPPA regulations at 11 CCR § 7002(b) provide factors for assessing reasonable consumer expectations, including the nature of the personal information, the context in which it was collected, the source, and the disclosures made by the business at or before collection.

Uses that trigger the right to limit

If a business uses or discloses sensitive personal information for purposes beyond the safe harbor—such as:

• Cross-context behavioral advertising or retargeting based on sensitive personal information
• Selling or sharing sensitive personal information to third parties for their own commercial purposes (although sale/sharing of sensitive PI may also implicate the opt-out-of-sale right under § 1798.120)
• Profiling or inference-drawing to predict consumer characteristics, preferences, or behavior (such as health-risk scoring, creditworthiness modeling, or employment screening based on sensitive personal information)
• Disclosure to data brokers or analytics partners for uses unrelated to the services the consumer requested

—then the business must provide consumers with a notice of the right to limit and a mechanism to submit a request to limit. Cal. Civ. Code § 1798.135(a)(2); 11 CCR § 7014.

Exception — sensitive PI collected without the purpose of inferring characteristics

Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to the right to limit under § 1798.121. Cal. Civ. Code § 1798.121(d); 11 CCR § 7027(a). Such information is treated as ordinary personal information for purposes of all other CCPA sections, including the right to know, the right to delete, and the right to opt out of sale/sharing. The statute does not define "inferring characteristics," but CPRA's legislative history and CPPA guidance indicate the exception applies when the business collects sensitive personal information solely for operational or transactional purposes (e.g., collecting a driver's license number to verify age at checkout) without using that information to draw inferences, build profiles, or target the consumer based on the sensitive attributes.

Notice and homepage-link requirements — § 1798.135(a)(2)

A business that uses or discloses consumers' sensitive personal information for purposes other than those authorized by § 1798.121(a) must provide a clear and conspicuous link on its internet homepage, titled exactly "Limit the Use of My Sensitive Personal Information," that enables a consumer (or a person authorized by the consumer) to limit the use or disclosure of the consumer's sensitive personal information to the permitted purposes. Cal. Civ. Code § 1798.135(a)(2); 11 CCR § 7014(b).

The business may combine this link with the "Do Not Sell or Share My Personal Information" link into a single "Alternative Opt-out Link" titled "Your Privacy Choices" or "Your California Privacy Choices," provided the combined link directs consumers to a webpage that informs them of both rights and allows them to exercise both. § 1798.135(a)(3); 11 CCR § 7015.

The business must also provide a Notice of Right to Limit in its privacy policy, describing the consumer's right to limit and instructing how to submit a request. 11 CCR § 7014(f). If the business does not operate a website, it must establish and document an offline method (e.g., a toll-free telephone number or a mailed form) by which consumers can submit requests to limit. 11 CCR § 7014(e)(2).

Opt-out preference signals (Global Privacy Control)

A business must treat an opt-out preference signal as a valid request to limit the use of sensitive personal information. Cal. Civ. Code § 1798.135(b)(1); 11 CCR § 7025(a). The Global Privacy Control (GPC) is the most widely deployed opt-out preference signal; it transmits an HTTP header (Sec-GPC: 1) and a JavaScript property (navigator.globalPrivacyControl) indicating the consumer's intent to opt out of sale/sharing and to limit use of sensitive personal information.

When a business receives an opt-out preference signal, it must honor the signal in a frictionless manner—meaning the business processes the request without requiring further consumer action, displays confirmation, and does not charge a fee or demand additional information. 11 CCR § 7025(f). The business must apply the limit to the browser or device that sent the signal, to any consumer profile associated with that browser or device, and—if the consumer is known to the business—to the consumer's account and any offline use or disclosure of the consumer's sensitive personal information. § 7025(f)(1).

15-business-day compliance window

Upon receipt of a request to limit (whether submitted via the homepage link, an offline method, or an opt-out preference signal), a business must stop using or disclosing the consumer's sensitive personal information for purposes other than the permitted purposes as soon as feasibly possible, but no later than 15 business days from the date the business receives the request. 11 CCR § 7027(g)(1). This 15-day deadline is shorter than the 45-day response window for requests to know, delete, or correct. The regulation does not define "as soon as feasibly possible," but CPPA guidance indicates the business should implement the limitation immediately if technically feasible (e.g., by updating a database flag or suppressing the consumer's sensitive personal information from the data feeds sent to advertising platforms) and document the steps taken to meet the 15-day outer limit.

No verification required

A business may not require a consumer to verify their identity in order to submit a request to limit use of sensitive personal information. Cal. Civ. Code § 1798.121(b) (by cross-reference to § 1798.135(c)); 11 CCR § 7027(c). The request must be honored without friction. A business may deny a request to limit only if it has a good-faith, reasonable, and documented belief that the request is fraudulent. 11 CCR § 7027(c).

Effect of consumer direction

Once a business receives a consumer's direction to limit, the business is prohibited from using or disclosing the consumer's sensitive personal information for any purpose other than the permitted purposes unless the consumer subsequently provides consent for the use or disclosure for additional purposes. Cal. Civ. Code § 1798.121(b). The statute does not prescribe the form of subsequent consent, but it must be affirmative and voluntary; the business may not condition provision of goods or services on withdrawal of the limitation. The business must wait at least 12 months before requesting that the consumer authorize resumed use or disclosure of the sensitive personal information for non-permitted purposes. Cal. Civ. Code § 1798.135(c)(5) (cross-applying the opt-out-of-sale 12-month rule).

Service providers and contractors

A service provider or contractor that assists a business in performing the permitted purposes authorized by § 1798.121(a) may not use the sensitive personal information, after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information, for any other purpose. Cal. Civ. Code § 1798.121(c). Service providers and contractors are not required to honor a consumer's request to limit directly—the obligation runs to the business, and the business must direct its service providers and contractors to comply. 11 CCR § 7050(j).

Recordkeeping and consumer-request metrics

A business must maintain records of consumer requests to limit and the business's responses for at least 24 months. 11 CCR § 7101(a). Businesses that process personal information of 10 million or more consumers in the preceding calendar year must compile and publish annual consumer-request metrics in their privacy policy, including the number of requests to limit received, the number complied with in whole or in part, the number denied, and the median and mean number of days within which the business substantively responded. 11 CCR § 7102(a).

Source: Cal. Civ. Code § 1798.121 Source: Cal. Civ. Code § 1798.135 Source: Cal. Civ. Code § 1798.140 Source: 11 CCR § 7027 (CPPA Regulations, Requests to Limit Use and Disclosure of Sensitive Personal Information) Source: 11 CCR § 7014 (Notice of Right to Limit) Source: 11 CCR § 7025 (Opt-Out Preference Signals)

The CCPA/CPRA right to know consists of two distinct disclosure obligations: (1) under Cal. Civ. Code § 1798.110, the right to know what personal information has been collected, and (2) under § 1798.115, the right to know what personal information has been sold or shared. Both rights are exercisable by submitting a verifiable consumer request, subject to the 45-day response timeline and the twice-per-12-month frequency limit prescribed in § 1798.130(a)(2) and (b).

Right to know what information has been collected — § 1798.110

A consumer has the right to request that a business disclose five categories of information about personal information the business has collected about that consumer:

1. The categories of personal information it has collected about the consumer (§ 1798.110(a)(1));
2. The categories of sources from which the personal information is collected (§ 1798.110(a)(2));
3. The business or commercial purpose for collecting, selling, or sharing the personal information (§ 1798.110(a)(3));
4. The categories of third parties to whom the business discloses personal information (§ 1798.110(a)(4)); and
5. The specific pieces of personal information it has collected about the consumer (§ 1798.110(a)(5)).

A business must disclose the first four items upon receipt of a verifiable consumer request. § 1798.110(b). The fifth item—specific pieces of personal information—is the consumer's right to obtain the actual records the business has collected, such as the consumer's account profile, purchase history, browsing logs, or inferences the business has drawn. This specific-pieces disclosure is the most frequently requested and most operationally intensive requirement.

The statute requires that categories be identified "by reference to the enumerated category or categories in [§ 1798.140] that most closely describes the personal information collected." § 1798.130(a)(3)(B). The eleven statutory categories in § 1798.140(v)(1) are: identifiers; personal information described in Cal. Civ. Code § 1798.80(e) (the "California customer records" statute); protected classification characteristics; commercial information; biometric information; internet or other electronic network activity information; geolocation data; sensory data; professional or employment-related information; education information; and inferences drawn from any of the foregoing to create a profile about the consumer.

Right to know what information has been sold or shared — § 1798.115

A consumer has the right to request that a business that sells or shares the consumer's personal information, or that discloses it for a business purpose, disclose:

1. The categories of personal information that the business collected about the consumer (§ 1798.115(a)(1));
2. The categories of personal information that the business sold or shared about the consumer, and the categories of third parties to whom the information was sold or shared, presented by category or categories of personal information for each category of third party to whom the information was sold or shared (§ 1798.115(a)(2)); and
3. The categories of personal information that the business disclosed about the consumer for a business purpose, and the categories of persons to whom it was disclosed for a business purpose (§ 1798.115(a)(3)).

Unlike § 1798.110, § 1798.115 does not grant a right to request the specific pieces of personal information that were sold, shared, or disclosed for a business purpose—only the categories and the categories of recipients. The statute requires a cross-tabulated disclosure in item (2): for each category of third party (e.g., "advertising networks," "data analytics providers"), the business must list which categories of personal information were sold or shared to that category of recipient. § 1798.130(a)(4)(B).

The distinction between "sold or shared" and "disclosed for a business purpose" is critical. Sale is defined at § 1798.140(ad) as disclosing personal information to a third party for monetary or other valuable consideration (subject to enumerated exceptions). Sharing is defined at § 1798.140(ah) as disclosing personal information to a third party for cross-context behavioral advertising, whether or not for consideration. Both trigger the consumer's opt-out right under § 1798.120. Disclosure for a business purpose is defined at § 1798.140(f) and means disclosure to a service provider or contractor under a written contract that restricts the recipient's use of the information to performing services on behalf of the business, or to certain other enumerated parties (such as other consumers, parties in a merger or bankruptcy, or government entities in response to legal process). A business that only discloses personal information for a business purpose and does not sell or share is not required to respond to the sale/sharing portions of a § 1798.115 request, but must still respond to item (3) (categories disclosed for a business purpose and categories of recipients).

12-month lookback period

Disclosures pursuant to §§ 1798.110 and 1798.115 must cover the 12-month period preceding the business's receipt of the verifiable consumer request. § 1798.130(a)(3)(A). The business must disclose information collected (§ 1798.110) or sold, shared, or disclosed for a business purpose (§ 1798.115) during that trailing 12 months. If a business receives a request on June 1, 2026, it must produce records from June 1, 2025 through May 31, 2026.

The 12-month lookback is a floor. A business may disclose a longer period (e.g., the full retention period of the consumer's data) but is not required to do so. If the business has collected or retained personal information about the consumer for less than 12 months, it must disclose what it has.

Portable format and delivery — § 1798.130(a)(2)

The business must deliver the disclosure free of charge within 45 days of receipt (extendable once by an additional 45 days, for a maximum 90 days total, when reasonably necessary). § 1798.130(a)(2)(A), (B).

For responses to requests under § 1798.110(a)(5) (specific pieces of personal information), the business must deliver the information in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the information from one entity to another entity without hindrance. § 1798.130(a)(2)(A). The statute does not mandate a specific file format. The CPPA's final regulations (effective March 29, 2023, with updates effective January 1, 2026) require that the business deliver the information in a manner "reasonably accessible to the consumer" and, for specific-pieces disclosures, in a format that is portable and readily usable. 11 CCR § 7020 et seq. The CPPA's explanatory materials and enforcement advisories interpret "portable and readily usable" to mean structured data formats such as JSON, CSV, or XML when the data is structured. A PDF is generally not sufficient for a § 1798.110(a)(5) response if the data is structured (such as a database export or transaction log), because PDF is not machine-readable and does not permit the consumer to re-upload the data to another service without manual re-entry. A business may provide a PDF if the personal information is inherently unstructured (such as scanned documents or images that the business itself holds only in PDF format).

Twice-per-12-month frequency limit

A business is not obligated to provide the information required by §§ 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period. § 1798.130(b). This limit applies separately to each consumer; it does not apply to opt-out requests under § 1798.120 (no frequency cap), deletion requests under § 1798.105 (no express frequency cap in the statute), or correction requests under § 1798.106 (no frequency cap). The twice-per-12-month cap is a permissive ceiling, not a mandate: a business may choose to honor additional requests if it wishes.

No specific-pieces disclosure of Social Security number, driver's license number, or account passwords

A business is not required to disclose a consumer's Social Security number, driver's license number or other government-issued identification number, financial account number, health insurance or medical identification number, account password, or security questions and answers in response to a request under § 1798.110(a)(5) (specific pieces). § 1798.130(a)(2)(A). This exclusion applies only to the specific-pieces disclosure; the business must still disclose the categories of personal information (e.g., "government identifiers," "account access credentials") in response to a categories request under § 1798.110(a)(1) or § 1798.115.

Categories must follow the statutory enumeration

The categories of personal information disclosed pursuant to §§ 1798.110 and 1798.115 must follow the definition of personal information in § 1798.140. § 1798.130(c). A business may not create its own taxonomy (e.g., "basic contact info," "user preferences") unless it cross-walks each custom category to one of the eleven statutory categories in § 1798.140(v)(1). CPPA regulations require businesses to use "the enumerated category or categories in subdivision (v) of Section 1798.140 that most closely describes the personal information." 11 CCR § 7020(c). If a single data element falls into multiple statutory categories (e.g., an email address is both an "identifier" and "personal information described in Cal. Civ. Code § 1798.80(e)"), the business may list all applicable categories or the one that most closely describes the information in context.

Source: Cal. Civ. Code § 1798.110 Source: Cal. Civ. Code § 1798.115 Source: Cal. Civ. Code § 1798.130 Source: Cal. Civ. Code § 1798.140 (definitions) Source: 11 CCR § 7020 et seq. (CPPA Regulations, effective March 29, 2023; updated Jan. 1, 2026)

California consumers may use an authorized agent to submit requests to know, delete, correct, opt out of sale/sharing, or limit use of sensitive personal information on their behalf. Cal. Civ. Code § 1798.135(e); 11 CCR § 7063. The CCPA and CPPA regulations establish a two-track framework for authorized-agent submissions: one track for agents holding power of attorney under the California Probate Code, and a second track for all other agents (including friends, family, privacy services, and commercial authorized-agent platforms). The framework is designed to balance consumer access against fraud prevention, but it imposes verification burdens that many businesses apply inconsistently or use to reject agent requests without legal grounds.

Definition of "authorized agent" — 11 CCR § 7001(d)

An "authorized agent" is a natural person or a business entity that a consumer has authorized to act on their behalf, subject to the requirements set forth in 11 CCR § 7063. The definition does not require the agent to be registered with the California Secretary of State, as the original Attorney General regulations (former 999.326) did. The CPPA removed the registration requirement in the March 29, 2023 final regulations to reduce barriers for consumers who use out-of-state or global authorized-agent services. 11 CCR § 7001(d) (eff. March 29, 2023); CPPA Final Statement of Reasons, Feb. 3, 2023, Appendix A (public comment response 10).

Two-track verification framework

The applicable verification rules depend on whether the consumer has provided the agent with power of attorney (POA) under California Probate Code §§ 4000–4465.

Track 1 — Power of attorney (Cal. Probate Code §§ 4121–4130)

If the consumer has provided the authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130, the business may not require the agent to provide signed permission from the consumer or require the consumer to directly verify their identity with the business or confirm that they gave the agent permission to submit the request. 11 CCR § 7063(b). The statute-compliant POA is sufficient proof of authority.

A business shall not require power of attorney in order for a consumer to use an authorized agent. 11 CCR § 7063(b) (final clause). This prohibition prevents businesses from conditioning acceptance of authorized-agent requests on the consumer executing a formal POA. The regulation thus creates a carve-out for consumers who have granted POA (for whom verification is streamlined) while ensuring businesses cannot demand POA as a prerequisite.

A valid power of attorney under Probate Code §§ 4121–4130 is a written instrument executed with the formalities required by statute (signature, date, and either notarization or witness signatures under Cal. Prob. Code § 4121). The POA must grant the agent authority to act with respect to the consumer's personal information or property. If the consumer has granted POA, the business must accept the agent's submission upon presentation of the POA document.

Track 2 — All other authorized agents (11 CCR § 7063(a))

If the agent does not hold power of attorney, the business may require the agent to provide both:

1. Proof that the consumer gave the agent signed permission to submit the request on the consumer's behalf. 11 CCR § 7063(a)(1). "Signed permission" may be a physical or electronic signature. The regulation does not specify the form of the signed permission, but CPPA enforcement guidance suggests a signed authorization letter, a signed consent form on the agent's platform, or a consumer-signed declaration submitted with the request. The business may not demand a notarized signature unless the request involves sensitive personal information and the business applies notarization requirements consistently to all agent requests of that type.

1. Direct verification of the consumer's identity or direct confirmation from the consumer that they provided the agent permission to submit the request. 11 CCR § 7063(a)(2). The business may contact the consumer directly (via email, telephone, or other means) to confirm the agent's authority, or require the consumer to log in to their password-protected account and confirm the request there. This step protects against fraudulent or unauthorized agent submissions.

The statute specifies that the business may require "that the consumer directly confirm with the business that the consumer provided the authorized agent permission to submit the request" or "directly verify the consumer's identity." Cal. Civ. Code § 1798.135(e)(2). Courts and the CPPA read "may" as permissive, not mandatory: businesses are not required to verify agent submissions under Track 2, but they may do so. However, if a business chooses to impose verification, it must do so consistently and in compliance with the verification standards in 11 CCR §§ 7060–7062 (reasonable degree of certainty for categories; reasonably high degree of certainty for specific pieces, deletion, or correction).

The CPPA March 7, 2025 Hearing and Modification Order in In re Honda Motor Co., Case No. ENF23-V-HO-2, clarified that a business may not deny an authorized-agent request solely because the business sent correspondence to the consumer's email address (the address the agent listed as the consumer's preferred contact method) and the consumer did not respond. The business must take reasonable steps to verify the agent's authority, but silence from the consumer is not grounds for automatic denial if the agent has provided the signed permission required by § 7063(a)(1). The Order noted that Honda's practice of sending an email to the consumer and denying the agent's request when the consumer did not respond within a short window was inconsistent with § 7063 and constituted an impermissible verification requirement.

No verification for opt-out and limit requests — 11 CCR §§ 7026(j), 7027(i)

A business may not require a consumer to verify their identity in order to submit a request to opt out of sale/sharing (Cal. Civ. Code § 1798.120(c); 11 CCR § 7026(g)) or to limit use of sensitive personal information (Cal. Civ. Code § 1798.121(b); 11 CCR § 7027(h)). This prohibition also applies to authorized-agent submissions of opt-out and limit requests. 11 CCR § 7026(j) (opt-out); 11 CCR § 7027(i) (limit).

When an authorized agent submits a request to opt out or a request to limit on behalf of a consumer, the business shall process the request in a frictionless manner. The business may not require the agent to provide signed permission from the consumer, may not require the consumer to verify their identity or confirm that they gave the agent permission, and may not require the agent to hold power of attorney. 11 CCR §§ 7026(j), 7027(i); Cal. Civ. Code § 1798.135(e) (exception for opt-out requests).

This rule reflects the statute's policy determination that opt-out and limit requests are low-risk (the consumer is opting out of a disclosure, not requesting access to data) and high-friction verification would undermine the consumer's ability to exercise the right effectively. The business must honor the agent's opt-out or limit request using the same procedures it applies to direct consumer requests, including opt-out preference signals (Global Privacy Control).

Security and use restrictions on authorized agents — 11 CCR § 7063(c)–(d)

An authorized agent must implement and maintain reasonable security procedures and practices to protect the consumer's information. 11 CCR § 7063(c). The regulation does not define "reasonable," but it incorporates the data-security principles set forth elsewhere in the CCPA (encryption, access controls, audit logs, and breach response). The CPPA has stated in enforcement advisories that authorized agents handling large volumes of consumer requests (commercial privacy platforms, data-broker opt-out services) must implement enterprise-grade security commensurate with the sensitivity and volume of personal information they process.

An authorized agent shall not use a consumer's personal information, or any information collected from or about the consumer, for any purposes other than (1) fulfilling the consumer's requests, (2) verification, or (3) fraud prevention. 11 CCR § 7063(d). An agent that collects a consumer's name, email, and Social Security number to submit a deletion request may use that information to verify the consumer's identity with the business and to detect fraudulent requests, but may not sell the information to third parties, use it to build marketing profiles, or repurpose it for other commercial activities. Violations of § 7063(d) may constitute both a CCPA violation (unauthorized use of personal information) and an unfair business practice under California Business & Professions Code § 17200.

Practical compliance notes

Businesses frequently reject authorized-agent requests by (1) demanding notarized power of attorney, (2) requiring the consumer to create a password-protected account solely to confirm the agent's authority, or (3) denying the request if the consumer does not respond to an email within 48 hours. All three practices are inconsistent with 11 CCR § 7063 and Cal. Civ. Code § 1798.135(e). The CPPA has identified authorized-agent denials as a priority enforcement area in 2024–2026.

As a matter of best practice (not a hard legal mandate), businesses that receive high volumes of authorized-agent requests should implement intake procedures that (1) identify whether the agent holds POA (Track 1) or is submitting under the signed-permission pathway (Track 2); (2) request the signed permission document if Track 2 applies; (3) apply the same verification standards to agent requests as to direct consumer requests (11 CCR §§ 7060–7062); and (4) give the consumer a reasonable period to respond to any confirmation request before denying the agent's submission. While the regulations do not specify a minimum response window, industry guidance and the Honda enforcement order suggest that a denial based on lack of consumer response within 48–72 hours is inconsistent with the requirement to process requests in good faith; a 10- to 14-day window is more defensible.

Source: Cal. Civ. Code § 1798.135 Source: 11 CCR § 7063 (CPPA Regulations, effective March 29, 2023; updated Jan. 1, 2026) Source: 11 CCR §§ 7026, 7027 (Opt-Out and Limit Requests via Authorized Agents) Source: CPPA Hearing and Modification Order, In re Honda Motor Co., Case No. ENF23-V-HO-2 (March 7, 2025)