California Data Privacy Laws: CCPA, CPRA & Consumer Rights (2026)

California's data privacy law, the CCPA as amended by the CPRA (Cal. Civ. Code §§ 1798.100-1798.199.100), gives residents six enforceable rights: to know, delete, correct, and opt out of the sale or sharing of their personal information, to limit use of sensitive data, and to be free from discrimination for exercising those rights.
California has the most comprehensive data privacy framework in the United States. The state's protections go well beyond what federal law requires, giving residents powerful rights over how businesses collect, use, and share their personal information.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), forms the foundation of that framework. Additional statutes covering data breaches, student data, online privacy policies, data brokers, and specific data categories layer further protections on top.
This guide covers every major California data privacy law currently in effect, including the latest 2025-2026 regulations and enforcement actions.

The CCPA and CPRA: California's Core Privacy Law
The California Consumer Privacy Act was signed into law in 2018 and took effect January 1, 2020. California voters then approved Proposition 24 in November 2020, creating the CPRA. The CPRA did not replace the CCPA. Instead, it amended and expanded the existing law, added new consumer rights, and created the California Privacy Protection Agency (CPPA) as the first dedicated state privacy regulator in the country.
The CPRA amendments took effect January 1, 2023. The combined law is codified at California Civil Code Sections 1798.100 through 1798.199.100 and is still commonly called the CCPA. Two additional amendments signed in September 2024 took effect January 1, 2025: AB 1008, which clarified that personal information includes data embedded in AI and other abstract digital systems, and SB 1223, which added neural data to the sensitive personal information category.
Which Businesses Must Comply
The CCPA applies to for-profit businesses that do business in California and meet at least one of three thresholds, adjusted for inflation in January 2025:
- Annual gross revenue of $26.625 million or more
- Buy, sell, or share the personal information of 100,000 or more California residents or households
- Derive 50% or more of annual revenue from selling or sharing California residents' personal information
Nonprofit organizations and government agencies are not subject to the CCPA. Certain data categories are also exempt, including medical information covered by HIPAA, consumer credit data under the FCRA, and data collected under the Gramm-Leach-Bliley Act.
What Counts as Personal Information
Under Section 1798.140, personal information is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to a particular consumer or household. Examples include names, Social Security numbers, email addresses, purchase histories, browsing activity, geolocation data, fingerprints, and inferences used to build consumer profiles.
AB 1008, effective January 1, 2025, clarified that personal information retains its character regardless of format, including when it is embedded in generative AI systems or other abstract digital environments.
Sensitive Personal Information
The CPRA introduced a separate sensitive personal information category with stronger protections. Sensitive personal information includes:
- Social Security numbers, driver's license numbers, and state ID numbers
- Financial account numbers combined with access credentials
- Precise geolocation data
- Racial or ethnic origin, religious or philosophical beliefs, and union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information used for identification
- Health information
- Information about sex life or sexual orientation
- Neural data (added by SB 1223, effective January 1, 2025)
Consumers have the right to direct businesses to limit their use and disclosure of sensitive personal information to what is necessary to provide the requested goods or services.

Six Core Consumer Rights Under the CCPA
California residents have six fundamental privacy rights under the CCPA. Businesses must honor these rights regardless of whether the consumer is a current customer.
Right to Know
Consumers can request that a business disclose what personal information it has collected about them, the sources of collection, the business purposes, and the categories of third parties with whom the information is shared. Businesses must respond to a verifiable consumer request within 45 calendar days and may extend by an additional 45 days with notice. Consumers may submit this request up to twice per year at no cost.
Right to Delete
Consumers can request deletion of personal information a business has collected about them. The business must also direct its service providers and contractors to delete the data. Exceptions exist for data needed to complete a transaction, detect security incidents, or comply with legal obligations, among others listed in Section 1798.105.
Right to Correct
Added by the CPRA and effective since January 1, 2023, consumers can ask businesses to correct inaccurate personal information. Businesses must make commercially reasonable efforts to correct the information within 45 calendar days of receiving a verified request.
Right to Opt-Out of Sale or Sharing
Consumers can direct a business to stop selling or sharing their personal information. Businesses that sell or share personal information must display a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their website.
Businesses must also honor Global Privacy Control (GPC) browser signals. Once a consumer opts out, the business must wait at least 12 months before asking that consumer to opt back in.
Right to Limit Use of Sensitive Personal Information
Consumers can direct businesses to limit use of their sensitive personal information to what is necessary to perform the requested service. Businesses must provide a "Limit the Use of My Sensitive Personal Information" link, or combine it with the opt-out link.
Right to Non-Discrimination
Businesses cannot penalize consumers for exercising their CCPA rights. A business may not deny goods or services, charge different prices, or provide a different level of quality based on a consumer's exercise of privacy rights.
Business Obligations Under the CCPA
Privacy Notice Requirements
Businesses must provide a notice at collection listing the categories of personal information being collected and the purposes for each category, provided at or before the point of collection. Businesses must also maintain a privacy policy covering all personal information collected in the past 12 months, the sources, the purposes, the categories of third parties to whom it is disclosed, and a description of each consumer right.
Request Handling
Businesses must provide at least two methods for consumers to submit requests, including a toll-free telephone number and a website address. Businesses must acknowledge receipt within 10 business days and respond substantively within 45 days. For opt-out requests, businesses must comply within 15 business days.
Service Provider Contracts
Written contracts with service providers must prohibit the service provider from selling or sharing personal information, using it for purposes outside the contract, or retaining it after the business relationship ends.
Child Privacy Protections
The CCPA prohibits selling or sharing the personal information of consumers known to be under 16 without affirmative authorization. For children under 13, a parent or guardian must opt in. For consumers aged 13 to 15, the minor must opt in. The California AG has actively enforced these provisions against gaming and streaming companies.

2025-2026 CCPA Regulation Updates
The ADMT, Cybersecurity Audit, and Risk Assessment Package
The CPPA Board adopted a major regulation package on July 24, 2025. The Office of Administrative Law approved and filed the regulations with the Secretary of State on September 22, 2025. Most requirements took effect January 1, 2026. The package covers four areas:
Automated Decisionmaking Technology (ADMT): Consumers gain rights to receive notice about, access information regarding, and opt out of a business's use of ADMT for decisions with legal or similarly significant effects. Businesses that use ADMT in significant-decision contexts must comply starting January 1, 2027. Businesses using ADMT for profiling in workplace or educational contexts have until January 1, 2028.
Cybersecurity Audits: Businesses whose processing of personal information presents significant risk to consumers must complete annual cybersecurity audits. Which businesses qualify depends on data type and volume thresholds defined in the regulations.
Risk Assessments: Businesses engaged in high-risk processing activities must conduct and submit risk assessments to the CPPA. Assessments must evaluate the benefits and risks of each processing activity and identify safeguards.
Insurance Company Compliance: The regulations clarify when insurance companies must comply with CCPA requirements, addressing a prior gap in the regulatory framework.
CCPA Penalties and Enforcement
Enforcement authority is split between the California Privacy Protection Agency (CPPA) and the California Attorney General (AG). The CPPA handles violations occurring on or after July 1, 2023. The AG retains authority over earlier violations and exercises concurrent jurisdiction in some areas. Consumers have a limited private right of action in data breach cases.
Penalty Structure
As of January 2025, penalties are adjusted for inflation and stand at:
| Violation Type | Penalty Amount |
|---|---|
| Unintentional violation | Up to $2,663 per violation |
| Intentional violation | Up to $7,988 per violation |
| Violation involving a minor under 16 | Up to $7,988 per violation |
These amounts adjust every odd-numbered year based on the California Consumer Price Index.
Private Right of Action for Data Breaches
Under Section 1798.150, consumers may sue businesses directly when their unencrypted and unredacted personal information is stolen because the business failed to maintain reasonable security. Statutory damages range from $107 to $799 per consumer per incident, or actual damages, whichever is greater. Consumers must provide 30 days' written notice and an opportunity to cure before filing suit.

Recent Enforcement Actions: CPPA
The CPPA has brought the following notable actions since it assumed enforcement authority in 2023:
Honda Motor Co. (March 2025): The CPPA settled with American Honda for $632,500 over violations including requiring consumers to provide excessive personal information before exercising CCPA opt-out rights, making the verification process unduly burdensome.
Todd Snyder, Inc. (May 2025): The clothing retailer paid $345,178 for failing to properly configure its opt-out infrastructure for 40 days, requesting more consumer information than necessary, and requiring identity verification for opt-out requests.
Tractor Supply Company (September 2025): The CPPA issued its largest fine to date, $1,350,000, for failing to maintain proper privacy notices, failing to inform job applicants of their privacy rights, lacking effective opt-out mechanisms including Global Privacy Control, and sharing data with third parties without contractual privacy protections.
Recent Enforcement Actions: California Attorney General
Sephora (August 2022): The AG secured a $1,200,000 settlement for failing to disclose that it was selling consumers' personal information and failing to honor Global Privacy Control opt-out signals.
DoorDash (February 2024): The AG obtained a $375,000 settlement after DoorDash sold customers' personal information through a marketing cooperative without providing notice or an opt-out opportunity.
Tilting Point Media (June 2024): The AG and Los Angeles City Attorney secured a $500,000 settlement against the maker of "SpongeBob: Krusty Cook-Off" for collecting and sharing children's personal data without parental consent, violating both the CCPA and the federal COPPA.
Healthline Media (July 2025): The AG obtained the largest AG-led CCPA settlement to date at $1,550,000 for sharing health-related user data with third-party advertisers without required protections, including data suggesting users may have serious medical conditions.
General Motors (2025-2026): The AG, together with multiple district attorneys and with CPPA support, announced a $12,750,000 settlement against GM for selling hundreds of thousands of Californians' OnStar driving and location data to data brokers, which then sold the data to insurance companies for rate-setting purposes. The settlement is subject to court approval.
Disney (February 2026): The AG secured a $2,750,000 settlement against The Walt Disney Company for failing to honor opt-out requests across Disney+, Hulu, and ESPN+. This is currently the largest CCPA settlement in California history.
California Data Breach Notification Law
California's data breach notification law, Civil Code Section 1798.82, was one of the first of its kind in the nation when enacted in 2003.
When Notification Is Required
A business or person who owns or licenses computerized personal information and does business in California must notify affected residents when their unencrypted personal information is acquired, or reasonably believed to have been acquired, by an unauthorized person. If encrypted data is breached along with the encryption key, notification is still required.
What Triggers Notification
A data breach notification is required when the compromised data includes a person's first name or initial and last name combined with any of the following:
- Social Security number
- Driver's license number or California identification card number
- Financial account number or credit or debit card number combined with any required access code
- Medical information or health insurance information
- Biometric data collected for authentication
- Genetic data
- Tax identification number, passport number, or military identification number
A breach of a username or email address combined with a password or security question and answer also requires notification.
Notification Timeline and Requirements
Businesses must notify affected consumers within 30 calendar days of discovering the breach. A reasonable delay is permitted for law enforcement purposes or to determine the breach's scope. When a breach affects more than 500 California residents, the business must submit a sample notice to the Attorney General within 15 days.
The required notice must be written in plain language, use a minimum 10-point font, and contain five labeled sections: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information."
California's Delete Act and the DROP Platform
The California Delete Act, signed in 2023, established the Delete Request and Opt-Out Platform (DROP), a state-hosted website where California residents can submit a single deletion request that applies to every registered data broker in the state. The DROP launched in January 2026.
Starting August 1, 2026, registered data brokers must check the DROP at least every 45 days and process deletion requests for any matching consumer records. Data brokers must report the status of each deletion request within 45 days of retrieving it.
Data Broker Registration Requirements
Businesses operating as data brokers must register with the CPPA by January 31 each year and pay an annual fee of $6,000. The CPPA manages the registry (transferred from the AG effective January 1, 2024) and has launched a dedicated data broker enforcement strike force.
The CPPA has already fined unregistered data brokers. In January 2026, it fined Rickenbacher Data LLC $45,000 for selling personal information of millions of people with serious health conditions without registering.

Other California Privacy Statutes
California Online Privacy Protection Act (CalOPPA)
CalOPPA (Bus. & Prof. Code §§ 22575-22579), enacted in 2003, requires operators of commercial websites and online services that collect personal information from California residents to post a privacy policy. The policy must identify the categories of personal information collected, the categories of third parties with whom information may be shared, the process for consumers to review and request changes to their information, and how the operator responds to "Do Not Track" browser signals.
Shine the Light Law
California's "Shine the Light" law (Civil Code §§ 1798.83-1798.84) gives consumers the right, once per year, to request a list of the categories of personal information shared with third parties for direct marketing purposes and the names and addresses of those third parties. Businesses may instead offer consumers an opt-out from such sharing.
Student Online Personal Information Protection Act (SOPIPA)
SOPIPA (SB 1177, 2014) prohibits operators of K-12 educational technology services from using student data to build profiles for non-educational purposes, selling student information, or engaging in targeted advertising based on student data. Operators must maintain reasonable security procedures to protect student information.
Age-Appropriate Design Code Act
California enacted the Age-Appropriate Design Code Act (AB 2273) in 2022, requiring online businesses likely to be accessed by children to conduct data protection impact assessments and implement default privacy protections. As of May 2026, enforcement remains blocked by a federal court injunction following a First Amendment challenge. The AG has appealed.
Federal Privacy Law Overlay
Several federal statutes apply alongside California's state law.
HIPAA covers covered entities and their business associates in the healthcare sector. GLBA applies to financial institutions. FCRA governs consumer reporting agencies. COPPA protects children under 13 in online contexts and was central to the Tilting Point enforcement action described above.
FTC Act Section 5 gives the Federal Trade Commission authority to pursue deceptive and unfair data practices by businesses outside the sectors covered by sector-specific laws.
TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025): This federal law criminalizes knowingly publishing or threatening to share non-consensual intimate imagery, including AI-generated images of real identifiable individuals. Criminal provisions took effect immediately at signing. Platform notice-and-takedown obligations, enforced by the FTC, took effect May 19, 2026. Platforms must remove reported images within 48 hours.
American Privacy Rights Act (APRA): A bipartisan federal comprehensive privacy bill was introduced in 2024 as H.R. 8818 but expired at the end of the 118th Congress in January 2025 without passing. The bill has not been reintroduced in the current Congress. No federal comprehensive privacy law has been enacted as of May 2026.

How California Compares to Other State Privacy Laws
California's privacy framework stands apart from other state laws in several respects:
Dedicated enforcement agency: California is the only state with a standalone privacy enforcement agency (the CPPA). Every other state relies on its attorney general to enforce its comprehensive privacy law.
Private right of action: California allows consumers to sue directly for data breaches. Most other state privacy laws provide no private right of action at all.
Data broker registry and DROP: No other state requires data brokers to register and provides a centralized one-click deletion mechanism.
Revenue threshold: California's $26.625 million revenue threshold has no equivalent in Virginia, Colorado, Connecticut, or most other states with comprehensive privacy laws.
Sensitive data scope: California's sensitive personal information category, now including neural data, is among the broadest of any state law. For a full comparison across all 50 states, see the world data privacy laws overview.
Practical Compliance Steps for Businesses
Businesses subject to the CCPA should take these steps to reduce enforcement risk:
First, confirm whether you meet any of the three CCPA thresholds (revenue, data volume, or revenue-from-sale percentage). If you do, audit the personal information you collect, process, and share. Map it to the categories in Section 1798.140 and identify which categories are sensitive.
Second, update your privacy policy to cover all 12-month collection activity and add the required opt-out links. Verify that your opt-out and limit-sensitive-data links are conspicuous and functional. Configure your privacy portal to accept Global Privacy Control signals automatically.
Third, put written contracts in place with every service provider and contractor that receives personal information. Contracts must include the restrictions specified in Section 1798.140(ag).
Fourth, review your data retention practices. Businesses should only retain personal information as long as reasonably necessary for the disclosed purpose. The GM case illustrates the risk of retaining data beyond its original purpose and then selling it.
Fifth, if your processing activities will trigger the new cybersecurity audit or risk assessment requirements under the September 2025 regulations, begin planning those processes now. ADMT-specific opt-out mechanisms are required for businesses with significant-decision use cases beginning January 1, 2027.
How California Residents Exercise Their Rights
California residents can submit requests through any covered business's designated request methods, which must include at minimum a toll-free telephone number and a web form. Businesses must respond within 45 days (with a possible 45-day extension).
For opt-out requests specifically, businesses must comply within 15 business days. Consumers who have installed a Global Privacy Control-compatible browser or extension can trigger opt-out automatically without submitting a manual request.
For data broker deletions, the CPPA DROP platform at cppa.ca.gov accepts single deletion requests that apply to all registered data brokers starting in 2026. Data brokers must process matching requests within 45 days of retrieving them.
To file a complaint about a CCPA violation, consumers can contact the CPPA for violations occurring on or after July 1, 2023, or the California AG for earlier violations or violations falling under the AG's independent authority.
Frequently Asked Questions
Does the CCPA apply to small businesses in California?
The CCPA applies only to for-profit businesses meeting at least one of three thresholds: annual gross revenue of $26.625 million or more; buying, selling, or sharing personal information of 100,000 or more California residents or households; or deriving 50% or more of annual revenue from selling personal information. Businesses that do not meet any threshold are not covered. However, all California businesses remain subject to the state data breach notification law (Civil Code § 1798.82) and to CalOPPA if they operate a commercial website.
How do I opt out of the sale of my personal information in California?
Click the "Do Not Sell or Share My Personal Information" link required on covered businesses' websites. You can also use a browser extension that sends a Global Privacy Control signal, which covered businesses must honor automatically. Starting in 2026, you can also use the state-run DROP platform at cppa.ca.gov to send a single deletion request to all registered data brokers.
What are the penalties for CCPA violations in 2025 and 2026?
As of January 2025, the CPPA or AG can impose fines of up to $2,663 per unintentional violation and up to $7,988 per intentional violation or any violation involving a consumer under 16. For data breaches caused by a business's failure to maintain reasonable security, affected consumers can sue for $107 to $799 per consumer per incident, or actual damages, whichever is greater. Penalty amounts are adjusted every two years based on the California Consumer Price Index.
What is the California DELETE Act and the DROP platform?
The Delete Act, signed in 2023, created the Delete Request and Opt-Out Platform (DROP), a state-run website where California residents can submit one deletion request that applies to every registered data broker in the state. The DROP launched in January 2026. Beginning August 1, 2026, data brokers must check the platform at least every 45 days and process matching deletion requests within 45 days. Data brokers must register with the CPPA annually and pay a $6,000 fee.
Does California's privacy law cover neural data and AI systems?
Yes. SB 1223, signed September 28, 2024 and effective January 1, 2025, added neural data to the sensitive personal information category under the CCPA. Neural data is defined as information generated by measuring the activity of a consumer's central or peripheral nervous system. AB 1008, also effective January 1, 2025, clarified that personal information includes data embedded in generative AI and other abstract digital formats.
What is the difference between AG enforcement and CPPA enforcement?
The California Attorney General enforced the CCPA exclusively from January 2020 through June 2023. The CPPA assumed primary enforcement authority for violations occurring on or after July 1, 2023. Both agencies can bring actions in some circumstances: the AG retains authority over certain violations and exercises concurrent jurisdiction in areas such as children's privacy. The CPPA has additional authority over the Delete Act's data broker registry program.
What are the new automated decisionmaking regulations effective in 2026?
The CPPA Board adopted ADMT regulations on July 24, 2025, approved by the Office of Administrative Law on September 22, 2025, with general regulations effective January 1, 2026. These give consumers the right to receive notice about, access information regarding, and opt out of a business's use of automated decisionmaking technology for decisions with legal or similarly significant effects. Businesses with significant-decision use cases must comply by January 1, 2027; businesses using ADMT for workplace or educational profiling must comply by January 1, 2028.
Does California's privacy law apply to employees and job applicants?
Yes. CPRA amendments that took effect January 1, 2023 removed a prior partial exemption for employee and job applicant data, bringing that data fully under the CCPA's requirements. The Tractor Supply enforcement action in September 2025 specifically cited the company's failure to inform job applicants of their privacy rights as a CCPA violation.