
CCPA Consumer Rights: Complete Guide to Data Subject Rights

The California Consumer Privacy Act grants California residents comprehensive rights over their personal information. Understanding these rights is essential for businesses to build compliant processes and respond to consumer requests effectively.

Key Takeaways

Point Summary
Number of rights Six core rights plus non-discrimination protection
Who has rights California residents (not limited to customers)
Response deadline 45 days, extendable to 90 days with notice
Verification required Businesses must verify consumer identity before fulfilling requests
No fee Businesses cannot charge for exercising rights (with limited exceptions)

Quick Answer: California consumers have the right to know, delete, correct, opt-out of sale/sharing, limit sensitive data use, and receive equal service and pricing. Businesses must respond within 45 days (extendable to 90) and cannot charge fees or discriminate against consumers who exercise their rights.

Overview of CCPA Consumer Rights

Right Description CPRA Addition?
Right to Know Access personal information collected, used, and shared Original CCPA
Right to Delete Request deletion of personal information Original CCPA
Right to Opt-Out Opt out of sale or sharing of personal information Enhanced by CPRA
Right to Non-Discrimination Equal service and pricing regardless of rights exercise Original CCPA
Right to Correct Request correction of inaccurate personal information Added by CPRA
Right to Limit Limit use of sensitive personal information Added by CPRA

Right to Know

Consumers have the right to know what personal information a business collects, uses, and discloses.

Two Types of Know Requests

Request Type What It Covers
Categories request Categories of personal information collected, sources, purposes, and third parties
Specific pieces request Actual personal information collected about the consumer

What Businesses Must Disclose

Disclosure Element Details
Categories of personal information What types of data have been collected
Specific pieces The actual data (upon request)
Sources Where the data came from
Business purposes Why the data is collected and used
Third parties Categories of entities data is shared with
Selling/sharing Whether data has been sold or shared

Right to Know Requirements

Requirement Details
Look-back period At least the 12 months preceding the request; for information collected on or after January 1, 2022, consumers may ask for older data unless providing it would be impossible or involve disproportionate effort
Format Portable, readily usable format (often JSON or CSV)
Delivery Secure method, electronic if requested electronically
Free requests At least 2 free Right to Know (specific pieces) requests per 12-month period

Right to Delete

Consumers can request that businesses delete their personal information.

Deletion Request Handling

Step Business Obligation
Receive request Accept through designated channels
Verify identity Confirm consumer is who they claim to be
Locate data Search all systems where data may be stored
Delete data Permanently delete, deidentify, or aggregate the data in active systems; copies in archives or backups may be handled when that storage is next accessed or used
Instruct service providers Direct them to delete as well
Confirm deletion Notify consumer of completion

Exceptions to Deletion

Businesses may deny deletion requests when the information is necessary for:

Exception Example
Complete a transaction Fulfilling an active order
Security Detecting security incidents
Debug/repair Fixing system errors
Free speech Exercising speech rights
Legal compliance Complying with other laws
Research Certain statistical research
Internal uses Reasonably aligned with expectations
Legal claims Defending or exercising legal rights

Deletion vs. Anonymization

Businesses may deidentify or aggregate the information instead of deleting it. Information counts as deidentified only if the business:

  • Takes reasonable measures to ensure it cannot be associated with a consumer or household
  • Publicly commits to keep it deidentified and not to attempt to reidentify it
  • Contractually obligates any recipients to do the same

Right to Opt-Out of Sale or Sharing

Consumers can direct businesses to stop selling or sharing their personal information. For detailed implementation requirements, see opt-out requirements.

What Constitutes "Sale"?

Activity Considered Sale?
Exchanging data for money Yes
Transferring data for other valuable consideration Yes
Sharing with service providers (under contract) No
Disclosing at consumer direction No
Transferring as part of business acquisition No

What Constitutes "Sharing"?

Activity Considered Sharing?
Transferring data for cross-context behavioral advertising Yes
Third-party advertising cookies Yes
Behavioral retargeting Yes
First-party contextual advertising No

Opt-Out Implementation

Requirement Details
Clear link "Do Not Sell or Share My Personal Information"
Location Homepage and privacy policy
No account required Must be usable without login
Global Privacy Control Must honor GPC browser signals
Response timing As soon as feasibly possible, and no later than 15 business days from receipt of the request
Re-authorization 12 months before asking consumer to opt back in

Global Privacy Control (GPC)

Aspect Details
What it is Browser-level opt-out signal
Legal status Businesses must honor as valid opt-out request
How it works The browser or an extension sends the request header Sec-GPC: 1 with every request (and exposes navigator.globalPrivacyControl to page scripts); the consumer sets it once and takes no action on each site
Business obligation Treat GPC as opt-out of sale/sharing
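Server-side handling of the signal described in the two tables above, as an added example that is not code from the original page. It treats the header Sec-GPC with the exact value 1 as an opt-out, ignores malformed values, falls back to a previously stored opt-out cookie, and gates a cross-context advertising tag on the result. The plain header dict, the cookie name SALE_OPT_OUT_COOKIE and the tag names are assumptions made for the example.

```python
"""Treating the Global Privacy Control signal as an opt-out of sale/sharing.

Added example, not code from the original page. It assumes a plain dict of
request headers (as a WSGI or ASGI adapter would provide) and a hypothetical
opt-out cookie name, SALE_OPT_OUT_COOKIE.
"""
from http.cookies import SimpleCookie
from typing import Optional

SALE_OPT_OUT_COOKIE = "ccpa_opt_out"  # hypothetical cookie name


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def has_gpc_signal(headers: dict) -> bool:
    """True when the request carries a valid GPC signal.

    The GPC specification defines the signal as the request header
    'Sec-GPC' with the exact value '1'. Any other value ('0', 'true',
    'yes') is not a signal and must not be treated as an opt-out.
    Because the name starts with 'Sec-', browsers refuse to let page
    scripts set or strip it, so the server can trust that it reflects
    the user agent's settings rather than injected page JavaScript.
    """
    value = _header(headers, "Sec-GPC")
    return value is not None and value.strip() == "1"


def opted_out_of_sale(headers: dict) -> bool:
    """Effective opt-out status for this request.

    A GPC signal or a previously recorded explicit opt-out both count,
    and neither requires the visitor to be logged in.
    """
    if has_gpc_signal(headers):
        return True
    jar = SimpleCookie(_header(headers, "Cookie") or "")
    morsel = jar.get(SALE_OPT_OUT_COOKIE)
    return morsel is not None and morsel.value == "1"


def ad_tags_for(headers: dict) -> list:
    """Decide which tags the page may load for this request."""
    tags = ["first-party-analytics"]  # no disclosure to a third party
    if not opted_out_of_sale(headers):
        # A cross-context advertising pixel discloses PI to a third party
        # for behavioural advertising, which the statute calls "sharing".
        tags.append("cross-context-ad-pixel")
    return tags


if __name__ == "__main__":
    print(ad_tags_for({"Sec-GPC": "1"}))
    print(ad_tags_for({"Cookie": "session=abc"}))
```

When the visitor is identifiable (logged in, or tied to a pseudonymous profile), record the GPC-derived opt-out against that identity so it persists beyond the single request, and do not solicit an opt-in again for 12 months.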

Right to Non-Discrimination

Businesses cannot penalize consumers for exercising their CCPA rights.

Prohibited Discrimination

Prohibited Action Example
Denying services Refusing to provide service after opt-out
Charging different prices Higher prices for those who delete data
Different quality Degraded service for rights exercisers
Suggesting different treatment Implying worse service if rights used

Financial Incentives Exception

Businesses may offer financial incentives for data collection if:

Requirement Details
Clear disclosure Incentive terms must be explained
Opt-in consent Consumer must affirmatively agree
Non-coercive Cannot be structured as penalty
Proportional Value must be reasonably related to data value
Easy withdrawal Consumer can withdraw at any time

Right to Correct

Added by CPRA, consumers can request correction of inaccurate personal information.

Correction Request Handling

Step Business Obligation
Receive request Accept through designated channels
Verify identity Confirm consumer identity
Evaluate accuracy Assess whether data is inaccurate
Make corrections Use commercially reasonable efforts
Instruct service providers Direct them to correct as well
Document Maintain correction records

Correction Considerations

Consideration Details
Documentation Business may request evidence supporting correction
Complexity Multi-source data may require reasonable investigation
Scope Applies to factual inaccuracies, not opinions
Refusal Business may deny if accuracy cannot be verified

Right to Limit Use of Sensitive Personal Information

Consumers can limit how businesses use their sensitive personal information.

Permitted Uses After Limitation

When a consumer limits SPI use, businesses may only use it for:

Permitted Purpose Description
Providing goods/services Fulfilling the consumer's request
Security Detecting security incidents
Quality and safety Ensuring quality, verifying safety
Short-term use Contextual advertising (not cross-context)
Performing services Service provider activities
Debugging Identifying and repairing errors
Protection Protecting business and consumer rights

Implementation Requirements

Requirement Details
Clear link "Limit the Use of My Sensitive Personal Information"
Alternative A single "Your Privacy Choices" link covering both the opt-out and the limit request is acceptable
Honor request Stop non-essential SPI processing
Service providers Instruct them to limit as well

Responding to Consumer Requests

Request Intake Methods

Businesses must provide at least two methods for submitting requests:

Method Requirement
Toll-free number Required for businesses with physical locations or offline operations
Email address Sufficient for businesses operating exclusively online
Website form Required as one of the methods if the business maintains a website
In-app submission Optional but recommended for apps

Note: Businesses operating exclusively online with direct consumer relationships may provide only an email address for requests. Businesses with offline components must provide a toll-free number.

Response Timeline

Phase Timeline
Confirmation Within 10 business days of receipt
Substantive response Within 45 calendar days
Extension Additional 45 days if reasonably necessary
Extension notice Must inform consumer of delay and reason

Identity Verification

Request Type Verification Level
Categories request Reasonable degree of certainty
Specific pieces request Reasonably high degree of certainty
Deletion request Reasonable to reasonably high (depends on sensitivity)

Verification methods:

  • Matching data points (name, email, account info)
  • Signed declaration under penalty of perjury
  • Account authentication (for account holders)
  • Third-party verification services
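Tiered verification of the kind the table and list above describe, as an added example that is not code from the original page. The thresholds (two matching data points for a reasonable degree of certainty, three plus a signed declaration for a reasonably high degree) follow the CCPA regulations; the consumer record layout, the field names and the normalisation rules are hypothetical.

```python
"""Tiered identity verification for consumer requests.

Added example, not code from the original page. The thresholds (two
matching data points for a "reasonable" degree of certainty, three plus a
signed declaration for a "reasonably high" degree) follow the CCPA
regulations; the record layout, field names and normalisation rules are
hypothetical.
"""
import hashlib
import hmac

# request type -> (matching data points needed, signed declaration needed)
REQUIRED = {
    "categories": (2, False),       # reasonable degree of certainty
    "specific_pieces": (3, True),   # reasonably high degree of certainty
    "delete": (2, False),           # ordinary deletion
    "delete_sensitive": (3, True),  # deletion whose loss would harm the consumer
}

# Constructed sample data: what the business holds vs. what the requester typed.
SAMPLE_RECORD = {"email": "jane@example.com", "phone": "555-010-2468",
                 "postal_code": "90210", "last_order_id": "A1"}
SAMPLE_CLAIM = {"email": "Jane@Example.com", "phone": "(555) 010-2468",
                "postal_code": "90210"}


def _normalise(field: str, value: str) -> str:
    """Canonicalise so formatting differences do not fail an honest consumer."""
    text = " ".join(str(value).split()).lower()
    if field == "phone":
        text = "".join(ch for ch in text if ch.isdigit())[-10:]
    return text


def _digest(field: str, value: str) -> bytes:
    return hashlib.sha256(f"{field}:{_normalise(field, value)}".encode()).digest()


def count_matches(record: dict, claimed: dict) -> int:
    """Number of claimed data points that match the stored record.

    Values are compared as fixed-length digests with hmac.compare_digest, so
    someone probing the form cannot learn from response timing how much of a
    guessed value was correct. Only fields the business already holds can
    count; a value the business never collected proves nothing about identity.
    """
    matches = 0
    for field, value in claimed.items():
        if field in record and hmac.compare_digest(
            _digest(field, record[field]), _digest(field, value)
        ):
            matches += 1
    return matches


def verify(req_type: str, record: dict, claimed: dict,
           signed_declaration: bool = False) -> bool:
    """Apply the verification level the request type calls for."""
    needed, needs_declaration = REQUIRED[req_type]
    if needs_declaration and not signed_declaration:
        return False
    return count_matches(record, claimed) >= needed


if __name__ == "__main__":
    print(verify("categories", SAMPLE_RECORD, SAMPLE_CLAIM))             # True
    print(verify("specific_pieces", SAMPLE_RECORD, SAMPLE_CLAIM))        # False: no declaration
    print(verify("specific_pieces", SAMPLE_RECORD, SAMPLE_CLAIM, True))  # True
```

On a failed check, tell the requester only that the identity could not be verified; never echo the stored value or say which field mismatched, since the request channel is exactly where an attacker would try to harvest another consumer's data. Account holders should instead authenticate to the existing account rather than supply data points.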

Authorized Agents

Consumers may designate agents to make requests on their behalf.

Requirement Details
Authorization Signed permission from consumer
Verification Business may verify both agent and consumer
Power of attorney Alternative to signed permission
Direct contact Business may contact consumer to confirm

Record Keeping Requirements

Requirement Details
What to track Request type, date, response time, outcome
Retention period 24 months minimum
Metrics disclosure Businesses that buy, receive, sell, or share PI of 10M+ consumers must publish annually
Metrics to publish Per request type: number received, number complied with in whole or in part, number denied, and the median or mean number of days taken to respond
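Deadline tracking for the Response Timeline table above and the annual metrics the Record Keeping table calls for, as one added example that is not code from the original page. It computes the 10-business-day confirmation date, the 45- or 90-calendar-day response date, flags late responses, and aggregates a constructed request log into per-type counts and median response days. Assumptions: only weekends are skipped when counting business days (holidays are not modelled); the log format and field names are hypothetical; the 15-business-day window for opt-out requests and the median-days metric come from the CCPA regulations rather than from the page.

```python
"""Deadline tracking for consumer requests and the annual metrics a large
business must publish.

Added example, not code from the original page. Assumptions: only weekends
are skipped when counting business days (holidays are not modelled); the log
format and field names are hypothetical; the 15-business-day opt-out window
and the median-days metric follow the CCPA regulations, not the page.
"""
from datetime import date, timedelta
from statistics import median

CONFIRM_BUSINESS_DAYS = 10    # acknowledge receipt
RESPOND_CALENDAR_DAYS = 45    # substantive response
EXTENDED_CALENDAR_DAYS = 90   # with a timely extension notice
OPT_OUT_BUSINESS_DAYS = 15    # opt-out of sale/sharing (regulations)


def add_business_days(start: date, n: int) -> date:
    """Advance n Mon-Fri days; weekends skipped, holidays not modelled."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def deadlines(received: date, req_type: str, extended: bool = False) -> dict:
    """Dates by which each phase must be done for one request."""
    if req_type == "opt_out":
        # No 10-day confirmation step and no extension for opt-outs.
        return {"confirm_by": None,
                "respond_by": add_business_days(received, OPT_OUT_BUSINESS_DAYS)}
    window = EXTENDED_CALENDAR_DAYS if extended else RESPOND_CALENDAR_DAYS
    return {"confirm_by": add_business_days(received, CONFIRM_BUSINESS_DAYS),
            "respond_by": received + timedelta(days=window)}


def is_late(rec: dict) -> bool:
    due = deadlines(rec["received"], rec["type"], rec["extended"])["respond_by"]
    return rec["responded"] > due


def annual_metrics(log: list) -> dict:
    """Per request type: received, complied, complied in part, denied,
    median days to respond, and how many missed their deadline."""
    out = {}
    for rec in log:
        m = out.setdefault(rec["type"], {
            "received": 0, "complied": 0, "complied_in_part": 0,
            "denied": 0, "late": 0, "days": []})
        m["received"] += 1
        m[rec["outcome"]] += 1
        m["days"].append((rec["responded"] - rec["received"]).days)
        m["late"] += int(is_late(rec))
    for m in out.values():
        m["median_days"] = median(m.pop("days"))
    return out


# Constructed sample log (one reporting year); each entry is one request.
SAMPLE_LOG = [
    {"type": "know", "received": date(2024, 1, 8), "responded": date(2024, 2, 5),
     "outcome": "complied", "extended": False},
    {"type": "know", "received": date(2024, 3, 1), "responded": date(2024, 3, 20),
     "outcome": "denied", "extended": False},
    {"type": "delete", "received": date(2024, 4, 2), "responded": date(2024, 5, 10),
     "outcome": "complied_in_part", "extended": False},
    {"type": "delete", "received": date(2024, 6, 3), "responded": date(2024, 8, 20),
     "outcome": "complied", "extended": True},
    {"type": "delete", "received": date(2024, 9, 2), "responded": date(2024, 10, 25),
     "outcome": "complied", "extended": False},   # 53 days, no extension: late
    {"type": "opt_out", "received": date(2024, 7, 1), "responded": date(2024, 7, 9),
     "outcome": "complied", "extended": False},
]

if __name__ == "__main__":
    print(deadlines(date(2024, 1, 2), "know"))
    for req_type, m in annual_metrics(SAMPLE_LOG).items():
        print(req_type, m)
```

The "late" column is not one of the published metrics, but tracking it is what makes the 24-month log useful in an audit: the extension is only valid if the consumer was told of the delay and the reason within the original 45 days, so a record that is late without an extension flag is a compliance gap, not a reporting detail.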

Common Questions

Can a business deny a request?

Yes, in certain circumstances:

  • Cannot verify consumer identity
  • Request is manifestly unfounded or excessive
  • Exception applies (e.g., legal compliance)
  • Information falls under exemption (e.g., HIPAA data)

What if a consumer requests "everything"?

The right to know covers at least the 12 months preceding the request; for information collected on or after January 1, 2022, a consumer may ask for older data unless providing it would be impossible or involve disproportionate effort. For specific pieces requests, verify identity at the higher standard and provide the data in a portable format.

Must businesses keep data just to fulfill future requests?

No. Businesses are not required to retain data solely to respond to potential requests. If data has been deleted, they simply inform the consumer.

How Bastion Helps

Building compliant consumer rights processes requires systems, procedures, and trained personnel.

Challenge How We Help
Request intake Design and implement multi-channel intake systems
Verification processes Develop verification procedures matching request types
Response workflows Create efficient workflows meeting CCPA timelines
Training Staff training on handling consumer requests
Record keeping Systems for tracking requests and maintaining required records

Ready to build your consumer rights handling program? Talk to our team →

