In the modern economy, personal data is a highly lucrative corporate asset. For decades, tech conglomerates, data brokers, and retailers operated in an environment of total legal impunity, harvesting, analyzing, and selling consumer profiles without transparency or consent. The State of California fundamentally changed this dynamic with the passage of the California Consumer Privacy Act (CCPA).
At Law In California, we recognize the CCPA—and its subsequent expansion via the California Privacy Rights Act (CPRA)—as the most aggressive and comprehensive digital consumer protection framework in the United States. It grants California residents unprecedented control over their personal information and levies massive statutory fines against corporations that fail to secure or respect that data. This guide outlines your exact legal rights as a digital consumer and the mechanisms available to enforce them in 2026.
Who Must Comply? The CCPA Thresholds
It is important to understand that the CCPA does not apply to every small business or local mom-and-pop shop. The legislature designed the law to target entities that process data on a massive scale or generate significant profits from data brokering. According to the California Attorney General’s Office, a for-profit business doing business in California must comply with the CCPA if it meets any one of the following thresholds:
- Has a gross annual revenue of over $25 million.
- Buys, receives, or sells the personal information of 100,000 or more California residents, households, or devices annually.
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
If a business meets any of these criteria, it is legally bound by the California Civil Code to honor your digital rights, regardless of whether the business is headquartered in Silicon Valley or on the other side of the globe.
The 5 Fundamental Consumer Privacy Rights
The CCPA, bolstered by the CPRA amendments, establishes five core pillars of consumer control. A covered business must provide a clear, accessible way for consumers to exercise these rights, typically via a toll-free number or a prominent webpage link.
1. The Right to Know (Data Access)
You have the legal right to request that a business disclose the exact pieces of personal information they have collected about you over the past 12 months. Furthermore, you have the right to know the categories of sources from which that data was collected, the business purpose for collecting or selling it, and the categories of third parties with whom the business shared it. Upon receiving a “Verifiable Consumer Request,” the business has 45 days to provide this data to you free of charge.
2. The Right to Delete
If a business possesses your personal information, you have the right to demand its permanent deletion from their servers and the servers of their direct service providers. There are legal exceptions (e.g., if the business needs the data to complete a financial transaction, detect security incidents, or comply with a legal obligation), but the general rule is that your data must be destroyed upon request.
3. The Right to Opt-Out of Sale or Sharing
This is arguably the most recognizable mandate of the CCPA. Every covered business that sells or shares personal data for cross-context behavioral advertising must feature a clear, conspicuous link on their homepage reading: “Do Not Sell or Share My Personal Information.” Clicking this link legally bars the business from monetizing your data or feeding it into third-party ad networks.
4. The Right to Correct Inaccurate Information
This right was added by the CPRA. If you discover that a business holds inaccurate personal information about you, which could negatively impact your credit, insurance rates, or employment prospects, you have the right to demand that the business correct it based on documentation you provide.
5. The Right to Non-Discrimination
A business cannot legally retaliate against you for exercising your privacy rights. It cannot deny you goods or services, charge you higher prices, or provide a lower quality of service simply because you demanded that it delete or stop selling your data. (However, businesses are permitted to offer “financial incentives,” such as a loyalty discount, in exchange for the voluntary retention of your data.)
Editorial Integrity & Statutory Review
The consumer protection guides maintained within this hub are subject to rigorous quarterly reviews by the Law In California Editorial Board. We cross-reference all privacy statutes directly with the California Privacy Protection Agency (CPPA) and the state Civil Code to ensure consumers receive accurate, actionable legal intelligence.
Global Privacy Control (GPC) Signals
Under current California regulations, consumers are not required to manually click the “Do Not Sell” link on every single website they visit. The law requires covered businesses to respect Global Privacy Control (GPC) signals broadcast by the user’s web browser or browser extension. If your browser sends a GPC signal indicating that you wish to opt out of data tracking, the business must honor that signal as a valid, legally binding opt-out request.
Enforcement and the Private Right of Action
The enforcement mechanisms of the CCPA are divided into two distinct categories: Administrative Enforcement and the Consumer’s Private Right of Action.
Administrative Enforcement: General privacy violations—such as a business ignoring your request to delete data, failing to provide a “Do Not Sell” link, or hiding their privacy policy—are enforced exclusively by the California Attorney General and the newly established California Privacy Protection Agency (CPPA). These agencies can levy massive administrative fines of $2,500 per violation, or $7,500 per intentional violation (which multiplies rapidly when a business has thousands of users).
The Private Right of Action (Data Breaches): While consumers cannot sue a business directly for failing to delete their data, they can sue directly if their non-encrypted, non-redacted personal information is exposed in a data breach as a result of the business’s failure to implement reasonable security procedures.
This is a critical distinction. In standard civil law, a plaintiff must usually prove exact financial damages to win a lawsuit. However, the CCPA grants “Statutory Damages” for data breaches. If a company’s negligence results in your data being hacked, you can sue them for statutory damages between $100 and $750 per consumer, per incident, or actual damages, whichever is greater.
Because of these statutory damages, CCPA data breach class action lawsuits are incredibly potent. However, before filing a lawsuit, the consumer must provide the business with a 30-day written notice to “cure” the violation. If the business fails to secure the data and remedy the breach within those 30 days, the litigation can proceed. For smaller, individualized disputes involving actual financial damages resulting from a company’s negligence, consumers may also utilize the California Small Claims Court system to seek rapid restitution.
The CCPA has effectively shifted the balance of power back to the individual. By understanding these mandates and utilizing the legal mechanisms provided by the state, California residents can finally reclaim control over their digital footprint and hold negligent corporations financially accountable.