Everything you need to exercise your CCPA rights in 2020

News ¦ May 4th, 2020, 10:00 pm

To exercise your CCPA rights, you need to know what they are and how to use them. Here’s a quick guide on how to reclaim your privacy in 2020.

The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020. Businesses that are subject to the CCPA should have been complying with the new privacy law since then — even with everything going on in this first half of the year — as enforcement will not be delayed, according to the Attorney General. 

The CCPA grants these 5 new rights to California residents:

  • The right to access personal information that businesses collect about you. You have the right to request that businesses disclose what personal information is collected, used, shared, or sold about you. You may ask which specific pieces are collected, the categories of data, the reason this information is being collected or shared, the source, and the third parties with whom your information is shared. You also have a right to know whether your personal information is sold or disclosed and to whom.

  • The right to have your personal information deleted. You have the right to request that a business deletes your personal information, held by both the company and, by extension, the business’s service providers.

  • The right to say no to the sale of your personal information. You may direct a business to cease the sale of your personal information. As required by the law, companies who sell personal information must provide a “Do Not Sell My Info” link on their websites or mobile apps.

  • The right for minors to provide opt-in consent. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.

  • The right to equal service and price, even if you exercise your privacy rights. Businesses may not discriminate against you in terms of price or service when you exercise your privacy rights under CCPA.

Side note: If you don’t live in California, you may still benefit from the CCPA’s requirements. Businesses are now more transparent about what information they collect about you and why.

How can I figure out if a business needs to comply with the CCPA?

In some cases, it is hard to tell whether a business must comply with the CCPA because the criteria are based on pieces of information that are not publicly available. However, most big-name companies will fall under CCPA because of the criterion based on annual gross revenue.

If you are the curious and investigative sort, you can take a look at our resource base for more information on this topic.

How can I exercise my CCPA data rights?

Your right to know basic information about businesses’ data practices

Provided a company has complied with the CCPA, some of your rights can be exercised by simply reading through their privacy policy. An in-scope company must provide the following information in their privacy policy:

  • A summary of the consumer rights guaranteed in the CCPA

  • Separate lists: one list that describes the categories of information collected (including purposes for collection, sources, and categories of third parties shared with); a second list that describes the categories of information that were disclosed for a business purpose (including the categories of third parties the data was disclosed to); and, if applicable, a third list that describes the categories of information sold (including the categories of third parties this data was sold to). (AB-375 1798.130 (5) (B, C))

  • Whether or not the company sells personal information

  • If the company sells personal information, a statement about its collection of data from minors

  • The contact methods available to submit requests

Your right to know, access, delete, and opt-out

In order to exercise the rest of your rights, you need to submit a data subject request (DSR) to know, access, delete, or opt out of the sale of your data. Companies are required to provide a minimum of two methods for you to submit your requests easily, for instance via email, web form, or phone. Information on how you can submit a request has to be in a business’s privacy policy.

Companies that “sell” data are required to add a “Do Not Sell My Info” link on their homepage, which the CCPA defines as every page where the business collects data. These “Do Not Sell My Info” links are usually displayed at the bottom of the page. Click the link and follow the steps if you want companies to stop selling your data. (If there is no link at the bottom of the screen, the company might still provide a way to opt out of sales within its privacy policy.)

Businesses that are subject to the CCPA usually include a CCPA section in their privacy policy or add a separate privacy notice for Californian consumers. This notice includes information about what data is collected, the sources, purpose, and categories of third parties with whom the data is shared. For example, Apple has a of privacy disclosures per service.

…In case of a data breach

Under the CCPA, you have the right to institute a civil action if your personal information is subject to an unauthorized breach as a result of a business’s failure to reasonably secure your data. You can either file an action on your own or join a class action to recover your damages. You or your lawyer should notify the CA Attorney General Xavier Becerra within 30 days after filing the action.

Datawallet helps you get compliant with powerful out-of-the-box tools in a matter of minutes. We’ve got you covered with our intuitive Data Subject Request web form and DSR-handling workflows, our automated data-exploration and mapping tool, and our Consent Management Platform. If you want to jump right in, start your free trial of our easy-to-use compliance platform here.

Need something tailor-made for your organization? Contact us at
