Data Privacy Rights in California

Source: Federal: FTC Act § 5 (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1320d), COPPA (15 U.S.C. §§ 6501–6506), FERPA (20 U.S.C. § 1232g), GLBA (15 U.S.C. §§ 6801–6809). State: California Consumer Privacy Act/CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541).


Written in plain language for general understanding. This is educational content, not legal advice. Content is researched from federal statutes, state codes, and official government sources. Each article is reviewed for accuracy before publication.

Federal Law

What is this right?

The United States does not have a single comprehensive federal data privacy law like the EU's GDPR. Instead, privacy is protected through a patchwork of federal sector-specific laws and an expanding number of state privacy laws. Several states — led by California — have passed comprehensive consumer privacy laws giving you the right to know what data companies collect about you, to delete it, and to opt out of its sale.

At the federal level, key privacy laws include HIPAA (health data), FERPA (education records), COPPA (children under 13), GLBA (financial data), and the FTC Act (unfair or deceptive practices). For general consumer data — your browsing history, purchase history, location data, and online behavior — state laws provide the most protection.

When does it apply?

Your data privacy rights apply when:

  • A company collects, stores, or sells your personal data — including name, email, phone, location, browsing history, and purchase history
  • You want to know what data a company has about you
  • You want a company to delete your personal data
  • You want to opt out of the sale or sharing of your personal data
  • A company experiences a data breach that exposes your information

State privacy laws (as of 2026):

  • California (CCPA/CPRA): The strongest state privacy law. Right to know, delete, opt out of sale/sharing, correct inaccurate data, and limit use of sensitive data. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from data sales. Enforced by the California Privacy Protection Agency.
  • Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and 10+ other states have passed comprehensive privacy laws with varying effective dates through 2026. Most include rights to access, delete, correct, and opt out.
  • States without privacy laws: If your state doesn't have a comprehensive privacy law, your primary protection is the FTC's authority to pursue "unfair or deceptive" data practices.

Common misconceptions:

  • "I have no privacy rights because there's no federal privacy law" — While there's no comprehensive federal law, sector-specific federal laws and state laws provide significant protections depending on the type of data and where you live.
  • "If a service is free, they can do anything with my data" — No. Companies must disclose their data practices in a privacy policy, and state laws may give you opt-out rights regardless of whether you paid for the service.
  • "Deleting my account deletes my data" — Not necessarily. Companies may retain data for legal or business reasons. Under state privacy laws, you can submit a specific deletion request that the company must honor.

What should you do?

Step 1: Check whether your state has a comprehensive privacy law. If you are in California, Colorado, Connecticut, Virginia, Texas, or one of the other states with privacy laws, you have specific rights you can exercise.

Step 2: Submit a data access request to any company you want to know about. Most companies have a "Privacy" or "Do Not Sell My Information" link in their website footer. California residents can use the phrase "right to know" in their request.

Step 3: Opt out of data sales. Under California law and similar state laws, companies must provide a clear mechanism to opt out. Look for "Do Not Sell or Share My Personal Information" links.

Step 4: If your data was exposed in a breach, check whether your state requires the company to notify you and offer credit monitoring. Most states have breach notification laws.

Step 5: File complaints with your state attorney general (most state privacy laws are enforced by the AG) or with the FTC at reportfraud.ftc.gov. California residents can also file with the California Privacy Protection Agency.

What should you NOT do?

Don't ignore data breach notifications. If a company tells you your data was compromised, take it seriously. Change passwords, enable two-factor authentication, and monitor your credit.

Don't accept cookies without thinking. Many websites use cookie banners that default to accepting all tracking. Choose "Reject All" or customize your settings to limit data collection.

Don't assume privacy policies protect you. Most privacy policies are written to maximize what the company can do with your data, not to protect you. Read the sections on data sharing, third parties, and your rights.

Don't pay for data removal services without researching them. Some data removal services charge fees for actions you can take yourself for free under state law. Submit your own requests first.

California Law

How California differs from federal law

California has the strongest state privacy law in the nation — the California Consumer Privacy Act as amended by the California Privacy Rights Act:

  • CCPA/CPRA (Cal. Civ. Code § 1798.100 et seq.): Gives California consumers the right to know what personal data businesses collect, the right to delete it, the right to correct inaccurate data, the right to opt out of the sale or sharing of personal data, and the right to limit the use of sensitive personal information.
  • California Privacy Protection Agency (CPPA): California created the first dedicated state privacy enforcement agency in the country. The CPPA issues regulations, investigates violations, and brings enforcement actions. Fines are up to $2,500 per violation or $7,500 per intentional violation.
  • Private right of action for data breaches (§ 1798.150): Consumers can sue businesses directly when their unencrypted personal information is exposed in a data breach due to the business's failure to maintain reasonable security. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
  • Data broker registration (SB 362, 2024): Data brokers must register with the CPPA and honor deletion requests through a centralized mechanism. California consumers can request all registered data brokers delete their information through a single portal.
  • Broad applicability: Applies to for-profit businesses that collect California residents' personal data and meet certain thresholds (annual revenue over $25 million, buy/sell data of 100,000+ consumers, or derive 50%+ of revenue from selling data).

Additional Steps in California

Submit data access, deletion, or opt-out requests directly to businesses (they must provide methods on their websites). File complaints with the California Privacy Protection Agency at cppa.ca.gov. For data breaches, consult a privacy attorney about your right to sue under § 1798.150. Use the CPPA data broker deletion portal for bulk deletion requests.

Relevant Law: Cal. Civ. Code § 1798.100 et seq. (CCPA/CPRA), Cal. Civ. Code § 1798.150 (private right of action for data breaches), SB 362 (2024 — Delete Act, data broker registration)

