California Privacy Laws: CCPA, CPRA & Your Rights in 2025

TempMailSpot Editorial Team
The complete guide to California privacy rights under CCPA and CPRA—know your rights and how to exercise them effectively.

If you live in California, you have a legal right to find out what a company knows about you, to make it delete that data, and to stop it from selling or sharing your information, including your email address. Those rights come from the California Consumer Privacy Act (CCPA), signed into law on June 28, 2018 and effective January 1, 2020, as amended by the California Privacy Rights Act (CPRA), which California voters approved as Proposition 24 in November 2020 and which took effect January 1, 2023.

This guide explains who the law covers, what each right does, and how to use them on a concrete target: your email address. It also covers what the law cannot do, which is where a privacy tactic like a disposable inbox earns its place. This is general information, not legal advice; for a specific situation, consult a California attorney.

Key takeaways

  • The CCPA (effective 2020), as amended by the CPRA (effective January 1, 2023), protects California residents only and applies to businesses that meet a revenue, data-volume, or data-revenue threshold.
  • Your email address is explicitly covered personal information, so the rights to know, delete, correct, opt out, and limit all apply to it.
  • Businesses must answer know/delete/correct requests within 45 days (one 45-day extension allowed) and opt-out/limit requests within 15 business days; they must also honor the Global Privacy Control browser signal.
  • The CCPA's private lawsuit is limited to breaches involving data like an email-plus-password; statutory damages run $107 to $799 per incident as of 2025, after a required 30-day notice.
  • The rights are reactive and have gaps (small businesses are exempt; resold data is gone), which is why a disposable inbox for low-stakes signups is a useful complement, not a legal cure-all.

Who the law covers (and who it does not)

The CCPA protects California residents. Under the statute, a "consumer" is defined as a natural person who is a California resident, not every U.S. consumer. If you live in Texas or New York, the CCPA is not your law (Texas has its own; see our Texas email privacy guide).

The law does not apply to every business, either. It governs for-profit businesses that do business in California and meet at least one of three thresholds:

Threshold | Trigger
Revenue | Annual gross revenue over $25 million
Volume | Buys, sells, or shares the personal information of 100,000+ consumers or households per year
Data-driven revenue | Derives 50% or more of annual revenue from selling or sharing personal information

The $25 million figure is the original statutory number and is adjusted for inflation. As of January 1, 2025, the revenue threshold is $26,625,000. The practical takeaway is that the small newsletter or hobby shop you handed your email to may fall below every threshold, in which case it owes you none of these rights. That gap is one reason prevention beats correction.

Why your email address is in scope

The CCPA defines personal information broadly as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household". An email address is explicitly listed as an example. So every right below applies to the address you used to sign up: the categories of data tied to it, who it was sold to, and a request to erase it. (Per [ccpa-official], the law grants Californians the right to delete personal data a business holds.)

Your rights, applied to your email address

The CCPA as amended by the CPRA gives California residents a set of consumer rights. Here is each one, and what it does for the email address a company holds.

Right to know (access)

You can ask a business to disclose the categories and specific pieces of personal information it has collected about you, the sources, the business purpose, and the third parties it shares with. You may make this request up to twice a year, free of charge, and the business must cover the 12-month period before your request. For your email, this is how you learn which data brokers or ad partners received it.

Right to delete

You can request that a business delete the personal information it holds about you, subject to limited exceptions (for example, completing a transaction you asked for, security, or a legal obligation). A valid deletion request reaches your email address and the profile attached to it.

Right to opt out of sale or sharing

You can direct a business not to sell or share your personal information with third parties. The CPRA extended this beyond outright "sales" to cover "sharing" for cross-context behavioral advertising, the engine that turns one signup into years of targeted mail.

Right to correct

Added by the CPRA effective January 1, 2023, you can ask a business to correct inaccurate personal information it holds about you.

Right to limit use of sensitive personal information

Also added by the CPRA, you can limit how a business uses sensitive categories of data. The statute's definition of sensitive personal information includes Social Security, driver's license, and passport numbers; account log-in or financial-account numbers combined with an access code; precise geolocation; racial or ethnic origin and religious beliefs; genetic and biometric data; health information; sex life or sexual orientation; and the contents of your mail, email, and text messages.

Right to non-discrimination

A business cannot deny you goods or services, charge a different price, or provide a different level or quality of service just because you exercised these rights. Exercising your right to delete should not get you locked out or upcharged.

How to exercise your rights: a step-by-step

Businesses must offer at least one designated method to submit requests (online-only businesses can use an email address). Here is a workable sequence.

  1. Find the request mechanism. Look for the "Privacy Policy" link and the "Do Not Sell or Share My Personal Information" link, which covered businesses must publish. Many also offer a "Limit the Use of My Sensitive Personal Information" link.
  2. State the right you are exercising. Be explicit: know, delete, correct, opt out, or limit. For a know/delete request, name the email address the account uses.
  3. Verify your identity. The business may ask you to confirm control of the account, usually by responding from, or to, the email on file.
  4. Track the clock. For know, delete, and correct requests, the business must respond within 45 calendar days of a verifiable request, extendable once by another 45 days when reasonably necessary. For opt-out and limit requests, the deadline is shorter: 15 business days.
  5. Escalate if ignored. If a business does not comply, you can file a complaint with the regulators (below).

Use the Global Privacy Control to opt out at scale

You do not have to click a "do not sell" link on every site. Businesses that handle online personal information must honor the Global Privacy Control (GPC) browser signal as a valid request to stop the sale or sharing of your data. Turn it on once (it is built into some browsers and available as an extension) and it broadcasts your opt-out automatically.

A note on data brokers

Under a separate California law (the Delete Act, or SB 362, not the CCPA itself), data brokers must register annually with the state privacy agency. Its Delete Request and Opt-out Platform (DROP) went live in January 2026 and is designed to let you direct every registered broker to delete your data with a single request; brokers must begin processing those requests at least every 45 days starting August 1, 2026. It is a useful complement to your CCPA rights, given that the broker economy is valued in the hundreds of billions of dollars (per [iapp-data-broker-study]).

Penalties, breaches, and what the law cannot do

The CCPA is enforced by two bodies. The California Attorney General has civil enforcement authority, and the CPRA established the California Privacy Protection Agency (CPPA), an independent agency governed by a five-member board. The CPPA began accepting consumer complaints on July 1, 2023 for violations occurring on or after that date; the two share jurisdiction.

Civil penalties

The familiar statutory caps are up to $2,500 per unintentional violation and up to $7,500 per intentional violation (and violations involving the data of consumers under 16 are treated as intentional). Those amounts are adjusted for inflation; as of January 1, 2025 they are $2,663 and $7,988 respectively. One change worth noting: the original CCPA gave businesses a 30-day window to cure a violation before the AG could act, but as of January 1, 2023 the CCPA no longer requires notice or an opportunity to cure before a regulatory enforcement action.

When your email is breached, you can sue

The CCPA includes a private right of action for data breaches under Civil Code §1798.150. It covers unauthorized access to nonencrypted, nonredacted personal information, and specifically names an email address in combination with a password or a security question and answer that would permit access to the account. You may recover the greater of actual damages or statutory damages, originally set at $100 to $750 per consumer per incident and CPI-adjusted to $107 to $799 as of January 1, 2025.

Be precise about the cure period, because two different rules get conflated. For this private breach lawsuit, you must give the business 30 days' written notice; if it actually cures the noticed violation and gives you an express written statement to that effect, no statutory-damages action may proceed (though bolting on security after a breach does not count as curing that breach). That 30-day cure is for private suits; it is the regulatory cure period that the CPRA removed.

The honest limits

These rights are real, but they are reactive. Requests can take 45 days, then another 45. Businesses below the thresholds owe you nothing. And nothing fully undoes data that has already changed hands: deletion stops future use, it does not retrieve copies a broker already resold. Concern about exactly this kind of exposure is widespread: 68% of internet users report being concerned about their online privacy (per [pew-privacy-survey-2023]).

That is the case for prevention. The address you never give out cannot be sold, leaked, or require a deletion request. For low-stakes signups (a trial, a download, a one-time discount), a disposable address sidesteps the whole cycle. A disposable inbox gives you a working address in seconds with a default 10-minute lifespan you can extend; new mail appears automatically (the inbox polls frequently at first, then eases off), and TempMailSpot can also send a confirmation reply with a CAPTCHA, where most rivals are receive-only. Using temp email is one privacy tactic alongside your statutory rights; it does not, on its own, guarantee anonymity or exempt anyone from any law. For the broader picture of how access, deletion, and opt-out rights apply to email across jurisdictions, see our pillar guide on privacy laws and your email rights. If you are based in Southern California, our Los Angeles privacy overview puts these rights in local context.

California gives residents some of the strongest data rights in the United States: know, delete, correct, opt out, and limit, all backed by two regulators and a private lawsuit for breaches involving your email and password. Use them. Submit requests in writing, name the email address on file, track the 45-day and 15-business-day clocks, and turn on the Global Privacy Control so your opt-out travels with you.

Then close the gap the law leaves open. Rights are reactive and slow, and the smallest businesses fall outside them entirely. For any signup you would not mourn, a disposable address keeps the data from being collected in the first place, the one outcome no deletion request can match. Combine the legal rights with the practical tactic, and you control both ends of the problem.

Sources

  1. California Attorney General, California Consumer Privacy Act (2020)
  2. Pew Research Center, How Americans View Data Privacy (2023)
  3. IAPP, The Data Broker Industry Report (2024)
  4. California Legislative Information, Bill Text - AB-375 Privacy: personal information: businesses (California Consumer Privacy Act of 2018) (2018)
  5. California Attorney General (oag.ca.gov), California Consumer Privacy Act (CCPA) (2026)
  6. California Privacy Protection Agency, About Us (2023)
  7. California Privacy Protection Agency, Frequently Asked Questions (FAQs) (2025)
  8. California Legislative Information, California Consumer Privacy Act of 2018, Civil Code Title 1.81.5 (2023)
  9. California Privacy Protection Agency, Updated Monetary Thresholds in CCPA (2025)
  10. California Privacy Protection Agency, California Privacy Protection Agency Announces 2025 Increases for CCPA Fines and Penalties (2024)
  11. California Legislative Information, Cal. Civ. Code 1798.150 (2023)
  12. California Privacy Protection Agency, Information for Data Brokers (2026)
