California Privacy Laws: CCPA, CPRA & Your Rights in 2025

Understanding CCPA and CPRA

**CCPA (California Consumer Privacy Act - 2020):**

The original landmark legislation established: - Right to know what data is collected - Right to delete personal information - Right to opt out of data sales - Right to non-discrimination for exercising rights

**CPRA (California Privacy Rights Act - 2023):**

CPRA amended and strengthened CCPA: - Created California Privacy Protection Agency - Added right to correction - Added right to limit sensitive data use - Strengthened opt-out rights for sharing (not just sales) - Extended protections to employee data

**Who Must Comply:**

Businesses must comply if they: - Have $25M+ annual gross revenue, OR - Buy, sell, or share data of 100,000+ Californians, OR - Derive 50%+ revenue from selling California consumer data

Many businesses exempt due to thresholds—another reason temp email is valuable.

Your California Privacy Rights

**Right to Know:**

You can request: - Categories of personal information collected - Specific pieces of personal information held - Sources of the information - Business purposes for collection - Third parties with whom data is shared

Businesses must respond within 45 days.

**Right to Delete:**

You can request deletion of personal information. Businesses must: - Delete from their records - Direct service providers to delete - Notify third parties to delete

Exceptions exist for legal obligations, security, and completing transactions.

**Right to Opt Out:**

"Do Not Sell or Share My Personal Information": - Must be honored for data sales - Extended by CPRA to data sharing - Applies to targeted advertising - Global Privacy Control (GPC) must be honored

**Right to Correct:**

Added by CPRA: - Request correction of inaccurate information - Business must make reasonable efforts - Can request documentation of correction

**Right to Limit Sensitive Data:**

Sensitive data includes: - Social Security numbers - Financial account information - Precise geolocation - Race, ethnicity, religion - Health information - Biometric data - Sexual orientation

You can limit use to what's necessary for the service.

Exercising Your Rights

**Finding Privacy Notices:**

Every covered business must have: - "Privacy Policy" link on their website - "Do Not Sell or Share My Personal Information" link - "Limit the Use of My Sensitive Personal Information" link

**Submitting Requests:**

Methods businesses must accept: - Toll-free phone number - Website form or email address - For online-only businesses, email is sufficient

**What to Include:**

Your request should specify: - Which right you're exercising - Your identity verification information - Specific data if requesting access

**Response Timeline:**

- Confirmation within 10 business days - Substantive response within 45 days - Can be extended 45 more days with notice

**If Denied:**

Businesses must explain denial reasons. You can: - Appeal to the business - File complaint with California Privacy Protection Agency - Seek legal remedies for violations

CCPA vs. Temp Email

**Why Use Both:**

| Scenario | CCPA/CPRA Approach | Temp Email Approach | |----------|-------------------|---------------------| | New service | Sign up, delete later | No data collected | | Untrusted site | Exercise rights later | No rights needed | | One-time use | Deletion request | Auto-expires | | Time to protection | 45 days | Immediate |

**CCPA Limitations:**

- Only applies to businesses above thresholds - Takes time to process requests - Enforcement is limited - Can't undo data already shared

**Temp Email Advantages:**

- Prevents collection entirely - Works with all businesses, any size - Immediate, guaranteed - No action required

**Best Strategy:**

- Temp email for exploration and new services - Real email for valuable ongoing services - Exercise CCPA rights for services with your real data - Regular privacy audits of your digital footprint

Common California Use Cases

**Tech Companies:**

Many headquartered in California—but temp email still useful: - Beta testing new apps - Signing up for trials - Accessing gated content - Avoiding marketing databases

**Retail:**

California retailers must comply, but: - Small businesses may be exempt - Data sharing happens fast - Prevention easier than deletion

Use temp email for: - First-time discount codes - Loyalty programs you're testing - Online marketplace signups

**Media:**

LA-based entertainment companies: - Streaming trials - Newsletter sampling - Event access - Contest entries

**Real Estate:**

California housing market generates email: - Zillow, Redfin, Trulia alerts - Agent follow-ups - Mortgage quotes - Moving services

California Privacy Protection Agency

**CPPA Overview:**

Created by CPRA to enforce California privacy law: - Issues regulations - Investigates complaints - Assesses fines - Provides consumer education

**Filing Complaints:**

If businesses don't comply: 1. Document your request and response 2. File complaint at cppa.ca.gov 3. Provide evidence of non-compliance 4. CPPA investigates

**Enforcement Powers:**

- Fines up to $2,500 per unintentional violation - Fines up to $7,500 per intentional violation - Fines up to $7,500 for violations involving minors - Additional penalties for continued non-compliance

**Private Right of Action:**

Limited to data breaches. For breaches, Californians can: - Sue directly (no need to go through CPPA) - Seek $100-$750 per incident - Recover actual damages if higher