CCPA Rights Every Business Must Honor
For years, businesses collected, sold, and shared consumer data with almost no obligation to disclose it. The California Consumer Privacy Act (CCPA) changed that — and the businesses that take it seriously are turning compliance into a competitive advantage.
Whether you're a franchise brand serving California customers or a SaaS platform with users across the state, these six rights define your legal obligations and your opportunity to build lasting consumer trust.
What Is the CCPA?
The California Consumer Privacy Act took effect in January 2020 and was significantly expanded by the California Privacy Rights Act (CPRA) in 2023. It gives California residents meaningful control over their personal information and places clear obligations on the businesses that collect it.
The CCPA applies to for-profit businesses that do business in California and meet at least one of these thresholds:
Annual gross revenue over $25 million
Buying, selling, or sharing the personal information of 100,000 or more consumers or households
Deriving 50% or more of annual revenue from selling consumers' personal information
That scope captures a wide range of companies — from national franchise brands to SaaS platforms serving California users.
Here are the six CCPA rights every consumer and business needs to understand.
The 6 CCPA Rights Explained
Right to Know
Consumers have the right to request details about what personal information a business has collected about them, where it came from, how it's being used, and whether it has been sold or disclosed to third parties.
In practice: A California resident signs up for a loyalty program and later wants to know exactly what data the brand collected — purchase history, location data, browsing behavior — and who received it. They submit a Right to Know request, and the business must respond within 45 calendar days.
For businesses: Maintain a clear, accessible privacy policy and a verified process to respond to consumer requests. You must disclose the categories of information collected, the purposes for collection, and the categories of third parties with whom data is shared.
Right to Delete
Consumers can request that a business delete the personal information it has collected about them. This right to delete applies to both the business itself and, in many cases, its service providers.
In practice: A former customer wants their account and associated data — email address, purchase history, payment information — fully removed from a company's systems after they stop using the service.
For businesses: Honor verified deletion requests within 45 days. Be aware of legal exceptions: data needed to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech may be retained. Document your exemption reasoning.
Right to Correct
If a business holds inaccurate personal information about a consumer, that consumer has the right to request a correction. This CPRA-added right closes a significant gap in the original CCPA.
In practice: A consumer notices their address is wrong in a company's records, causing them to miss important communications. They submit a correction request, and the business must update the record and notify any service providers that received the incorrect data.
For businesses: Build a correction workflow into your data management system. When a correction is made, it needs to flow downstream to third parties that received the inaccurate information.
Right to Opt-Out
Consumers have the right to direct a business to stop selling or sharing their personal information with third parties. This is one of the most commonly exercised CCPA rights — and one of the most visible compliance requirements.
In practice: A consumer notices targeted ads that seem to follow them across websites. They visit a company's privacy page, click “Do Not Sell or Share My Personal Information,” and opt out of data sharing for advertising purposes.
For businesses: The opt-out mechanism must be easy to find and easy to use. Most businesses place the opt-out link prominently in the footer of their website. The Global Privacy Control (GPC) browser signal must also be honored as a valid opt-out under California law.
Right to Limit
Consumers can restrict how a business uses or discloses their sensitive personal information. Sensitive categories under the CPRA include Social Security numbers, precise geolocation, financial account details, health information, race, ethnicity, and biometric data.
In practice: A consumer using a fitness app doesn't want their precise GPS location or health metrics sold to data brokers or used for advertising. They exercise their Right to Limit, restricting the business to using that data only to provide the service they signed up for.
For businesses: Offer a clear “Limit the Use of My Sensitive Personal Information” option, separate from general opt-out controls. Sensitive PI may only be used beyond service provision if the consumer explicitly opts in.
Right to Non-Discrimination
Businesses cannot penalize consumers for exercising any of their CCPA rights. That means no denying service, charging different prices, providing a lower quality of service, or suggesting that any of these consequences will follow.
In practice: A consumer opts out of data selling. The business cannot respond by removing their account, raising their subscription price, or downgrading their access.
For businesses: This right is often overlooked but carries real enforcement risk. Review your retention programs, pricing tiers, and loyalty structures to confirm that privacy choices don’t quietly disadvantage consumers who exercise their rights.
Why Compliance Is Good for Business
Privacy compliance isn’t just about avoiding enforcement actions from the California Privacy Protection Agency (CPPA) — though fines of up to $7,500 per intentional violation are a real risk. Businesses that make it easy for consumers to understand and exercise their rights build measurable trust.
In an era where data breaches and privacy scandals regularly make headlines, a clear, accessible privacy program is a competitive differentiator. Franchise brands serving California customers have an especially strong incentive: one non-compliant location or one undisclosed data flow can create liability across the entire organization.
Honoring CCPA rights also prepares businesses for the expanding patchwork of state privacy laws now active in Virginia, Colorado, Texas, and beyond. The compliance infrastructure you build for California translates across jurisdictions.
Take Action
For franchise brands, now is the time to audit your data practices, verify your consumer request workflows, and confirm your privacy disclosures reflect what you actually do with data.
Understanding CCPA rights isn’t just a legal checkbox. It’s the foundation of a privacy-first relationship between businesses and the people they serve.