CCPA Primer

Lesson 4 | Data Subject Rights under CCPA

Download Lesson PDF

Data Subject Rights

Data subject rights are rights granted to individuals around collecting, using, and disclosing their personal information. CCPA creates several new classes of data subject rights that CA consumers can exercise and to which business must comply. The two-pronged goals of these rights are to 1) increase transparency of data collection practices and 2) enable consumers to limit their data that is collected, used, and sold.

Below are the data subject rights created by CCPA.


Consumers have the right to know the types of personal data that a business collects and how it is used. This right to notice is required before the company collects or uses personal information. Businesses are not allowed to collect additional personal information or use it for other purposes without first notifying consumers.


Consumers have the right to request and be granted access to the personal information that a business collects and retains about them. Presumably, because of the burden of these requests, businesses only need to provide personal information to individuals twice in 12 months.


Consumers have the right to request the deletion of their personal information. Businesses are obligated to delete personal information upon request and to direct service providers to delete personal data for the requesting consumer.

There are many exceptions in which a business does not have to comply with deletion requests. Some of the more vague and interpretable exceptions include:

  • To enable solely internal uses that are reasonably aligned with consumer expectations based on the consumer’s relationship with the business.
  • Otherwise, use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided it.


Consumers have the right to request their personal information in a format that is readily usable. The intent is to enable the consumer to move data from one business to another.


Consumers have the right to request a listing of the disclosures of their personal information to 3rd parties. This information should include the data that was disclosed and the purpose to which it was disclosed.


Consumers have the right to opt-out of the sale of their personal information. Businesses that sell personal information to third parties must have a link on their homepage that reads “Do Not Sell My Personal Information.”

Rights for Minors

Minors are afforded slightly different rights under CCPA. For minors under 13, parents or guardians must opt-in to personal data collection. For minutes aged 13-16, the minor has to opt-in.