We all understand that privacy is a thing of the past – after all, we enter our credit card numbers and other personal information multiple times each month, often without giving it a second thought. Still, most people would be shocked to learn just how much information companies have about us.

California residents have a greater right to data privacy than ever before as of January 1, 2020 thanks to the California Consumer Privacy Act. The law, passed in June 2018, gives California consumers the right to know what information a company has saved on them and the ability to prevent that information from being collected. The law also gives you the power to sue companies for violations of your privacy rights.

Here’s what you need to know.

California Consumer Privacy Act provides extensive rights

In broad terms, the CCPA gives you the following rights as a consumer:

  • The right to know what personal information a company is collecting, using, sharing, or selling.
  • The right to receive a comprehensive report showing the type of information a company has, whether that information was sold, and to whom.
  • If a business has sold any of your information to third parties within the past 12 months, you have a right to know the names and addresses of third parties that received the information.
  • The right to demand that businesses delete your personal information.
  • The right to demand that a business stop sharing or selling your information. Businesses aren’t allowed to sell personal information of children under age 16 without specific authorization to do so. For children under 13 years old, only the parent may give that permission.
  • The right to non-discrimination in terms of price or service when you exercise your privacy rights under CCPA.
  • The right to sue companies for money damages when they do not correct privacy violations after notice.

By providing you with a higher level of security and protection than any other U.S. law, the CCPA reflects the concern surrounding the need for online privacy. In fact, had the CCPA not been signed by June 29, 2018, a similar initiative would have appeared on the ballot in the November 2018 general election.

Types of personal information covered by the California Consumer Privacy Act

The law takes a wide view of what is considered to be personal information. Included in the definition are the following:

  • Personal identifiers such as:
    • Your real name
    • Any and all aliases by which you’ve been known
    • Your home and mailing addresses
    • Any unique personal identifiers
    • The IP addresses of your computers, laptops, mobile phones, and other Internet-connected devices
    • Email addresses
    • Account name and password
    • Social Security number
    • Driver’s license number
    • Passport number
    • Any other similar identifying information
  • Characteristics of protected classifications under California or federal law
  • Commercial information including:
    • Records of personal property
    • Records of products or services you’ve purchased, obtained or considered
    • Other purchasing or consuming histories or tendencies
  • Biometric information such as:
    • Fingerprints
    • Palm veins
    • Facial recognition information
    • DNA
    • Hand geometry
    • Iris recognition
    • Retina information
    • Odor/scent
    • Typing rhythm
    • Gait
    • Voice
  • Internet or other electronic network activity information such as:
    • Browsing history
    • Search history
    • Information regarding your interactions with a website, application or advertisement
  • Geolocation data
  • Information related to your profession or employment
  • Education information not considered to be publicly available personally identifiable information (PII) under federal law
  • Any inference that is drawn from any of the information and used to create a profile about you reflecting your preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes

Essentially, the law covers everything about you – who you are, what you’re about, what you like, where you are, and have been, and anything that could possibly identify you as you.

The CCPA applies to many businesses (but not all of them)

If a business serves California residents and has gross revenues of more than $25 million, it is required to comply with the law. Companies with less than $25 million in revenue are also subject to the California privacy laws if they:

  1. Have personal data on at least 50,000 people; or
  2. Collect more than half of their revenues from the sale of personal data.

The law also applies to companies headquartered outside of California or operating without a physical location in the state. In fact, companies that are based in other countries are required to comply with the CCPA.

How to get your information and request deletion

The law allows you to request a copy of your data, and demand that it be deleted. To do so, you’ll need to make separate requests to each company that has your information.

Many companies and websites have updated their privacy policies to includes directions, so spend some time reading those documents.

Some of the larger online companies have developed tools to help you access your information without filing a request:

How to demand that a company stop selling your information

You may also require that a business stop selling your data. Once again, you have to request that from each company that has it separately.

The process for asking a company to stop selling your data varies from site to site because it’s unclear as to what is considered a “sale” of personal information. Most large companies make the majority of their income through the sale of user information, so they probably want to increase barriers for you to opt-out.

Without a clear way to opt-out, consumers should make a written request and have their signature notarized. The letter should include as much identifying information as possible, and be sent by certified mail to the company’s headquarters.

What if a company violates your privacy rights?

The California Attorney General can assess civil penalties of up to $7,500 per record for violations that aren’t corrected within 30 days. None of that money goes into your pocket, nor are the penalties designed to compensate you for any violations.

The CCPA also allows you to sue for money damages if your sensitive personal information is exposed because of a failure to implement and maintain reasonable security procedures.

Even if you haven’t been damaged, the law allows California residents to recover statutory damages between $100 and $750 per incident. You’ll need to give the business thirty days’ notice of your intent to sue before filing a lawsuit for statutory damages. So long as the company responds within 30 days with an “express written statement,” demonstrating that the violation has been cured and won’t occur again, you can’t sue for statutory damages.

If you do file a lawsuit, you’re required to provide notice to the Attorney General within 30 days after filing. The Attorney General then has 30 days to notify you that they will prosecute the action or that you must not proceed with the case. If neither happens, you may continue with your lawsuit.

My best advice to California residents about their privacy rights

Privacy is dead, and has been for a long time. Websites track your physical location and your online habits. Your credit card information resides on thousands of data servers around the world.

If you don’t like it, you should live off the grid and communicate by handwritten letter or face-to-face. You should spend only cash, and eliminate all relationships with financial institutions.

You and I both know that’s not going to happen. We’re all willing to give up our privacy in exchange for free same-day shipping, late night food deliveries, and the ability to use Facebook, Instagram, LinkedIn, Snap and TikTok without spending any money. Privacy is the currency we use to buy those conveniences.

The issue, then, isn’t our privacy – it’s the fact that we should each remain in control over the information we disclose. To do that, we all need to pay a little more attention.

Log out of your accounts when you stand up from the computer – even if it’s your own machine.

Learn how to clear your browser cache.

Use a VPN when engaging in financial transactions or using a public wifi network.

Turn on 2-factor authorization whenever possible.

Use a password manager like 1Password.

Whenever there’s a data breach, change your login information and review your credit reports to make sure you haven’t been the victim of identity theft.


Meet Jay

Since I became a lawyer in 1995, I’ve represented people with problems involving student loans, consumer debts, mortgage foreclosures, collection abuse, and credit reports. Instead of gatekeeping my knowledge, I make as much of it available at no cost as possible on this site and my other social channels. I wrote every word on this site.

I’ve helped thousands of federal and private student loan borrowers lower their payments, negotiate settlements, get out of default and qualify for loan forgiveness programs. My practice includes defending student loan lawsuits filed by companies such as Navient and National Collegiate Student Loan Trust. In addition, I’ve represented thousands of individuals and families in Chapter 7 and Chapter 13 bankruptcy cases. I currently focus my law practice solely on student loan issues.

I played a central role in developing the Student Loan Law Workshop, where I helped to train over 350 lawyers on how to help people with student loan problems. I’ve spoken at events held by the National Association of Consumer Bankruptcy Attorneys, National Association of Consumer Advocates, and bar associations around the country. National news outlets regularly look to me for my insights on student loans and consumer debt issues.

I’m licensed to practice law in New York and California and advise federal student loan borrowers nationwide.