Frequently Asked Questions (FAQs)
The California Privacy Protection Agency’s (Agency) mission is to protect consumer privacy, ensure businesses and consumers are well‐informed about their rights and obligations, and vigorously enforce the California Consumer Privacy Act (CCPA).
These FAQs provide information about the Agency and the CCPA, the rights consumers have under the CCPA, and how to exercise these rights. The FAQs also provide information about the Agency’s rulemaking process to adopt regulations to implement the CCPA.
These FAQs are not legal advice, regulatory guidance, or an opinion of the California Privacy Protection Agency, nor do they implement, interpret, or make specific any law or regulation. We will update this information periodically.
General Information about the CCPA
The California Consumer Privacy Act of 2018 gives consumers certain rights over the personal information businesses collect about them and requires businesses to inform consumers about how they collect, use, and retain their personal information. This landmark legislation was the first comprehensive consumer privacy law passed in the United States.
In 2020, California voters approved Proposition 24, the California Privacy Rights Act. The CPRA amended the CCPA by adding additional consumer privacy rights and obligations for businesses. It also established this Agency and tasked it with responsibilities including implementing and enforcing the law and educating the public on their rights and obligations under the law. The CPRA amended the CCPA; it did not create a separate, new law. As a result, the Agency typically refers to the law as “CCPA” or “CCPA, as amended.” The CPRA amendments to the CCPA went into effect on January 1, 2023.
As of January 1, 2023, California residents have the following rights:
- L – Right to LIMIT the use and disclosure of sensitive personal information collected about them.
- O – Right to OPT-OUT of the sale of their personal information and the right to opt-out of the sharing of their personal information for cross-context behavioral advertising.
- C – Right to CORRECT inaccurate personal information that businesses have about them.
- K – Right to KNOW what personal information businesses have collected about them and how they use and share it.
- E – Right to EQUAL treatment. Businesses cannot discriminate against consumers for exercising their CCPA rights.
- D – Right to DELETE personal information businesses have collected from them (subject to some exceptions).
Businesses that are subject to the CCPA must honor these rights and provide methods by which consumers can exercise these rights. They must also comply with the law’s purpose limitation and data minimization rules. This means businesses must limit the collection, use, and retention of your personal information to only those purposes that: (1) a consumer would reasonably expect, (2) are compatible with the consumer’s expectations and disclosed to the consumer, or (3) purposes that the consumer agreed to, as long as the consent given wasn’t obtained through dark patterns. For all of these purposes, the business’ collection, use, and retention of the consumer’s information must be reasonably necessary and proportionate to serve those purposes.
Businesses also have additional responsibilities, including making certain disclosures to consumers about their privacy practices, such as posting a privacy policy.
The California Privacy Protection Agency was created to protect Californians’ consumer privacy. Established in 2020 by Proposition 24, the Agency is governed by a five-member board. The Agency implements and enforces the CCPA, and has several responsibilities, including:
- Promoting public awareness of consumers’ rights and businesses’ responsibilities under the CCPA.
- Adopting regulations in furtherance of the CCPA. The Agency may issue regulations to achieve the CCPA’s goals, including rules that implement consumers' rights and the responsibilities of business(es) with the goal of strengthening consumer privacy.
- Enforcing the CCPA. The Agency is tasked with enforcing the CCPA through administrative enforcement actions. It can investigate possible violations, audit businesses to ensure compliance with the CCPA, and bring enforcement actions.
- Cooperating with other agencies with jurisdiction over privacy laws and with data processing authorities in California, other states, territories, and countries to ensure consistent application of privacy protections.
- Providing technical assistance and advice to the Legislature with respect to privacy-related legislation.
The CCPA provides privacy rights to California residents. A California resident is a person (not a corporation or other business entity) who resides in California, even if the person is temporarily outside of the state. It includes California residents that are employees or job applicants, and contacts for business customers, vendors, or independent contractors. For more information about the rights California residents have under the CCPA, see For California Residents section.
The CCPA applies to for-profit businesses that collect consumers’ personal information (or have others collect personal information for them), determine why and how the information will be processed, do business in California, and meet any of the following thresholds:
- Have a gross annual revenue of over $25 million for the preceding calendar year;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.
The CCPA also applies to some entities controlled by these businesses, certain joint ventures or partnerships made up of these businesses, and those persons that voluntarily certify to be subject to the CCPA.
Additionally, the CCPA imposes separate obligations on service providers and contractors (who contract with businesses to process personal information) and other recipients of personal information from businesses.
The CCPA does not generally apply to nonprofit organizations or government agencies.
For more information about businesses' obligations under the CCPA, see For Businesses section.
Personal information is information that identifies, relates to, or could reasonably be linked to a particular consumer or household. For example, it could include a consumer’s name, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences about the consumer’s preferences and characteristics.
Personal information includes sensitive personal information, which is a term used to describe certain kinds of personal information that are more sensitive in nature. For example, sensitive personal information includes things like social security numbers and driver’s license numbers; information that would allow someone to access your financial account or other kind of account; your precise geolocation; the contents of your mail, email, and text messages; genetic data; biometric information used to identify a consumer; or information about a consumer’s health, sex life, sexual orientation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership. Consumers have the right to limit a business’s use and disclosure of their sensitive personal information.
Personal information does not include publicly available information. The definition of publicly available information includes information a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or certain information disclosed by a consumer and made available if the consumer has not restricted the information to a specific audience.
You can find a copy of the California Consumer Privacy Act, as amended, as well as information regarding the purpose and intent of the law, on our Law & Regulations page.
The Office of the Attorney General also provides information about the CCPA, how consumers can exercise their rights and file complaints, and information about other California privacy laws.
For California Residents
The CCPA provides California residents with six major privacy rights. Learn how to exercise those rights here.
- L – Right to LIMIT the use and disclosure of sensitive personal information: You can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, precise geolocation data, or genetic data) for limited purposes, such as providing you with the services you requested.
- O – Right to OPT-OUT of sale or sharing: You may request businesses stop selling or sharing (for cross-context behavioral advertising) your personal information (“opt-out”), including through a user-enabled opt-out preference signal. Businesses cannot sell or share your personal information after they receive your request to opt-out of sale/sharing unless you later consent to the sale or sharing of your personal information.
- C – Right to CORRECT: You may ask businesses to correct inaccurate information they have about you.
- K – Right to KNOW: You can request a business disclose to you: (1) the categories and/or specific pieces of personal information they have collected about you, (2) the categories of sources for that personal information, for example if the business obtained the information from a data broker, (3) the purposes for which the business uses that information, (4) the categories of third parties with whom the business discloses the information, and (5) the categories of information the business sells or discloses to third parties. You can make a request to know up to twice a year, free of charge.
- E – Right to EQUAL treatment: Businesses cannot discriminate against consumers for exercising their CCPA rights.
- D – Right to DELETE: You can request businesses delete personal information they collected from you and tell their service providers to do the same. Some exceptions apply, such as if the business is legally required to keep the information.
The CCPA also gives you the right to be notified of the types of personal information a business is collecting and what they may do with the information. Businesses cannot make you waive these rights, and any contract provision that says you waived these rights is unenforceable.
Delete, Correct, or Know: Review the business’s privacy policy, which must include instructions on how you can submit your request. Businesses must generally designate at least two methods for you to submit your requests to delete, correct, or know your personal information — for example, an email address, website form, or hard copy form. One of those methods has to be a toll-free phone number and, if the business has a website, one of those methods has to be through its website. However, if a business operates exclusively online, it only needs to provide an email address for submitting requests. Make sure you submit your request to delete, correct or know through one of the business’s designated methods, which may be different from its normal customer service contact information.
Opt-out of sale or sharing: Businesses must honor opt-out preference signals (“OOPS”) that meet certain requirements, such as the Global Privacy Control, as a valid request to opt-out of sale/sharing. An opt-out preference signal is a simple way to opt-out of the sale or sharing of personal information. For example, an OOPS may be a setting on your internet browser or a browser extension that automatically sends your choice to opt-out of sale/sharing of your personal information to covered businesses you visit online. In most instances, businesses must also provide a clear and conspicuous link on their websites labeled “Do Not Sell or Share My Personal Information,” “Your Privacy Choices,” or “Your California Privacy Choices” in the footer or header of their website. The link must allow you to individually exercise your right to opt-out of sale/sharing with that business.
Limit use and disclosure of sensitive personal information: Businesses that use or disclose your sensitive personal information for purposes outside those provided for in the statute must provide a clear and conspicuous link on their websites labeled “Limit the Use of My Sensitive Personal Information,” “Your Privacy Choices,” or “Your California Privacy Choices” in the footer or header of their website. The link must allow the visitor to individually exercise the right to limit the use and disclosure of sensitive personal information.
Businesses subject to the right to opt-out of sale/sharing and the right to limit are also required to include information about how to exercise those rights in their privacy policy. If it is difficult to find or use the business’s methods for submitting CCPA requests, you should notify the business through the contact information provided in their privacy policy. You can also file a complaint with the Agency.
Delete, Correct, or Know: Businesses must confirm receipt of your request within 10 business days and must substantively respond to your request to delete, correct, or know your personal information within 45 calendar days. They can extend the deadline by another 45 days (90 days total) if they notify you.
Opt-out of Sale/Sharing, Limit the Use of Sensitive Personal Information: Businesses must comply with your request as soon as feasibly possible, up to a maximum of 15 business days from the date they received your request.
In some instances, a business may deny your request to delete, correct, know, opt-out of sale/sharing, or limit:
Delete: Common reasons why businesses may deny your request to delete your personal information include:
- The information was not collected directly from you. Businesses are required to delete personal information they have collected from you, and in some instances, personal information that was collected about you from other sources. However, even if a business denies your request to delete, if they sell or share your personal information, they must inform you of your right to opt-out of the sale or sharing of your personal information.
- The business cannot verify your identity to complete your request.
- The information falls within certain exceptions provided for in the law, which include:
- The business needs your information to complete your transaction, provide a reasonably anticipated product or service, for certain warranty and product recall purposes, or for certain business security practices.
- The business needs your information for certain internal uses that are compatible with reasonable consumer expectations or the context in which the information was provided.
- To comply with legal obligations, exercise legal claims or rights, or defend legal claims.
- The information is publicly available information, certain medical information, consumer credit reporting information, or other type of information exempt from the CCPA.
Correct: Common reasons why businesses may deny your request to correct your personal information include:
- The business has determined that, based on the totality of the circumstances (e.g. documentation, nature of the personal information, etc.), the information is more likely than not accurate.
- The business cannot verify your identity to complete your request.
- The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.
Know: Common reasons why businesses may deny your request to know your personal information include:
- The business cannot verify your identity to complete your request.
- The business has already provided personal information to you more than twice in a 12-month period, or the request is manifestly unfounded or excessive.
- Businesses cannot disclose certain sensitive information, such as your social security number, financial account number, or account passwords, but they must tell you if they’re collecting that type of information.
- Disclosure would restrict the business’s ability to comply with legal obligations, exercise legal claims or rights, or defend legal claims.
- The information is publicly available information, certain medical information, consumer credit reporting information, or other types of information exempt from the CCPA.
Opt-out of sale or sharing of personal information: Common reasons why businesses may deny your request to opt-out of the sale or sharing of your personal information include:
- The business does not sell or share personal information. For example, a business’s disclosure of personal information at your direction, is not considered a sale of personal information.
- The information is publicly available information, certain medical information, consumer credit reporting information, or other type of information exempt from the CCPA.
- The business believes the request is fraudulent and provides an explanation as to why the request is fraudulent.
Limit use and disclosure of sensitive personal information: Common reasons why businesses may deny your request to limit the use and disclosure of your sensitive personal information include:
- The business is only using or disclosing your sensitive personal information for purposes that are allowed by the statute, which include:
- Performing services or providing goods that you reasonably expect.
- Preventing security incidents, resisting deceptive, fraudulent, or illegal activities, and ensuring the physical safety of natural persons.
- Performing services on behalf of the business, like maintaining or service accounts, providing customer service, verifying customer information, providing storage, etc.
- Short-term, transient use of the information, including for nonpersonalized advertising, subject to certain requirements.
- Verifying, maintaining, or improving the quality or safety of a product, service, or device.
- Comply with legal obligations, exercise legal claims or rights, or defend legal claims.
- The information is publicly available information, certain medical information, consumer credit reporting information, or other type of information exempt from the CCPA.
- The business believes the request is fraudulent and provides an explanation as to why the request is fraudulent.
If you do not know why a business denied your request, follow up with the business to ask for its reasons.
Data brokers are businesses that collect and sell the personal information of consumers with whom they do not have a direct relationship. California law requires data brokers to register with the Data Broker Registry and provide information to help you exercise your CCPA rights.
Beginning on January 1, 2024, the Agency will take over the management of the Data Broker Registry. The Agency is also tasked with establishing by January 1, 2026 a deletion mechanism that allows consumers to request from all data brokers the deletion of all personal information related to the consumer through a single deletion request. More information about the Data Broker Registry and the deletion mechanism can be found in this announcement.
Businesses subject to the CCPA are required to post their privacy policy through a link using the word “privacy” on their homepage and other webpages. A link can usually be found at the bottom of a business’s website. For mobile apps, a link to the privacy policy should also be available on the download page for the app or in the app’s settings menu.
If you believe a business, service provider, third-party, or contractor has violated the CCPA, you can submit a complaint. You can also file a consumer complaint with the Office of the Attorney General.
You cannot sue businesses for most CCPA violations. However, you can sue a business under the CCPA if there is a data breach. View more information about the types of data breaches for which you currently can sue a business under the CCPA.
For Businesses
No. The exemptions for employment-related personal information and personal information reflecting business-to-business transactions described in Civil Code Sec. 1798.145(m)-(n) expired on December 31, 2022.
Please see the response to "Who must comply with the CCPA?".
Filing a Complaint with the CPPA
While the Agency does not represent individual consumers and cannot act as your attorney, every complaint we receive provides insights into privacy problems that people are experiencing in California and helps us identify trends. Information from the public is vital in documenting those trends and, when appropriate, pursuing inquiries, sweeps, and investigations on behalf of the public.
If you believe a business, service provider, third-party, or contractor has violated the CCPA, you can submit a complaint.
You can also file a paper complaint by printing and filling out this form and mailing the complaint to the address listed on the form.
The Agency accepts sworn and unsworn complaints. Unsworn complaints can be filed anonymously but sworn complaints must attest to the truth of allegations under penalty of perjury in a court of law. See 11 CCR § 7300. Thus, sworn complaints require the following information:
- The name of the business, service provider, contractor, or person who allegedly violated the CCPA.
- Facts that support each alleged violation.
- Identification of documents or other evidence that support your allegations.
- Authorization for the Agency to communicate with the alleged violator regarding the complaint.
- The name and contact information of the complainant.
The Agency enforces the California Consumer Privacy Act (CCPA) and its regulations. It works on behalf of all Californians and does not represent individuals. If you have a complaint related to something other than consumer privacy, please report your issue through the California Department of Justice’s complaint system.
A helpful complaint provides all the information the Agency needs to evaluate whether a violation of the CCPA has occurred. It answers the following questions:
- Does the complaint involve a “consumer,” or in other
words a California resident?
The CCPA gives rights to natural persons who are California residents (see “Who has privacy rights under the CCPA?”). The person writing the complaint should ensure they believe the rights of California residents have been violated. - Who is the complaint about? Does it involve a person or
entity that is required to comply with the CCPA (e.g., a “business,” “service provider,”
“contractor,” or “third party”)?
The CCPA applies to businesses, service providers, contractors, and third parties as those terms are defined in Civil Code § 1798.140 (see “Who must comply with the CCPA?”). Different entities may have different obligations under the CCPA, and thus, a helpful complaint clearly identifies the person or entity that has allegedly violated the law. - Which part of the CCPA and/or its regulations have been
violated, and how?
The CCPA provides consumers with several different rights (see “What rights do I have under the CCPA?”) and places certain obligations on businesses and other entities. A helpful complaint clearly identifies which right(s) or other obligation(s) have been violated and includes specific facts and details that would help someone who was not involved understand exactly what happened. - When did the alleged violation occur?
The Agency may not enforce a violation that occurred more than five (5) years ago. Thus, a helpful compliant identifies the date(s), time(s), and year when the violation occurred. - What evidence do you have to support your claim? Are
there any documents or witnesses that will support your allegations?
A helpful complaint identifies all the documents that would support their claim, such as emails with the business or other documents with the business in question. It also identifies witnesses that can support their claims, as well as any others who have been affected by the violation, including minor children, other family members, members of the public, a business, or a specific group.
Examples:
A helpful complaint might say something like: “I submitted a request to delete my personal information to [Company] on [date] through their online portal that is found in their privacy policy: https://company.com/privacypolicy. They sent me an email acknowledging my request, which is pasted below, and stated they will delete my account. However, when I went to log into my account on [date], 2 months after my request, my account was still active, and I can still see the content I asked them to delete.”
A less helpful complaint might say something like: “[Company] isn’t deleting my information.” This provides the Agency some information but without the date, actions taken, and response from Company, it is difficult to know if Company violated the CCPA. The Company may not have deleted your information for any number of legal reasons (see “Why the businesses may deny your request”).
An unhelpful complaint might say something like: “I used an Internet Search Engine to search for my name and I can see my sensitive personal information posted on the internet.” This isn’t helpful because it doesn’t identify the Company posting the information. In addition, the Agency may not be able to replicate the action because search engines often personalize searches. In other words, the Agency’s search may show different results than the complainant’s search. In addition, the Search Engine may not be using or disclosing your sensitive personal information in a way that violates the CCPA.
A more helpful complaint might say something like: “I ran the following search [specific words searched for] using [internet search engine] on [date]. The results of the search list included the following website [include link], which listed the personal information about me pasted below. I made a deletion request on [date], but it’s been 2 months and the information is still on the website.”
Agency staff reads and reviews all complaints. The Agency is not required to take any action on your complaint, though it may choose to do so. In response to your complaint, the Agency may:
- Contact you for more information or evidence.
- Contact the business, contractor, third-party, service provider, or person involved in the complaint.
- Start an inquiry.
- Start an investigation.
- Conduct an audit.
- Use the information provided to inform the Agency’s work.
- Refer your complaint to a different agency (for example, the California Department of Justice).
- Bring an enforcement action.
Your complaint may be used to broadly monitor industry compliance or to inform an enforcement action. Investigations are generally confidential unless and until a matter becomes public through an enforcement action. The Agency does not represent individual consumers and cannot act as your attorney.
File a complaint with the authority in your jurisdiction, such as the Attorney General in your state.
File a complaint with the Federal Trade Commission (“FTC”). The FTC enforces federal consumer protection laws that prevent fraud, deception, and unfair business practices, which can include certain types of privacy violations.
Yes. You can file an unsworn complaint anonymously, but this means that we will not be able to follow up with you regarding the complaint.
Regulations
The Agency’s rulemaking authority is broad and inclusive of various topics, including regulations that further the purposes and intent of the CCPA. The Agency’s work on drafting and/or assessing the need for regulations on other topics is ongoing. The “Law & Regulations” page includes information on the Agency’s current and completed rulemaking activities.
Subscribing to the Agency's rulemaking email list is the best way to keep up with the Agency’s rulemaking activities, to be notified of opportunities to provide comment, and to learn when proposed regulations will go into effect. If you would like to receive notifications regarding rulemaking activities, please subscribe here.
The Agency’s pre-rulemaking activities on automated decision making, risk assessments, and cybersecurity audits are ongoing.
On February 10, 2023, the Agency issued an Invitation for Preliminary Comments on Proposed Rulemaking on the following topics: cybersecurity audits, risk assessments, and automated decision-making technology. The public provided preliminary written comments to the Agency from February 10, 2023 through March 27, 2023. More information, including a copy of the invitation are available here.
The Board discussed these topics, including draft language for potential regulations, during its May 15, July 14, and September 8, 2023 meetings. The Board will continue to deliberate on draft language for these regulations during upcoming meetings. Meeting agendas and records for past and upcoming Board meetings can be found in Meetings and Events Schedule.
Regulations concerning cybersecurity audits, risk assessments, and automated decision-making technology will not take effect or be enforced by the Agency until adopted by the Board in compliance with the Administrative Procedures Act and approved by the Office of Administrative Law. Subscribing to our email list is the best way to keep up with the Agency’s rulemaking activities and to be notified of opportunities to provide comment. If you would like to receive notifications regarding rulemaking activities, please subscribe here.
When Proposition 24 created the Agency, it established its governance by a five-member Board. The Board holds rulemaking authority and must make decisions about the rulemaking process in compliance with the Bagley-Keene Open Meeting Act. This means that when the Board decides to being the formal rulemaking process, it must do so during a public meeting. The Bagley-Keene Open Meeting Act requires the Agency to post notice of any Board meeting on its website at least 10 days in advance, with notice including the specific agenda for the meeting and a brief description of the items to be discussed. Any writings, that relate to an item to be discussed by the Board at a public meeting, such as draft proposed regulations, must also be made available to the public.
To start the formal rulemaking process under the California's Administrative Procedures Act (APA), the Agency publishes a Notice of Proposed Rulemaking Action (NOPA), the text of the proposed regulations, and an initial statement of reasons (ISOR) describing the reasons for the draft proposed regulations. The NOPA is posted on the Agency’s website and published in the California Regulatory Notice Register, which marks the first day that formal rulemaking begins.
The NOPA sets forth instructions on how the public may submit written comments on the proposed regulations. The APA requires at least a 45-day comment period, which starts when the NOPA is published. The Agency may also hold a public hearing at the end of the written comment period where people can make oral comments in person. Details regarding any public hearing would also be included in the NOPA. You can also find tips for submitting effective public comment.
If the Agency makes any substantive changes to the proposed regulations after the initial comment period, the Agency must give the public an additional 15 days to provide comments on the proposed modifications. The Agency is required to summarize and respond to every public comment in its Final Statement of Reasons (FSOR), which accompanies the text of the final regulations in a package submitted to the Office of Administrative Law. If you would like to receive notifications regarding rulemaking activities, please subscribe to our mailing list.
Subscribing to our email list is the best way to keep up with the Agency’s rulemaking activities and to be notified of opportunities to provide comment. If you would like to receive notifications regarding rulemaking activities, please subscribe here.
More information about the Agency’s current and completed rulemaking activities can be found here.
Data Broker Registry & Deletion Mechanism
A data broker is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.
It does not include an entity to the extent that it is covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, the Confidentiality of Medical Information Act, and the Health Insurance Portability and Accountability Act.
On October 10, 2023, the Governor signed Senate Bill 362 into law. The law tasks the Agency with establishing, by January 1 2026, a deletion mechanism that allows consumers to request from all data brokers the deletion of all non-exempt personal information related to the consumer through a single deletion request to the Agency.
The law also transferred the administration and enforcement of the Data Broker Registry from the Office of the Attorney General to the California Privacy Protection Agency (“Agency”) as of January 1, 2024. The Agency now maintains the Data Broker Registry and posts publicly the required information disclosed by data brokers.
A data broker that has not registered by the January 31 statutory deadline may be liable for civil penalties for each day the data broker fails to register. More specific information can be found at: https://cppa.ca.gov/data_brokers/.
Registration is complete on the date the registration form and annual fee are received by the Agency. Pursuant to SB 362, data brokers will be required to disclose additional information about the types of personal information they collect when registering.
Please complete the following steps to register:
- Add yourself to the data brokers mailing list and request a link to the registration form by emailing databrokers@cppa.ca.gov.
- Complete the registration form.
- Once you've completed the form. Follow the instructions that appear on the confirmation page after you've successfully submitted the form.
- Pay the registration fee, including associated third-party payment processing fees, if paying by credit card.
- Print the Invoice and keep a copy for your records.
More information can be found at: https://www.cppa.ca.gov/data_brokers
The Agency is tasked with establishing by January 1, 2026, a deletion mechanism that allows consumers to request from all data brokers the deletion of all non-exempt personal information related to the consumer through a single deletion request through the Agency.
The registry contains information about the data broker, including whether they collect consumer reproductive health care data or precise geolocation, or the personal information of minors. The registry also contains the physical address and website for the business, as well as the website where consumers may exercise their privacy rights.
More information for data brokers on how to register and other legal requirements can be found on the Data Brokers page.
A data broker must disclose the number of consumer requests they received in the previous calendar year on their website privacy policy by July 1st each year, and then report those same metrics each year they register with the Agency, as required by Civil Code §§ 1798.99.85 (a)(1)-(2).
The metrics include reporting on the number of consumer requests to delete personal information, access personal information, know what personal information is sold or shared and to whom it is sold or shared, opt-out of sale or sharing, and limit the use and disclosure of sensitive personal information. In addition, for each category of privacy rights requests, a data broker must report whether it complied in part or in whole with the request, and the median and mean number of days it took the business to respond to each type of request.
These metrics are reported during the data broker annual registration period (January 1-31 of each calendar year) and can be found on the Agency's data broker registry page.