CCPA Consumer Rights in 2026: Know, Delete, Opt-Out, and More
California consumers have five core rights under the California Consumer Privacy Act (CCPA) in 2026: the right to know what personal information businesses collect, the right to delete that information, the right to opt-out of its sale or sharing, the right to non-discrimination when exercising these rights, and the right to know about data sharing practices. These protections trace back to the CCPA, enacted in 2018 and effective from 2020, with key amendments from the California Privacy Rights Act (CPRA) that took effect January 1, 2023. They give residents greater control over their data [California Consumer Privacy Act (CCPA)] [TrustCloud].
A 2026 update could expand the right to know by revising the standard 12-month look-back period, though most sources stick to the 12-month standard [TrustCloud; Lathrop GPM; Bastion Tech]. Businesses need to build in mechanisms such as homepage links and Global Privacy Control (GPC) support to make these rights easier to use. This guide outlines steps for consumers to exercise their rights and timelines for businesses to stay compliant.
The Five Core CCPA Consumer Rights Explained
The CCPA provides California consumers with specific, enforceable rights over their personal information. Each one targets a different part of how businesses handle data.
The right to know lets consumers request details on the categories and specific pieces of personal information a business has collected about them over the 12 months before the request. Some 2026 regulations may extend this period beyond 12 months [TrustCloud; Lathrop GPM; Bastion Tech].
The right to delete allows consumers to direct businesses to delete their personal information, with exceptions for legal obligations, security, or internal operations [California Consumer Privacy Act (CCPA); Bastion Tech].
The right to opt-out of sale or sharing enables consumers to stop businesses from selling or sharing their personal information. Businesses must respect these choices and support tools like GPC. They also need to include a "Do Not Sell or Share My Personal Information" link--updated from the pre-CPRA "Do Not Sell My Personal Information" version--on the homepage and data collection pages. Responses must come within 15 business days or as soon as feasible, and businesses cannot ask for opt-back-in for 12 months [TrustCloud; CookieYes; Bastion Tech].
The right to non-discrimination shields consumers from retaliation, like higher prices or worse service, for using any CCPA right. Businesses cannot impose fees or offer unequal service or pricing [Bastion Tech].
The right to know about data sharing requires businesses to disclose if and with whom they share personal information, adding transparency to their practices [TrustCloud].
These rights cover California residents and focus on personal information managed by qualifying businesses.
How Businesses Must Respond to CCPA Rights Requests
Businesses must follow strict procedures for CCPA requests to give consumers reliable access and keep things efficient.
They confirm receipt of a request within 10 days and provide a full response within 45 days, with a possible 45-day extension if they notify the consumer ahead of time [California Consumer Privacy Act (CCPA); CookieYes].
For opt-out of sale or sharing requests, businesses act within 15 business days or as soon as feasible and put the preference in place right away. They also cannot request opt-back-in for 12 months after an opt-out [TrustCloud; Rumpl].
These timelines help ensure accountability and set clear expectations for consumers.
Exercising Your CCPA Rights: Step-by-Step Mechanisms
California consumers can use designated channels that businesses are required to offer.
Look for the "Do Not Sell or Share My Personal Information" link--or the pre-CPRA "Do Not Sell My Personal Information" version--on the business homepage and data collection pages. Clicking it sets an opt-out preference, often backed by GPC browser signals for automatic compliance [CookieYes; Bastion Tech].
For requests to know or delete:
- Find the request method (online form, email, toll-free number) in the business privacy policy.
- Submit verifiable details to confirm identity.
- Expect the 10-day confirmation, then the full response within 45 days (plus extension if notified).
- Use GPC to track opt-outs for ongoing protection.
Businesses must keep these mechanisms accessible to support smooth use of rights in 2026.
Choosing the Right CCPA Right for Your Situation
The best CCPA right depends on your main data concern--whether that's learning about collection practices, halting future sharing, or erasing existing data. This table compares the options:
| Right | Purpose | Best For | Timeline |
|---|---|---|---|
| Right to Know | Access categories/pieces of data collected | Understanding what data exists and sources | 45 days (+45 extension) |
| Right to Delete | Direct deletion of personal information (with exceptions) | Removing stored data permanently | 45 days (+45 extension) |
| Opt-Out of Sale/Sharing | Prevent sale or sharing of data | Stopping data monetization/sharing | 15 business days |
| Non-Discrimination | Protection from retaliation | All rights exercises, ensuring fair treatment | Applies immediately |
| Know About Data Sharing | Disclosure of sharing practices | Transparency on third-party access | 45 days (+45 extension) |
Choose the right to know for details on collection over the standard 12-month period. Go for opt-out to address sales immediately, or deletion for erasure. Non-discrimination protects every action, and data sharing disclosure shows third-party involvement [TrustCloud; Bastion Tech].
FAQ
What are the five core CCPA consumer rights in 2026?
The five core rights are: right to know, right to delete, right to opt-out of sale or sharing, right to non-discrimination, and right to know about data sharing.
How far back does the right to know cover personal information?
It covers the 12 months preceding the request, though 2026 revisions may expand this scope beyond the limit in some regulations.
What must businesses do for opt-out of sale or sharing requests?
Provide homepage links like "Do Not Sell or Share My Personal Information," support GPC, respond within 15 business days, and wait 12 months before opt-back-in requests.
Can businesses charge fees or discriminate for CCPA requests?
No, businesses cannot charge fees or discriminate, such as through unequal service or pricing, when consumers exercise rights.
What are the timelines for businesses to respond to CCPA requests?
Confirm receipt within 10 days; full response within 45 days (extendable by 45 days with notice); opt-out within 15 business days.
Do CCPA rights apply only to California residents?
Yes, CCPA rights protect California residents.
To act next, review a business's privacy policy for request links or use GPC-enabled browsers. Businesses should audit their response systems for 2026 compliance.