
CCPA Privacy Rights: Your Complete Guide to California Consumer Privacy (2026)

  • Jan 23
  • 13 min read

Companies Are Selling Your Data. Here's How to Stop Them.

Every website you visit. Every app you use. Every purchase you make.

Companies are tracking you.

They collect your data:

  • 📍 Your location, minute by minute

  • 🛒 Everything you buy, browse, or consider

  • 👤 Your age, income, health conditions

  • 📱 Your contacts, messages, photos

  • 🔍 Every search, every click, every scroll

Then they sell it.

To advertisers. Data brokers. Insurance companies. Employers. Governments.

Without asking you. Without paying you. Often without telling you.

But if you're a California resident (or your data is processed in California), you have powerful rights under CCPA (California Consumer Privacy Act).

This guide shows you:

✅ What data companies collect about you (prepare to be shocked)

✅ Your 7 legal rights under CCPA

✅ How to request your data (step-by-step)

✅ How to delete your data

✅ How to opt-out of data sales

✅ How to sue companies that violate CCPA

✅ Real examples of CCPA in action

By the end, you'll know exactly how to take back control of your personal information.

What is CCPA?

CCPA = California Consumer Privacy Act

Passed: June 28, 2018

Effective: January 1, 2020

Updated: CPRA (California Privacy Rights Act) effective January 1, 2023

Latest amendments: 2026 (expanded coverage)

What it does:

  • Gives California residents control over their personal data

  • Requires companies to disclose data collection

  • Allows you to opt-out of data sales

  • Lets you delete your data

  • Imposes heavy penalties on companies that violate it

Similar to: Europe's GDPR (but CCPA is even stronger in some ways)

Who Does CCPA Apply To?

You're protected if:

  • You're a California resident (living in CA)

  • You're physically in California when accessing services

  • The company does business in California

Companies must comply if they:

  • Do business in California

  • AND meet ONE of these thresholds:

    • Annual gross revenue > $25 million

    • OR Buy/sell personal data of 100,000+ consumers/households

    • OR Derive 50%+ revenue from selling personal data

Examples of companies covered:

  • Google, Facebook/Meta, Amazon, Apple

  • X (Twitter), TikTok, Instagram, Snapchat

  • Banks, insurance companies

  • Retailers (Target, Walmart, Best Buy)

  • Data brokers (Acxiom, Experian, Oracle)

  • Most websites and apps you use

Estimated coverage: 500,000+ businesses

What is "Personal Information" Under CCPA?

Much broader than you think!

CCPA defines personal information as: "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

In plain English: Pretty much EVERYTHING about you.

Categories of Personal Information:

1. Identifiers:

  • Name, alias, postal address

  • Email address, phone number

  • Social Security number

  • Driver's license, passport number

  • IP address

  • Device ID

  • Cookie identifiers

  • Account name, username

2. Personal Records:

  • Signature

  • Physical characteristics

  • Bank account number

  • Credit/debit card number

  • Insurance policy number

  • Education records

  • Employment history

  • Medical information

3. Protected Classifications:

  • Race, ethnicity

  • Age, date of birth

  • Gender, sex

  • Sexual orientation

  • Marital status

  • Disability status

  • Citizenship, immigration status

  • Veteran status

4. Commercial Information:

  • Purchase history

  • Products/services considered

  • Browsing history

  • Consumer profiles

  • Purchasing tendencies

5. Biometric Data:

  • Fingerprints, faceprints

  • Voiceprints

  • Iris/retina scans

  • Keystroke patterns

  • Gait/walking patterns

  • Sleep patterns, health data

6. Internet Activity:

  • Browsing history

  • Search history

  • Website interactions

  • Ad interactions

  • Social media activity

  • App usage

7. Geolocation Data:

  • Physical location

  • Movements and patterns

  • GPS coordinates

  • Device location history

8. Audio/Visual:

  • Photos, videos

  • Voice recordings

  • Security camera footage

  • Call recordings

9. Professional/Employment:

  • Job title, employer

  • Work history

  • Performance reviews

  • Salary information

  • References

10. Education:

  • School records

  • Transcripts, grades

  • Student ID number

  • Disciplinary records

11. Inferences/Profiles:

  • Consumer preferences

  • Psychological profiles

  • Behavior predictions

  • Aptitudes, abilities

  • Likely future actions

Essentially: If a company knows it about you, it's probably "personal information"

Your 7 Rights Under CCPA

Right #1: Right to Know

What it means: You can ask companies: "What data do you have about me?"

They must tell you:

✅ Categories of personal information collected

✅ Specific pieces of personal information

✅ Sources of information

✅ Business purpose for collecting

✅ Categories of third parties they share with

✅ How long they keep it

Example request:

I am a California resident exercising my Right to Know under CCPA.

Please provide:
1. All personal information you have collected about me
2. Categories of sources
3. Business purposes for collection
4. Third parties you've shared my data with
5. Specific pieces of data (not just categories)

Name: [Your Name]
Email: [Your Email]
Account: [If applicable]

The company has 45 days to respond (can extend to 90 days)

Right #2: Right to Delete

What it means: You can demand: "Delete all my data."

Companies must:

✅ Delete your personal information from their records

✅ Direct service providers to delete

✅ Confirm deletion in writing

Exceptions (they can keep data if needed for):

  • Completing transaction you requested

  • Detecting security incidents

  • Complying with legal obligations

  • Internal research (if anonymized)

  • Enabling free speech

  • Complying with California Electronic Communications Privacy Act

Example request:

I am a California resident exercising my Right to Delete under CCPA.

Please delete ALL personal information you have collected about me, including:
- Account information
- Purchase history
- Browsing data
- Location data
- Any profiles or inferences

Confirm deletion within 45 days.

Name: [Your Name]
Email: [Your Email]

Right #3: Right to Opt-Out of Sale

What it means: Companies cannot sell your data if you say no.

"Sale" includes:

  • Selling to data brokers

  • Sharing for money/valuable consideration

  • Targeted advertising using your data

  • Cross-context behavioral advertising

How to opt-out:

  • Look for "Do Not Sell My Personal Information" link on website

  • Usually in footer of every page

  • Click and follow instructions

  • No account login required (must work for everyone)

Companies must:

✅ Respect opt-out for at least 12 months

✅ Not discriminate against you

✅ Not ask again for 12 months

Example:

  • Visit Amazon.com (if in California)

  • Scroll to footer

  • Click "Your Privacy Choices" or "Do Not Sell My Personal Information"

  • Toggle off data sales

  • Done!

Right #4: Right to Opt-Out of Sharing for Targeted Ads

Added by CPRA (2023): Separate from "sale" - companies cannot share your data for cross-context behavioral advertising.

What this stops:

  • Tracking you across websites

  • Building advertising profiles

  • Following you with retargeted ads

  • Sharing data with ad networks

How to exercise: Same as opt-out of sale, but specifically for advertising.

Many sites now have: "Do Not Share My Personal Information" link

Right #5: Right to Correct Inaccurate Information

Added by CPRA: If a company has wrong information about you, you can demand corrections.

Example:

  • Company lists wrong address

  • Wrong birth date

  • Incorrect purchase history

  • False profile attributes

They must:

✅ Correct the information

✅ Use commercially reasonable efforts

✅ Notify you of correction or denial

Right #6: Right to Limit Use of Sensitive Personal Information

Added by CPRA: For "sensitive" data, you can limit how companies use it.

Sensitive personal information:

  • Social Security, driver's license, passport number

  • Account login + password/security questions

  • Precise geolocation (within 1,850 feet)

  • Racial/ethnic origin

  • Religious/philosophical beliefs

  • Union membership

  • Mail, email, text content (not publicly available)

  • Genetic data

  • Biometric data

  • Health data

  • Sex life/sexual orientation

Limitation: Companies can only use for:

  • Providing services you requested

  • Security and fraud prevention

  • Short-term, transient use

  • Performing services

Cannot use for:

  • Creating profiles about you

  • Inferring characteristics

  • Targeted advertising

How to exercise: Look for: "Limit the Use of My Sensitive Personal Information" link

Right #7: Right to Non-Discrimination

Companies CANNOT:

❌ Deny goods/services

❌ Charge different prices

❌ Provide different quality of service

❌ Threaten any of the above

BECAUSE you exercised CCPA rights

But companies CAN:

✅ Charge a different price IF the difference is related to the value of your data

✅ Offer financial incentive for NOT opting out (must be voluntary)

Example of illegal discrimination:

  • You opt-out of data sale

  • Website says: "Premium features now $10/month for you" (was free)

  • VIOLATION

Example of legal incentive:

  • "Get 10% discount if you allow us to use your data for personalized offers"

  • You can decline and still use service at regular price

  • ALLOWED

How to Exercise Your CCPA Rights (Step-by-Step)

Step 1: Identify the Company

Who are you requesting from?

  • Google, Facebook, Amazon, etc.

  • The company that collected your data

  • Data brokers (if you know which ones)

Step 2: Find Their Privacy Request Portal

Check these places:

A. Footer of website:

  • Look for: "Do Not Sell My Personal Information"

  • "Privacy Choices"

  • "California Privacy Rights"

  • "Your Privacy Rights"

B. Privacy Policy:

  • Usually has section: "California Residents' Rights"

  • Contains instructions for requests

C. Contact page:

  • Some have dedicated "Privacy Rights" contact

D. Email:

Step 3: Submit Your Request

Most companies have online forms:

Example (Google):

  1. Go to: https://myaccount.google.com/data-and-privacy

  2. Click "Request to delete your data"

  3. Select data categories

  4. Submit request

Example (Facebook/Meta):

  1. Settings → Your Facebook Information

  2. Click "Access Your Information"

  3. Download Your Information

  4. Request Data Deletion

If no online form, send email:

Subject: CCPA Data Request - Right to Know and Delete

To Whom It May Concern,

I am a California resident exercising my rights under the California Consumer Privacy Act (CCPA).

REQUEST:
1. RIGHT TO KNOW: Please provide all personal information you have collected about me, including:
   - Categories and specific pieces of data
   - Sources of collection
   - Business purposes
   - Third parties you've shared with
   - How long you retain data

2. RIGHT TO DELETE: Please delete all personal information about me from your systems and direct your service providers to do the same.

3. RIGHT TO OPT-OUT: I opt-out of the sale and sharing of my personal information for targeted advertising.

VERIFICATION INFORMATION:
Name: [Full Legal Name]
Email: [Email associated with account]
Phone: [If applicable]
Account ID: [If you have one]
Address: [California address]

Please respond within 45 days as required by law.

Sincerely,
[Your Name]
[Date]

Step 4: Verify Your Identity

Companies will ask you to verify you're really you:

Common verification methods:

  • Email confirmation link

  • Account login (if you have account)

  • Answering security questions

  • Providing ID (driver's license)

  • Multi-factor authentication

Why: Prevents someone else from accessing your data or deleting it

Note: Companies cannot require you to create an account just to make a CCPA request

Step 5: Wait for Response

Timeline:

  • 45 days (can extend to 90 days with notice)

  • Must acknowledge receipt within 10 days

Response will include:

  • Data collected about you (Right to Know)

  • Confirmation of deletion (Right to Delete)

  • Confirmation of opt-out status

If they deny request:

  • Must explain why

  • You can appeal or file complaint with California Attorney General

Step 6: Review and Follow Up

Check their response:

  • Is all data included?

  • Did they actually delete?

  • Are there unexplained gaps?

If unsatisfied:

  • Send follow-up requesting clarification

  • File complaint with California AG

  • Consider legal action

How to Opt-Out of Data Sales (Quickest Method)

Universal Opt-Out (Automated)

Use browser signals:

Global Privacy Control (GPC):

  • Browser extension/setting

  • Automatically sends "Do Not Sell" signal to websites

  • Legally binding under CCPA

How to enable:

Chrome/Edge/Brave:

  1. Install Global Privacy Control extension

  2. Enable "Send GPC signal"

  3. All California websites you visit must respect it

Firefox:

  1. Settings → Privacy & Security

  2. Enable "Tell websites not to sell or share my data"

Safari (iOS 17.2+):

  1. Settings → Safari → Advanced

  2. Enable "Global Privacy Control"

Works automatically for:

  • Any website that recognizes GPC

  • Legally required in California

  • No manual opt-out needed for each site
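How a site on the receiving end can honor the signal described above, as an added example (not code from this guide or from any company it names). GPC-enabled browsers send the request header `Sec-GPC: 1`; the store, function names, consumer IDs and sample requests are constructed for illustration, and the 12-month rule is the one stated in this guide.

```javascript
// Added example: honoring Global Privacy Control on the server side.
// Everything named here (OptOutStore, decide, consumer IDs) is hypothetical.

const DAY_MS = 24 * 60 * 60 * 1000;
const TWELVE_MONTHS_MS = 365 * DAY_MS;

// Node lower-cases header names. Only the exact value "1" counts as a signal.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// In-memory stand-in for a durable opt-out table keyed by consumer ID.
class OptOutStore {
  constructor() { this.records = new Map(); }
  recordOptOut(consumerId, now, source) {
    this.records.set(consumerId, { optedOutAt: now, source });
  }
  get(consumerId) { return this.records.get(consumerId) || null; }
}

// Decide what the site may do with this consumer's data on this request.
function decide(store, consumerId, headers, now) {
  const gpc = hasGpcSignal(headers);
  // A GPC signal is treated as an opt-out request and refreshes the record.
  if (gpc) store.recordOptOut(consumerId, now, 'gpc');

  const record = store.get(consumerId);
  if (!record) {
    // CCPA is opt-out by default: no record means no restriction on file.
    return { maySellOrShare: false === true, mayAskToOptIn: false, reason: 'unset' };
  }
  const age = now - record.optedOutAt;
  return {
    // The opt-out never expires on its own; only the "ask again" ban does.
    maySellOrShare: false,
    // Conservative choice: never prompt while the browser is sending GPC.
    mayAskToOptIn: !gpc && age >= TWELVE_MONTHS_MS,
    reason: `opt-out via ${record.source}`,
  };
}

// Default case, split out so the opt-out-by-default rule is explicit.
function decideWithDefault(store, consumerId, headers, now) {
  const result = decide(store, consumerId, headers, now);
  if (result.reason === 'unset') {
    return { maySellOrShare: true, mayAskToOptIn: false, reason: 'no opt-out on file' };
  }
  return result;
}

// Constructed sample traffic for one consumer plus one unrelated visitor.
function runSample() {
  const store = new OptOutStore();
  const t0 = Date.UTC(2026, 0, 23);
  return [
    decideWithDefault(store, 'c-1001', {}, t0),                          // no signal yet
    decideWithDefault(store, 'c-1001', { 'sec-gpc': '1' }, t0 + DAY_MS), // GPC enabled
    decideWithDefault(store, 'c-1001', {}, t0 + 31 * DAY_MS),            // signal absent later
    decideWithDefault(store, 'c-1001', {}, t0 + 367 * DAY_MS),           // over 12 months on
    decideWithDefault(store, 'c-2002', { 'sec-gpc': '0' }, t0),          // not a valid signal
  ];
}

console.log(runSample());
```

The third and fourth sample requests show the point most implementations get wrong: the opt-out persists when the header stops arriving, and after 12 months only the ban on asking lapses.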

Manual Opt-Out (Top Data Collectors)

Big Tech:

Google:

Facebook/Meta:

  • Settings → Ad Preferences

  • Ad Settings → Data About Your Activity From Partners → Off

  • Settings → Privacy → Off-Facebook Activity → Clear History

Amazon:

  • Account → Privacy Settings

  • Advertising Preferences → Do Not Sell My Personal Information

Apple:

  • Settings → Privacy & Security

  • Tracking → Off

  • Personalized Ads → Off

Microsoft:

Data Brokers:

Note: Hundreds of data brokers exist. Full opt-out requires contacting many.

Tip: Use services like DeleteMe ($129/year) that automate opt-outs from 750+ data brokers

What Happens to Your Data After Request?

Right to Know Request:

You'll receive:

  • PDF or downloadable file

  • Categories of data collected

  • Specific data points (name, email, purchases, searches, etc.)

  • Often MASSIVE files (Google data can be 50+ GB!)

What to do with it:

  • Review for accuracy

  • Identify unexpected data collection

  • See which third parties received your data

  • Use as basis for deletion request

Right to Delete Request:

Company must:

  • Delete from active systems

  • Delete from backups (within reasonable time)

  • Instruct service providers to delete

  • Provide confirmation

What gets deleted:

  • Your account (if you have one)

  • Purchase history

  • Browsing data

  • Location data

  • Search history

  • Profiles and inferences

What might NOT be deleted (exceptions):

  • Transaction records (legal requirement)

  • Security logs (fraud prevention)

  • Data needed for ongoing legal matters

Verification:

  • Try to log in (should fail)

  • Submit new "Right to Know" request (should show minimal data)

Opt-Out of Sale:

Effect:

  • Your data won't be sold to third parties

  • Must be honored for 12 months minimum

  • Company can ask again after 12 months (but must respect your choice)

Check:

  • Visit "Do Not Sell" page again after a week

  • Should show opt-out active

  • Some sites have dashboard showing opt-out status

CCPA Violations: What Can You Do?

If Company Ignores Your Request:

Step 1: Send Follow-Up

  • Reference original request date

  • Request update on status

  • Remind of 45-day legal deadline

Step 2: File Complaint with California Attorney General

Step 3: Consider Legal Action

Private Right of Action (Data Breaches Only):

You can sue IF:

✅ Company had data breach

✅ Your personal information was exposed

✅ Due to company's failure to maintain reasonable security

✅ You suffered harm

Damages:

  • $100 - $750 per incident

  • OR actual damages (whichever is greater)

  • Can be class action lawsuit

Recent examples:

  • T-Mobile data breach (2021): $350 million settlement

  • Yahoo data breach: $117.5 million settlement

  • Equifax data breach: Up to $425 million

If your data was breached:

  • Check if class action lawsuit filed

  • Join the lawsuit

  • May receive compensation

Attorney General Enforcement:

AG can:

  • Investigate companies

  • Issue fines: $2,500 per violation

  • Intentional violations: $7,500 each

  • Order corrective action

Recent enforcement:

  • Sephora (2022): $1.2 million fine for failing to honor opt-out requests

  • Multiple companies fined for not having "Do Not Sell" links

CCPA vs GDPR: Which is Stronger?

CCPA (California) vs GDPR (Europe):

| Feature | CCPA | GDPR |
|---|---|---|
| Scope | California residents | EU residents |
| Company threshold | $25M revenue OR 100K consumers | Any company processing EU data |
| Consent | Opt-out (default: data used) | Opt-in (default: data NOT used) |
| Data portability | Yes | Yes |
| Right to delete | Yes (with exceptions) | Yes (stronger) |
| Private lawsuits | Only for data breaches | Yes, for any violation |
| Fines | Up to $7,500 per violation | Up to 4% of global revenue |
| Data Protection Officer | Not required | Required for large processors |

CCPA advantages:

✅ Clearer definitions

✅ Easier to exercise rights

✅ Applies to more companies (lower threshold)

GDPR advantages:

✅ Stronger default (opt-in vs opt-out)

✅ Higher fines

✅ Can sue for any violation (not just breaches)

If you're in California: CCPA protects you

If you're in EU: GDPR protects you (even stronger)

If you're elsewhere in US: Limited federal privacy laws (CCPA doesn't apply, but some states have similar laws)

Other State Privacy Laws (2026 Update)

States with CCPA-like laws:

Virginia (VCDPA):

  • Effective: January 1, 2023

  • Similar rights to CCPA

  • Applies to companies processing data of 100,000+ Virginians

Colorado (CPA):

  • Effective: July 1, 2023

  • Opt-out of targeted advertising, sale, profiling

Connecticut (CTDPA):

  • Effective: July 1, 2023

  • Right to know, delete, correct, opt-out

Utah (UCPA):

  • Effective: December 31, 2023

  • Right to know, delete, opt-out

Coming soon:

  • Texas (2024)

  • Oregon (2024)

  • Montana (2024)

  • Delaware, Indiana, Iowa, Tennessee (2025)

Expected: 15-20 states by 2027

Trend: Moving toward national privacy standard

Tips for Maximizing Your Privacy

1. Request Data Annually

Make it a habit:

  • Set calendar reminder: January 1st each year

  • Request data from top 10 companies you use

  • Review what they collected

  • Delete what you don't want

2. Use Privacy-Focused Tools

Browser:

  • Brave (built-in privacy features)

  • Firefox with privacy extensions

  • Safari (strong privacy by default)

Search Engine:

  • DuckDuckGo (doesn't track)

  • Startpage (anonymous Google results)

Email:

  • ProtonMail (encrypted)

  • Tutanota (private)

VPN:

  • Hides IP address

  • Encrypts traffic

  • Prevents tracking

3. Check Privacy Settings Regularly

Every 3-6 months:

  • Google: myaccount.google.com/privacy

  • Facebook: Settings → Privacy

  • Apple: Settings → Privacy & Security

  • Amazon: Account → Privacy Settings

Turn off:

  • Ad personalization

  • Location tracking (when not needed)

  • Voice recording storage

  • Third-party data sharing

4. Use Burner Emails/Phone Numbers

For signups:

Prevents:

  • Companies from creating profile across services

  • Spam

  • Data aggregation

5. Read Privacy Policies (At Least Summary)

Look for:

  • What data is collected

  • How it's used

  • Who it's shared with

  • How to opt-out

Red flags:

  • "We share with partners" (who?)

  • "For marketing purposes" (selling your data)

  • "Affiliates" (sister companies get your data)

6. Limit App Permissions

Mobile apps:

  • Settings → Apps → [App Name] → Permissions

  • Turn off unnecessary permissions:

    • Location (always → only while using)

    • Contacts, photos, microphone

    • Tracking

Many apps request far more than they need

7. Use "Do Not Sell" Signal Everywhere

Enable Global Privacy Control:

  • One-time setup

  • Protects across all websites

  • Legally binding in California

Frequently Asked Questions

1. I don't live in California. Does CCPA apply to me?

Partially YES if:

  • You're visiting California

  • Company does business in California

  • Your data is processed in California

But enforcement is stronger for California residents

Check your state: You may have similar state law

2. Can companies charge me for exercising CCPA rights?

NO—exercising rights is FREE

Companies cannot:

  • Charge fees

  • Require payment

  • Make you buy something

Exception: If request is "manifestly unfounded or excessive" (like requesting data 10 times a day), they can charge reasonable fee

3. How often can I make CCPA requests?

Right to Know: Twice per 12-month period

Right to Delete: As often as you want (but must be reasonable)

Right to Opt-Out: Anytime; the company must wait at least 12 months before asking you to opt back in

4. What if I don't have an account with the company?

You still have rights!

Example:

  • Website tracks you via cookies

  • Bought data about you from data broker

  • Collected your info from public records

You can still:

  • Request what they have

  • Demand deletion

  • Opt-out of sales

Verification might be harder (need to prove you're you without account)

5. Do small businesses have to comply?

Only if they meet threshold:

  • $25 million+ annual revenue

  • OR 100,000+ consumers/households

  • OR 50%+ revenue from selling personal data

Most small local businesses: Not covered

But: If they sell data or are very successful, might be covered

6. Can I request data about my children?

YES—if you're parent/guardian

COPPA (Children's Online Privacy Protection Act) also applies for under-13

For kids 13-17:

  • Parent can make CCPA request

  • Provide proof of parenthood

  • Child's personal information must be disclosed/deleted

7. What about employee data?

CCPA applies to employees

BUT: Limited until January 1, 2023

Now (2026): Full CCPA rights for employees and B2B contacts

You can request:

  • What employment data employer has

  • Delete old employment records (with exceptions)

  • Opt-out of employer selling your data (unusual, but possible)

8. How long do companies keep data after deletion request?

Immediately from active systems

Backups: "As soon as commercially reasonable"

  • Usually 30-90 days

Legal retention: Some data must be kept (tax records, transaction history for 7 years)

9. Can I sue a company for violating my CCPA rights?

Only for data breaches (private right of action)

For other violations:

  • File complaint with California AG

  • AG investigates and fines company

  • You don't get money directly (unless class action settlement)

10. Will CCPA become federal law?

Likely eventually, but not yet

Current status:

  • Multiple federal bills proposed

  • Strong state laws creating pressure

  • Tech companies actually WANT federal law (easier than 50 state laws)

Expected: Federal privacy law by 2027-2028

Take Action Today: Your Privacy Checklist

This Week:

☐ Enable Global Privacy Control in your browser

☐ Request your data from Google

☐ Request your data from Facebook/Meta

☐ Request your data from Amazon

☐ Opt-out of data sales on top 10 websites you use

This Month:

☐ Delete accounts you don't use

☐ Review privacy settings on all major accounts

☐ Opt-out of top 20 data brokers

☐ Set up privacy-focused email for new signups

☐ Install privacy browser extensions (uBlock Origin, Privacy Badger)

This Year:

☐ Annual data request from all major companies (January)

☐ Quarterly privacy settings review

☐ Teach family members about CCPA rights

☐ Consider paid privacy service (DeleteMe, Privacy.com)

Final Thoughts

Your data is valuable. That's why companies want it.

Estimates suggest:

  • Your personal data is worth $100-500/year to companies

  • Data broker industry: $200+ billion annually

  • You get none of it (unless you exercise your rights)

CCPA gives you power:

✅ Know what companies know about you

✅ Delete what you don't want them to have

✅ Stop them from selling your data

✅ Hold them accountable for violations

But you must act. Rights aren't automatic.

Start today:

  1. Visit Google, Facebook, Amazon

  2. Click "Do Not Sell My Personal Information"

  3. Request your data

  4. Review what they have

  5. Delete what you don't need

10 minutes of action = years of privacy protection

Questions? Drop a comment! Our privacy law team responds within 24 hours.

Found this helpful? Share with friends and family. Everyone deserves privacy!
