10: CCPA data privacy legislation enables access to personal data collected

Updated: May 30

We explore the actions US residents can take in light of the California Consumer Privacy Act (CCPA), the first major US data privacy legislation, particularly, but not solely, if they are residents of California (CA).

The steps we have outlined so far in several posts can reduce the amount of personal data collected going forward, but do nothing for the likely massive amount of data already collected about all of us over years. There is a growing body of thought that some data privacy legislation is needed to help consumers discover what has been collected about them and to enable them to request that personal data be deleted.

Data privacy legislation

California’s CCPA is the first US comprehensive data privacy legislation

As the first such initiative in the US (Europe began enforcing its General Data Protection Regulation or GDPR in 2018), CA passed the CCPA, which just went into effect in January 2020. It provides CA residents with certain rights to know what data is collected by companies and to request that they stop selling and/or delete personal data. Details of the CCPA data privacy legislation have been published widely. Examples of resources that will tell you more are as follows, ranging from the detailed legislation on CA’s official site, to a succinct summary on Wikipedia, to several excellent articles on the impact of the new law in leading newspapers and journals:

CCPA Key Provisions

The key provisions allow CA consumers to

  • request a copy of personal data collected

  • prevent the further sale of personal data

  • request that personal data be deleted

  • gain special protections for children

Compliance is demanded of companies above certain designated thresholds of revenue or users, so small businesses are not burdened with this cost for now.

Why you should care if you live in a different US state

Although strictly for CA residents, many major companies, though not all, are applying the same privacy provisions to users not in CA, either for altruistic or PR reasons, or simply because it is less hassle to have one uniform policy rather than separate procedures for CA and non-CA residents, or perhaps because personal data is not a major source of revenue for them anyway. The Washington Post article cited above lists some major companies that offer CCPA rights to all users vs. those that do so only for CA residents.

Benefits and challenges of this data privacy legislation

This legislation, in our view, balances consumer rights to privacy vs. placing a reasonable burden on larger companies, so as such, it is as an important step forward. There are, however, several challenges to users and companies alike:

For companies,

  • they need to institute procedures to process requests for personal information collected and to delete personal data upon request, which comes at a cost that will ultimately be passed on to everyone

  • those whose business model depends on selling or utilizing personal data may have that source of revenue impacted and may need to modify those business models

For consumers

  • companies' compliance with the new legislation is not yet a clear, mature concept; for example, some companies are pushing back on the interpretation of “sale of personal data” (e.g., does utilizing the data to serve third-party ads in a more targeted way constitute “sale of personal data?”)

  • users need to contact each company separately, filling out provided online forms for some and writing your own email message to others (see the New York Times article cited above for a sample letter CA residents could write)

  • some companies may comply with respect to CA residents only

  • the Washington Post article (cited above) documents companies that send you too little information about what they have collected, while others dump way too much

  • instructions on how to download the personal data collected about you or to request its deletion can be obscure


Despite these challenges, we believe it is worth your while, particularly for CA residents, to start by writing to request a copy of personal data collected. We suggest you start with the company websites that you use the most. For non-CA US residents, we suggest you start with those you use that are cited in the Washington Post article as responding positively to all users.


The CCPA is important privacy-rights legislation in the US. We advise the following:

  • Go to each website that you use, with priorities as delineated in the previous paragraph for CA and non-CA residents above

  • Look for their link to request a copy of personal data they have collected (if you cannot find such a link, try the privacy policy page)

  • If you cannot find a website form, then write an email requesting a copy (see sample letter in the NY Times article cited above) for CA residents

  • For US residents not in CA, start with companies cited in the Washington Post article that accommodate non-CA US residents

  • Also, consider a letter to your congressional representatives advocating for a national privacy act along the CCPA lines (There are several initiatives in Congress, about which we may write more in a future post).

Get email alerts for new posts

*We do not share your email with any third party.  See Privacy Policy.

Use of this blog site constitutes acceptance of its Terms of Use. Note that the terms are written in plain English for clarity and transparency.  Similarly, see also our Privacy Policy.

Brand names mentioned are trademarked or are the trade names of their respective owners.

Other than the logo, photos or illustrations are stock photos licensed from iStockPhoto.com

Books on privacy
Disclosure: As an Amazon Associate we earn from qualifying purchases.


This site is owned and operated by Adept Advice LLC.

Copyright (c) 2020 by Adept Advice LLC. All rights reserved.