Consumers have the right to require companies to inform them of the type of personal information they collect, the source of the information, the specific content, purpose, and third-party processing agencies. Enterprises should clearly inform consumers of the above information in their privacy clauses, otherwise their collection of consumers' personal information will be considered non-compliant.

Consumers have the right to request companies to provide free of charge the personal information they have collected and processed. This means that consumers can obtain their own personal data processed by enterprises, and self-manage and reuse personal data in an easy way. The right of access strengthens the use and control of personal information by information subjects, facilitates information circulation and sharing, and breaks the platform's data monopoly.

CCPA stipulates that consumers need to send requests to enterprises to obtain personal information, and enterprises can only send them to consumers by mail or electronic means after verifying consumers' requests. In addition, businesses should send personal information in a portable, easy-to-consume format that doesn't create barriers to secondary use by consumers. The implementation of access rights can bring many conveniences to real life. For example, during the epidemic, residents were required to apply for a local health code when traveling across provinces due to territorial control requirements. During this period, personal information was often filled in repeatedly, causing inconvenience to the user experience. If residents can download their personal health information after applying for a health code for the first time and filling in their personal information, then when re-applying for a health code, they can import the downloaded personal information into the new system after simple authorization without having to fill in repeatedly. It is worth noting that although consumers have the right to request companies to provide personal information free of charge, CCPA also stipulates that consumers can only make two applications per year. This limit on the number of times effectively prevents consumers from abusing access rights and putting excessive compliance pressure on companies.

Section 1798.105 of the CCPA states that "a consumer has the right to request that a business delete any personal information it has collected about that consumer." Enterprises should also clearly inform consumers that they have the right to delete. When an enterprise receives a consumer's request to delete personal information, it should delete the personal information after verification, and request other data service providers to delete the relevant information at the same time. Businesses have the right to deny a consumer’s deletion request under certain circumstances, including:

Consumers have the right to ask businesses not to sell their personal information at any time. Enterprises should fulfill their obligation of notification and provide the "Do Not Sell My Personal Information" option in a conspicuous place on their platform, which is also known as "Opt-out". On the premise of giving reasonable notification, as long as the consumer does not refuse, the company will tacitly agree that the consumer agrees to sell his personal information.

Blizzard Entertainment’s “Do Not Sell My Personal Information” source: Blizzard Entertainment’s official website Corresponding to the “opt-out right”, there is also the “opt-in” for minors under the age of 16. Information of minors is strictly protected in the United States. The CCPA clearly stipulates that "any behavior of an enterprise that deliberately ignores a consumer's age shall be deemed to have clearly known the consumer's age." For the personal information of minors (under the age of 16), companies should obtain the explicit consent of the consumers themselves (consumers between the ages of 13 and 16) or their parents and guardians (for consumers under the age of 13) before selling their personal information.

Businesses must not discriminate against consumers for exercising their rights under the CCPA, including:

right to bring individual lawsuits. Section 1798.150 of the CCPA provides that “a consumer may bring a civil action for unauthorized access and disclosure, theft, or disclosure because of a business’s breach of duty to protect personal information by failing to implement and maintain reasonable security measures and practices commensurate with the nature of the information.” Consumers can recover damages ranging from $100 to $750 per security incident, as well as other legal remedies such as an injunctive order. However, the CCPA also imposes a higher threshold on the individual's right to sue, and has a limited role in the implementation of personal information protection law enforcement. The CCPA's private litigation right is only for data leakage accidents, and consumers can file personal lawsuits only when the company causes personal data leakage of consumers due to its own reasons.

Individual rights of action do not support non-compliance that has not yet caused damage to the enterprise. For example, regarding the fact that a company does not set the "Do Not Sell My Personal Information" option in a conspicuous position on its website, although it is not compliant, it does not cause serious consequences such as privacy data leakage, so it does not meet the conditions of a personal lawsuit. So far, California courts have received more than 150 individual lawsuits accusing companies of non-compliance with privacy protection, but none of the cases have been successfully accepted.

CCPA strengthens the six rights that consumers have in the field of privacy data protection, and puts forward specific operational regulations on how to protect consumers' personal information.

Enterprises should fulfill their duty of reminder in their privacy clauses and explain their rights to consumers in an easy-to-understand manner. At the same time, enterprises should allocate special personnel to deal with various requests from consumers within the specified time, and do a good job in keeping corresponding records.