RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJune 29, 2026

CCPA Consumer Rights for AI-Processed Data: Access, Deletion & Opt-Out in 2026

California consumers have the right to know how your AI uses their data, demand deletion from trained models, and opt out of AI-driven profiling. Most businesses aren't ready to honor these requests — here's what compliance actually requires.

45 Days
Maximum time to respond to a verified CCPA data access or deletion request
$7,500
Maximum civil penalty per intentional CCPA violation (CPPA-enforced)
100K+
California consumers who have filed CCPA data access requests since 2023

Why AI Makes CCPA Harder to Comply With

CCPA's consumer rights framework was written before businesses were routinely training models on customer data and using AI to make inferences about individual users. The rights themselves — access, deletion, correction, opt-out — are straightforward in a database context. They become genuinely difficult when the personal information has been absorbed into the weights of a neural network.

The core CCPA questions are simple: what data do you hold on a consumer, what are you doing with it, and will you stop if they ask? The AI-specific complication is that "holding data" now includes "learned patterns encoded in a model," and "stopping" may require retraining. California privacy regulators — specifically the California Privacy Protection Agency (CPPA) — are aware of this friction and are actively developing AI-specific guidance.

Businesses that collect California residents' personal information and use it to train, fine-tune, or power AI systems cannot treat CCPA as a database-only compliance exercise. The consumer rights reach the AI use cases too.

The Five CCPA Rights and How AI Complicates Each

Right to Know

What it is: Consumers can ask what personal information you've collected and how you've used or shared it.

AI complication: You must disclose if AI processes their data — for personalization, recommendations, risk scoring, or inference generation. Your privacy policy must describe AI processing, not just database storage. If an AI system generated a prediction or inference about the consumer, they can request that too.

Right to Delete

What it is: Consumers can request that you delete their personal information and direct service providers to do the same.

AI complication: If you used their data to train a model, deletion may require retraining the model without that data — which is expensive and sometimes not technically feasible to do precisely. The CPPA has acknowledged this tension. Best practice: document why model-level deletion isn't feasible, segregate training data so you can retrain if necessary, and cease using outputs from that model for that specific consumer.

Right to Correct

What it is: Consumers can request correction of inaccurate personal information (added by CPRA).

AI complication: If an AI system generated an inaccurate inference about a consumer that was stored as their profile data — an incorrect income estimate, a miscategorized preference, a false behavioral prediction — the consumer can request correction. You must update both the stored inference and any downstream system that relies on it.

Right to Opt Out of Sale/Sharing

What it is: Consumers can opt out of the sale or sharing of their personal information for cross-context behavioral advertising.

AI complication: If your AI-powered ad targeting system shares consumer behavioral data with ad networks or uses it for cross-site profiling, the consumer can opt out. A 'Do Not Sell or Share My Personal Information' link is required if you engage in these practices. AI-based targeting doesn't create an exemption — it's often the primary mechanism triggering this right.

Right to Limit Use of Sensitive Data

What it is: Consumers can limit use of sensitive personal information (health, biometric, financial, location, etc.) beyond necessary purposes.

AI complication: Many AI health, fintech, and HR tools process sensitive data as their core product. If an AI system processes health-related inferences, biometric patterns, or financial data to build consumer profiles beyond what's needed to provide the requested service, consumers can demand you limit that use. This right is increasingly relevant for AI wellness apps, AI hiring tools, and AI lending platforms.

The Deletion Problem: When Personal Data Lives in Model Weights

The hardest CCPA obligation for AI businesses is model-level deletion. When a consumer's personal information was used to train a model, that information doesn't exist in a database row you can delete — it's woven into the model's learned parameters. There's no "DELETE WHERE user_id = X" command that works on a neural network.

The emerging consensus among privacy attorneys is that businesses must:

  • Maintain records of which consumers' data was used in which training runs
  • Retrain the model if technically and economically feasible after enough deletion requests accumulate
  • Stop applying that model's outputs to the requesting consumer even if full retraining isn't immediate
  • Document in writing why immediate model-level deletion wasn't technically feasible
  • Implement machine unlearning techniques where they exist for the model architecture

The CPPA is expected to issue formal guidance on model-level deletion in 2026. Until then, the safest approach is proactive: don't train on consumer personal information you don't need, keep training data segregated from production databases, and design for unlearning from day one.

The Automated Decision-Making Opt-Out: What's Coming

The CPRA granted consumers the right to opt out of automated decision-making technology (ADMT) for significant decisions. California's ADMT regulations — which the CPPA has been developing since 2023 — would require businesses to:

Opt-Out Mechanism

  • Provide a clear opt-out link for AI profiling in significant decisions
  • Honor opt-out within 15 business days
  • Inform consumers of the categories of ADMT used about them
  • Tell consumers which decisions were made using ADMT

Human Review Right

  • Allow consumers to request human review of significant ADMT decisions
  • Explain the rationale for the automated decision
  • Correct errors in the underlying data that drove the decision
  • Document the review process and outcome

The ADMT regulations cover decisions significantly affecting consumers in areas including employment, credit, housing, education, insurance, health care access, and access to places of public accommodation. Any AI tool that automates these decisions for California consumers is in the crosshairs.

Building a Consumer Rights Response Process for AI

Most businesses have some form of data subject request process, but very few have extended it to cover AI-specific scenarios. Here's the minimum you need:

Map your AI data flows

Identify every place personal information flows into or through an AI system — training data pipelines, inference calls, stored predictions, personalization engines. You can't honor consumer requests for data you haven't mapped.

Extend your DSR intake to capture AI-specific requests

When a consumer submits a data request, add questions that let you identify if they're asking about AI-generated inferences, model training, or automated decisions. Generic 'what data do you have on me' forms often miss AI use cases entirely.

Train your response team on AI data

The person reviewing consumer requests needs to know what AI systems process personal data, where AI outputs are stored, and how to pull AI-generated inferences into a disclosure package. This is a training and tooling problem, not just a policy problem.

Build a deletion workflow that includes AI systems

Your deletion process must route to AI teams, not just database admins. Flag training data records for eventual model retraining. Stop serving that consumer outputs from the relevant model while the longer-term deletion process is underway.

Update your privacy policy to disclose AI processing

Consumers can only exercise rights they know they have. Your privacy policy must describe what AI systems process personal data, what inferences they generate, and how consumers can request access, deletion, or opt-out. Vague 'we use technology to improve your experience' language won't hold up under CPPA scrutiny.

Frequently Asked Questions

We only use AI features from third-party vendors. Do CCPA consumer rights still apply to us?

Yes. If your third-party AI vendor processes personal information on your behalf, they are typically your service provider, and you remain the business responsible for consumer rights. A consumer's right to know, delete, or opt-out runs to you — not to your vendor. You must be able to pass deletion requests through to your service providers and verify completion. Make sure your vendor contracts include data subject request cooperation clauses.

Can a consumer opt out of AI-based product recommendations?

Depends on the type of AI. If the recommendation engine uses cross-context behavioral data (data collected from other websites or contexts), the opt-out-of-sharing right applies. If it uses only first-party data within a single service (e.g., your own purchase history), the standard opt-out right may not apply — but the forthcoming ADMT opt-out regulations may require offering an alternative if the recommendations affect significant decisions.

We're a B2B SaaS — our customers are businesses, not California consumers. Does CCPA apply?

CCPA protects California residents as natural persons. If your B2B SaaS processes personal information about California employees or end users of your business customers — even in aggregate or for product analytics — those individuals have CCPA rights. CCPA has a B2B exemption for data collected in the context of business-to-business communications, but that exemption doesn't extend to AI that builds profiles of individual employees or end users.

We're not based in California. Does CCPA still apply to our AI?

CCPA applies to for-profit businesses that collect personal information from California residents and meet one of these thresholds: annual gross revenue over $25M, process data on 100,000+ California consumers or households annually, or derive 50%+ of revenue from selling personal information. Location of the business doesn't matter — location of the consumer does.

Consumer Rights Don't Stop at Your Database

The hardest part of CCPA compliance for AI businesses isn't the rights framework — it's extending that framework to cover systems where personal information lives in ways that don't respond to traditional deletion and access commands.

Start with data mapping across every AI system that touches personal information. Know what data trained your models, what inferences those models generate, and where those inferences are stored. Without that map, you can't honor consumer rights — and the CPPA is increasingly asking for it.