CCPA vs CPRA vs Your State's Law: Which Privacy Rights You Actually Have
The short version: the CCPA and CPRA are not competing laws — the CPRA (2020 ballot measure) amended the CCPA (2018 statute), so California has one privacy law, usually written "CCPA/CPRA," and it is the strongest in the country. Nineteen other states have passed their own comprehensive privacy laws as of 2026, nearly all granting a right to delete and a right to opt out of data sales, but with weaker enforcement than California's. If your state has no law, you still have brokers' voluntary opt-out processes, FTC protection against deceptive practices, and sector-specific federal laws — but no general deletion right.
Here is how to figure out what you can actually demand, based on where you live.
CCPA vs CPRA: one law, two acronyms
The confusion is understandable, so let's kill it precisely:
- CCPA (California Consumer Privacy Act, 2018) created the baseline rights: know what a business collects, request deletion, opt out of the sale of personal information, and non-discrimination for exercising rights.
- CPRA (California Privacy Rights Act, 2020) amended the CCPA effective January 2023. It did not replace it. The CPRA added:
- The right to correct inaccurate personal information
- The right to limit use of sensitive personal information (precise geolocation, race, health, biometrics)
- Opt-out of "sharing" (cross-context behavioral advertising), closing the "we didn't technically sell it" loophole
- CalPrivacy (the California Privacy Protection Agency) — a dedicated enforcement agency, the only one of its kind in the US
- Data minimization and retention obligations on businesses
So when a privacy policy says "CCPA/CPRA rights," it means the current, amended California law. On top of it sits the Delete Act and the DROP platform, which since January 2026 lets Californians send one deletion request to 600+ registered data brokers at once.
The rights that matter for data broker removal
Whatever state you are in, these are the four rights that determine whether you can force a broker to act:
- Right to delete — the removal hammer. All 20 state laws include some version.
- Right to opt out of sale — stops the resale pipeline. All 20 include it, but the definition of "sale" varies: California's covers any value exchange; Virginia's requires monetary consideration, which lets more conduct escape.
- Right to know/access — makes brokers show you what they hold.
- Universal opt-out signals — California, Colorado, Connecticut, Texas, Oregon, Montana and others require businesses to honor browser-level opt-out signals like Global Privacy Control.
What varies most is enforcement. California has a dedicated agency plus a private right of action for breaches. Almost every other state relies solely on its Attorney General — your rights there are real, but nobody is proactively auditing on your behalf.
Which tier is your state in?
As of July 2026, 20 states have comprehensive consumer privacy laws. Our state-by-state guide covers each in detail; here is the practical tiering for removal purposes:
Tier 1 — Maximum leverage: California. Full CCPA/CPRA rights, CalPrivacy enforcement, broker registration, and DROP. If you live here, submit a DROP request (free) and use direct CCPA deletion requests for non-broker businesses.
Tier 2 — Strong: Colorado, Connecticut, Texas, Oregon. Deletion + opt-out rights, universal opt-out mechanism support, active AG enforcement. Texas has been notably aggressive: its AG has brought enforcement actions under the Texas Data Privacy and Security Act, including against data brokers.
Tier 3 — Standard: Virginia, Utah, Iowa, Indiana, Tennessee, Montana, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Minnesota, Maryland, Rhode Island, and other recent adopters. Deletion and opt-out rights exist; definitions are narrower and enforcement is AG-only. Utah and Iowa are the weakest — Utah has no right to correct and narrower deletion scope.
No comprehensive law (30 states). No general deletion right. You still have: brokers' voluntary opt-out processes (every major people-search site has one — walkthroughs here), the FTC Act's prohibition on unfair and deceptive practices, and federal sector laws (FCRA for credit data, HIPAA for health records, COPPA for children).
The practical playbook by situation
- You're in California: DROP first (free, one request, 600+ brokers), then targeted CCPA requests for anything outside the registry.
- You're in a Tier 2/3 state: send deletion requests citing your state statute — brokers' compliance teams process them through the same pipeline as CCPA requests. Use our CCPA template and swap the citation.
- Your state has no law: use each broker's voluntary opt-out. It works — Consumer Reports found manual opt-outs achieve roughly 70% removal within a week — it just isn't legally compelled, and reappearance maintenance is on you.
- Everyone: check whether your data is circulating in breach dumps; no state deletion right reaches stolen copies.
Frequently asked questions
Is the CPRA a different law from the CCPA?
No. The CPRA amended and expanded the CCPA effective January 2023 — one California law, commonly cited as CCPA/CPRA. The CPRA's biggest additions were the right to correct, the right to limit sensitive data use, opt-out of "sharing" for behavioral advertising, and the creation of CalPrivacy as a dedicated enforcement agency.
How many states have privacy laws in 2026?
Twenty states have comprehensive consumer privacy laws as of 2026, covering roughly half of the US population. All twenty include some form of deletion right and opt-out of sale; they differ mainly in definitions, thresholds, and enforcement. The other thirty states have no general-purpose privacy statute.
Can I use the CCPA if I don't live in California?
The CCPA's rights belong to California residents. But many businesses — data brokers especially — apply one deletion pipeline nationwide because segmenting requests by state costs more than processing them. Send the request citing your own state's law if you have one; if not, most brokers will still honor a well-formed request through their voluntary process.
Which state privacy law is the strongest?
California, and it is not close: the broadest definition of "sale," a right to correct, sensitive-data limits, a private right of action for breaches, mandatory broker registration, a dedicated enforcement agency, and the DROP one-request deletion platform. Colorado, Connecticut, Texas, and Oregon form the next tier.
Do these laws cover government records?
No. State consumer privacy laws regulate businesses. Records held by government agencies — court records, property records, agency files — are governed by public records law and, for federal agencies, FOIA and the Privacy Act. See how to file a FOIA request for your own records.
Wherever your state lands, Sirveil prepares removal requests citing the specific statute that applies to you — Sammy scans 200+ data brokers, people-search sites, and breach databases, shows you the evidence, and you review and initiate every takedown. $7.99/month or $79.99/year, on Google Play and the App Store.
Sources cited: Cal. Civ. Code § 1798.100 et seq. (CCPA as amended by CPRA); privacy.ca.gov (DROP); state statutes surveyed in our data privacy laws by state guide; Consumer Reports data removal study. Last verified July 2026. This article is general information, not legal advice.