If you’re a Chief Privacy Officer, Legal Counsel, or a team member who takes privacy seriously, then you understand that regulators now have the clarity to come after any business they find not respecting users’ privacy under CCPA/CPRA. Data subjects in California are learning what their rights are from Facebook & Instagram ads, and with ads asking whether they’ve been retargeted without their consent, you can imagine what the next decade of privacy regulation will look like.
On August 5, 2025, the California Privacy Protection Agency (CPPA) dropped a timely blog post as part of their “LOCKED” series, demystifying two powerhouse consumer rights under the California Consumer Privacy Act (CCPA): the right to limit the use of sensitive personal information and the right to opt out of data sales and sharing.
What is the LOCKED Series?
The CPPA’s blog series introduces “LOCKED” as an acronym for key CCPA rights: Limit (use of sensitive data), Opt-out (of sales and sharing), Correct (inaccurate info), Know (what data is collected), Equal treatment (no discrimination for exercising rights), and Delete (personal info). This post zeros in on the first two, empowering consumers to curb data collection at its source. For the full series, check out the CPPA’s main site.
Understanding Personal Information vs. Sensitive Personal Information
Before diving into rights, the CPPA clarifies the basics. “Personal information is any data that identifies, relates to, or could reasonably be linked to you or your household,” they explain. Sensitive personal information (SPI) is a heightened subset, warranting extra protections.
Here are some examples of personal information:
- Name or nickname
- Email address
- Purchase history
- Browsing history
- Location data
- Employment data
- IP address
- Profiles businesses create about you, including pseudonymous profiles (“user1234”)
And for SPI, which includes more intimate details:
- Identifying information (e.g., social security number, driver’s license)
- Financial data (e.g., debit or credit card numbers)
- Precise geolocation (within a radius of 1,850 feet)
- Demographic or protected-class information (e.g., race/ethnicity, religion, union membership)
- Biometric and genetic data (e.g., fingerprints, palm scans, facial recognition)
- Communications and content (e.g., mail, email, text messages)
- Health and sexual orientation (e.g., vaccine records, health history)
These distinctions are crucial because they dictate which rights apply and how businesses must handle your data.
The Right to Opt-Out: Stopping the Data Flow
Californians can opt out of the sale or sharing of their personal information, preventing it from being peddled to data brokers or used for cross-site targeted ads. As the CPPA puts it: “That means you have the right to opt-out of the sale of your personal information to third parties (e.g., data brokers, advertisers). You also have the right to opt-out of the sharing of your personal information to prevent the targeting of ads across different businesses, websites, apps, or services.”
Businesses must provide a clear link, often at the bottom of their site, labeled “Do Not Sell or Share My Personal Information” (some call it DNSMI) or “Your Privacy Choices.” To make it easier, the CPPA highlights Opt-Out Preference Signals (OOPS), like the Global Privacy Control. “An OOPS is a user-friendly and straightforward way for consumers to automatically exercise their right to opt-out of the sale and sharing of their personal information with the businesses they interact with online,” they note. Set it once in your browser, and it handles the rest—no more site-by-site requests.
The Right to Limit: Reining in Sensitive Data Use
For SPI, you can direct businesses to limit its use and disclosure. Look for links like “Limit the Use of My Sensitive Personal Information.” Once exercised, businesses can only use your SPI for essentials, such as providing goods/services, ensuring security, preventing fraud, maintaining systems, or complying with laws.
The CPPA emphasizes: “Businesses covered under the CCPA must provide a link on their website that allows you to request the limiting of your SPI, if they plan on using it in certain ways.”
Key Differences Between Limit and Opt-Out
While both empower consumers, they target different scopes:
- Opt-Out: Applies to all personal information; stops sales to third parties and sharing for targeted advertising.
- Limit: Specific to sensitive personal information; restricts uses beyond core business necessities, like security or service delivery.
Choosing the right tool depends on your concerns—broad data commodification or intimate details at risk.
Organizations’ CCPA Compliance Obligations
Businesses aren’t off the hook. They must honor these requests promptly, provide accessible links, and support tools like OOPS. Failure can lead to enforcement actions, as seen in recent cases like the Honda fine for CCPA violations and the Healthline case, which could have been avoided had they used Captain Compliance’s privacy software solutions and recommended settings. Even Todd Snyder, the clothing retailer, could have avoided its fine.
For more on compliance, visit the CPPA’s business resources page.
For privacy pros and consumers alike, this series is a game-changer: it alerts them and helps data subjects ensure their rights are respected. It simplifies complex rights into actionable steps, fostering a culture of data respect. See the CPPA blog to read it yourself, and stay tuned for the next installments on Correct, Know, Equal Treatment, and Delete.