California Consumer Privacy Rights

What it is

If you live in California, you have specific legal rights under the CCPA and CPRA to see, delete, or opt out of the sharing of your personal information, and Delta cannot penalize you for exercising those rights.

Why it matters (compliance & governance perspective)

California's comprehensive privacy laws give residents more control over their personal data than federal law currently provides, including the right to stop Delta from sharing data with promotional partners.

Consumer impact (what this means for users)

California residents have enforceable rights to request a copy of the personal information Delta holds about them, request its deletion, and opt out of its sharing with marketing partners; exercising these rights is an available, specific action that can limit how broadly personal data is distributed.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly engages the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. The CPRA expanded CCPA to cover sharing of personal information for cross-context behavioral advertising, added a sensitive personal information category with additional opt-out rights, and established the CPPA as a dedicated enforcement authority with rulemaking and audit powers. GOVERNANCE EXPOSURE: High for California operations. The CPRA requires not only that opt-out rights be available but that they be implemented through specific technical mechanisms (including Global Privacy Control recognition) and that responses to consumer requests be fulfilled within 45-day statutory windows. Noncompliance with request response timelines or opt-out mechanisms is a direct enforcement trigger. JURISDICTION FLAGS: This provision applies specifically to California residents, though similar rights frameworks exist under Virginia CDPA, Colorado Privacy Act, Connecticut CTDPA, and Texas Data Privacy and Security Act, among others. Compliance teams should evaluate whether Delta's privacy rights infrastructure satisfies the operational requirements of each applicable state, not just California. CONTRACT AND VENDOR IMPLICATIONS: Delta's service providers and third-party partners receiving California residents' data must be subject to contracts that restrict them to using the data only for the purposes disclosed in the policy and complying with consumer request obligations. The CPRA's contractor and service provider definitions impose specific contractual requirements that should be reflected in vendor agreements. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Delta's privacy portal fully implements all required CPRA rights including access, deletion, correction, portability, and opt-out of sharing; that Global Privacy Control signals are recognized and acted upon; that sensitive personal information opt-out rights are separately available; and that response time tracking meets the 45-day statutory requirement. Annual CCPA/CPRA training and policy reviews should confirm ongoing alignment with CPPA regulatory guidance.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Promotional Partner Data Sharing medium
• Biometric Data Collection for Voluntary Identity Programs high
• Government Authority Disclosure medium
• Cookies and Behavioral Tracking medium
• SkyMiles Loyalty Program Data Use medium
• Data Retention Practices low