California Resident Rights and Do Not Sell or Share

What it is

California residents have specific legal rights under CCPA, including the right to know what data Figma has about them, delete it, correct it, and opt out of Figma sharing their information with advertising partners.

Why it matters (compliance & governance perspective)

California's CCPA and CPRA give residents enforceable rights over their data that go beyond what most other US users have, including the right to stop Figma from sharing personal data with advertising partners for cross-context behavioral advertising.

Consumer impact (what this means for users)

California residents can opt out of data sharing with advertising partners and request access to or deletion of their personal information by submitting a request through Figma's Privacy Request Portal or by emailing privacy@figma.com. Exercising these rights is free and Figma cannot discriminate against you for doing so.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision engages the California Consumer Privacy Act as amended by the California Privacy Rights Act, with enforcement authority held by the California Privacy Protection Agency and the California Attorney General. The CPRA introduced the right to correct inaccurate personal information and the right to limit use of sensitive personal information, both of which are referenced in this provision. Figma's characterization of advertising partner sharing as subject to the Do Not Sell or Share right reflects the CPRA's expansion of CCPA to cover sharing for cross-context behavioral advertising, not only outright sale. GOVERNANCE EXPOSURE: Medium. The policy asserts operational CCPA/CPRA compliance including a Privacy Request Portal, but compliance teams should verify that the portal functions correctly, that response timelines meet the 45-day statutory requirement, and that the Do Not Sell or Share opt-out is implemented across all relevant data flows including third-party advertising integrations. JURISDICTION FLAGS: This provision applies specifically to California residents. Other US states with comprehensive privacy laws, including Virginia, Colorado, Connecticut, and Texas, have enacted similar but not identical rights frameworks. Figma's policy addresses California specifically but may need to be evaluated for compliance with these other state frameworks as well. CONTRACT AND VENDOR IMPLICATIONS: California-based enterprise customers should confirm whether Figma's data processing agreements reflect CPRA service provider restrictions, including prohibitions on using customer personal information for Figma's own business purposes outside the service relationship. The Do Not Sell or Share opt-out should be operationally verified for all California users in the organization. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the Privacy Request Portal for functionality and response time compliance. Internal escalation procedures for California privacy rights requests should be documented. Organizations with California employees who use Figma should consider whether employee personal data processed through Figma is subject to CPRA's employee privacy requirements.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• AI Feature Content Used for Model Training high
• Third-Party Data Sharing and Advertising Partners medium
• GDPR Legal Bases and Data Subject Rights medium
• Cross-Border Data Transfers via Standard Contractual Clauses medium
• Age Restriction and Children's Privacy medium
• User Content and Design File Data Collection medium

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.