California Consumer Privacy Rights

What it is

California residents have specific legal rights to access, delete, correct, and limit how T-Mobile uses their personal data, and to opt out of T-Mobile selling or sharing their data with advertising partners.

Why it matters (compliance & governance perspective)

These rights are legally enforceable under California law and give California residents meaningful control over their data, including the ability to request deletion and stop data sharing for advertising purposes.

Consumer impact (what this means for users)

California residents can exercise legally enforceable rights to access, delete, and opt out of data sharing for advertising purposes; these rights apply to the full range of data categories T-Mobile collects and are enforceable against T-Mobile by the California Privacy Protection Agency.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision implements obligations under the California Consumer Privacy Act as amended by the California Privacy Rights Act, enforced by the California Privacy Protection Agency and the California Attorney General. The CPRA creates rights to know, delete, correct, opt out of sale and sharing, and limit sensitive personal information processing. These are legal entitlements, not contractual concessions; T-Mobile's description of them in its privacy policy does not limit or expand the underlying statutory rights. Failure to honor these rights within legally required response timeframes is directly actionable. GOVERNANCE EXPOSURE: High. California-specific rights create mandatory compliance obligations with defined response timelines of 45 days (extendable to 90 days) for access and deletion requests. The CPRA's requirement to verify consumer identity before processing requests, and to honor opt-out signals including Global Privacy Control, creates operational compliance obligations. Non-compliance can result in enforcement actions by the California Privacy Protection Agency and private rights of action for data breaches. JURISDICTION FLAGS: These rights apply specifically to California residents and are enforceable under state law. Similar but not identical rights exist in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws. Compliance teams should assess whether T-Mobile's rights-response mechanisms satisfy the varying requirements across all applicable state privacy laws, not only California. CONTRACT AND VENDOR IMPLICATIONS: Service providers and contractors that process T-Mobile consumer data must be bound by written agreements that prohibit them from retaining, using, or disclosing personal information outside the service provider relationship under CPRA. Vendor assessments should confirm that all downstream processors are contractually constrained and that deletion requests are cascaded to sub-processors. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the consumer rights request intake process to confirm response timelines are met, identity verification procedures are not unduly burdensome, and opt-out mechanisms including Global Privacy Control are honored. The categories of sensitive personal information identified in the policy should be mapped against CPRA's statutory definition to confirm completeness. Annual data protection assessments may be required for high-risk processing activities under CPRA regulations.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Precise Geolocation Data Collection and Sharing high
• CPNI Use for T-Mobile Marketing medium
• Advertising Profiling and Third-Party Data Sharing high
• Data Retention medium
• Data Security and Breach Notification high
• Children's Privacy and COPPA medium