California CCPA/CPRA Rights

What it is

If you live in California, you have a set of legally enforceable rights over your personal data, including the right to see it, delete it, correct it, and stop Udemy from sharing it with advertising partners.

Why it matters (compliance & governance perspective)

These rights, backed by California law, give California residents meaningful control over their personal data at Udemy and cannot be waived by the privacy policy terms.

Consumer impact (what this means for users)

California residents can exercise enforceable rights to access, delete, correct, and opt out of sharing of their personal information, and Udemy is prohibited from retaliating against users who exercise these rights.

What you can do

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision directly implements rights conferred by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Enforcement authority rests with the California Privacy Protection Agency (CPPA) and the California Attorney General. Udemy's obligation to honor these rights is a legal requirement, not merely a policy commitment, and the anti-discrimination provision reflects CCPA Section 1798.125. Failure to honor timely requests (generally within 45 days) can trigger regulatory action. 2. GOVERNANCE EXPOSURE: Medium. The provision reflects standard CCPA/CPRA compliance language. Governance exposure arises primarily from operational implementation: whether request fulfillment timelines are met, whether the opt-out mechanism is sufficiently prominent and functional, and whether the 'sensitive personal information' limitation right is operationally supported. The CPPA has signaled active enforcement interest in the technical implementation of opt-out mechanisms. 3. JURISDICTION FLAGS: Applies specifically to California residents. Other U.S. states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, and others) may confer analogous rights that Udemy's policy does not explicitly address; compliance teams should assess whether Udemy's rights-response infrastructure covers multi-state obligations. EU and UK users have parallel rights under GDPR/UK GDPR. 4. CONTRACT AND VENDOR IMPLICATIONS: Enterprise clients with California-based employees should confirm that their Udemy Business agreements address CCPA service provider obligations, including restrictions on Udemy's use of employee data for purposes beyond the contracted service. The policy's anti-discrimination commitment should be reviewed in the context of any tiered service models. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Udemy's data subject request (DSR) intake process is documented, that response timelines are tracked, and that the opt-out mechanism is tested for functionality. Particular attention should be paid to the 'sharing' opt-out given CPRA's expanded definition relative to CCPA's original 'sale' standard.

Applicable agencies

Provision details

Other risks in this policy

• Udemy Business Employer Data Sharing high
• Third-Party Advertising and Analytics Data Sharing medium
• Data Sharing in Merger or Acquisition medium
• Cross-Border Data Transfers (EU-U.S. Data Privacy Framework) medium
• Children's Privacy and Age Restriction medium
• Data Retention medium