Demystifying consumer rights under the CCPA: A guide for organizations
The California Consumer Privacy Act (CCPA), significantly bolstered by the California Privacy Rights Act (CPRA), has fundamentally reshaped how businesses must handle personal information. For any organization, understanding these consumer rights isn’t just about ticking boxes for compliance; it’s about building genuine trust and showing you care about responsible data practices.
This article gives you a clear and easy-to-understand rundown of these important individual rights and what businesses need to do.
Understanding the landscape: Who must comply?
Before we dive into specific rights, let’s quickly clarify which businesses are covered by the CCPA. Generally, if a for-profit business collects personal information from California residents, it likely falls under the law if it meets one or more of these criteria:
- It has annual gross revenues exceeding $26,625,000.
- It annually buys, sells, or shares the personal information of 100,000 or more California consumers or households.
- It gets 50% or more of its annual revenue from selling or sharing California consumers’ personal information.
Now, let’s explore the core consumer rights and what your organization needs to do to respect them.
1. The right to know and access personal information
This is a big one for transparency! The right to know under the CCPA lets consumers understand exactly what personal information (PI) your organization has collected about them and how it’s used, sold, or shared.
When you receive a verifiable consumer request, your organization is required to provide the following:
- The categories of personal information you’ve collected about the consumer.
- The categories of sources from which that personal information was collected.
- Your business or commercial purpose for collecting, selling, or sharing personal information.
- The categories of third parties to whom you disclose personal information.
- If you’ve sold or shared personal information, you need to provide the categories of personal information that you sold/disclosed, and for each category, the categories of third parties who received that specific type of personal information.
- The actual, specific pieces of personal information you’ve collected about that consumer.
A few important things to keep in mind:
Sensitive information:
While you must inform consumers if you’ve collected sensitive information like Social Security numbers or financial account details, you are not required to disclose the specific values of such highly sensitive data. This protects the consumer: an access request submitted by an impostor must not become a way to obtain those values.
“Inferences” count:
Even if your organization creates inferences about a consumer based on the data you have (like predicting their interests), these are considered personal information under the CCPA and must be disclosed if requested.
Looking back:
You generally need to show information from the past 12 months. However, if a consumer requests disclosures beyond this period (for information collected on or after January 1, 2022), you must provide it unless doing so is genuinely impossible or would take an extraordinary effort. (Just a note: this doesn’t mean your organization has to hold onto personal information for a certain amount of time.)
No sale/sharing? Tell them!
If your organization hasn’t sold, shared, or disclosed a consumer’s personal information, you’re required to explicitly inform the consumer of this fact.
Service provider assistance:
Companies that process data on your behalf (called “service providers” or “contractors”) aren’t directly obligated to respond to consumer access requests for PI collected in their role. However, they must assist your organization in fulfilling these requests by providing the necessary information or enabling access.
Request limit:
You’re not required to provide the same information to a consumer more than twice within a 12-month period.
Legal roadblocks:
If a state or federal law prevents you from disclosing certain information, you’ll need to explain why (unless the law itself prohibits that explanation).
2. The right to correct inaccurate personal information
Introduced by the CPRA, this right empowers consumers to request that businesses correct inaccurate personal information they maintain about them.
What your organization needs to do:
Commercially reasonable efforts:
Upon receiving a verifiable request, you must use “commercially reasonable efforts” to fix any inaccurate personal information.
Getting partners involved:
You also need to instruct all service providers and contractors to make necessary corrections in their systems. While these partners must comply, they might have a slight delay for data stored in archives or backups until that data is restored or next accessed.
Asking for proof:
You can ask for documentation from the consumer if deemed necessary to confirm the accuracy of the information, keeping in mind the type of information and the impact on the consumer.
When correction might be denied:
Your organization can deny a correction request if you determine the information is more likely than not accurate based on all the circumstances. If you’re not the original source of the information and lack supporting documentation, the consumer’s assertion of inaccuracy might be sufficient. Requests can also be denied if you can’t verify the requestor’s identity.
3. The right to limit use and disclosure of sensitive personal information
The CPRA also gave consumers more control over their sensitive personal information (SPI). This includes highly personal details like Social Security numbers, exact location, racial or ethnic origin, health information, and more. Consumers can tell your organization to limit how you use and share this sensitive data.
What your organization needs to do:
Easy ways to ask:
You must offer at least two simple methods for consumers to submit limit requests, ideally methods you already use to interact with customers. You cannot force them to create an account or provide unnecessary information to make this request.
Stopping the use:
Once you receive a request, you must stop using or disclosing the consumer’s SPI for any purpose beyond what’s absolutely necessary to perform the services or provide the goods they’d reasonably expect.
No verification needed here:
Interestingly, you don’t need to verify identity for a request to limit sensitive personal information. You can only ask for more details if it’s strictly necessary to fulfill the request.
Quick action:
You need to limit processing of SPI as soon as possible, and definitely within 15 business days. You must also notify any service providers or third parties involved to do the same.
Partners must obey:
Service providers cannot use SPI for any purpose after receiving instructions from your organization to limit its use; their contracts will also include these limitations.
Financial incentives:
If complying with the request means you’ll have to charge them differently or change how you provide a service, you need to give them a “notice of financial incentive.”
The “limit my sensitive information” link:
If your organization uses or shares sensitive personal information beyond what’s strictly necessary, you must have a clear link on your website titled “limit the use of my sensitive personal information.” Consumers might also be able to use opt-out preference signals.
12-month break:
Once a consumer has requested to limit, your organization is prohibited from using or sharing their SPI and will have to wait for at least 12 months before requesting further consent.
Temporary use exception:
There’s a small exception where limiting SPI use isn’t required if the use or disclosure is reasonably necessary and proportionate to the short-term, transient use of the information (e.g., non-personalized advertising during their current visit to a website). This applies only if the information isn’t shared with other companies or used to build a profile about the consumer outside that specific interaction.
4. The right to delete personal information
Consumers have the right to ask your organization to delete any personal information you’ve collected about them.
What your organization needs to do:
Partial or full deletion:
You can offer consumers the choice to delete all or just parts of their PI, with clear instructions.
Deletion obligations:
When you receive a verifiable request, you must:
- Permanently delete the consumer’s PI from your records, which means erasing it from active systems (backups and archives can follow later), de-identifying it, or aggregating it with other data so that it no longer identifies the consumer.
- Notify service providers and contractors to delete the consumer’s PI too.
- Inform all third parties who received the consumer’s PI to delete it, unless it’s truly impossible or would take an excessive amount of effort (in which case you’ll explain why).
Keeping a record:
Your organization is allowed to maintain a confidential record of deletion requests to make sure you don’t sell that PI again and for compliance purposes.
Partners’ role:
Service providers must assist your organization in fulfilling deletion requests, including telling their own partners to delete the data. They aren’t required to directly comply with consumer requests if they only collected the PI as a service provider.
Archived data:
For data stored in archives or backups, you may delay deletion until the archive or backup is restored to an active system or is next accessed or used.
When data can’t be deleted:
There are situations where your organization can retain personal information, even if a consumer requests deletion. These include:
- To complete a transaction or fulfill warranties.
- For security reasons, like preventing fraud.
- To fix errors or “debug” your systems.
- To protect free speech rights.
- To comply with a legal obligation.
- If deleting the data would mess up research.
Denial explanation:
If a deletion request is denied, you must provide a detailed explanation unless a law prohibits it. If denied due to an exception, you still need to delete any parts of the information that aren’t exempt and tell the requestor if you couldn’t verify their identity.
Opt-out check:
If a consumer requests deletion but hasn’t opted out of the sale or sharing of their PI, you must ask if they wish to opt out and provide the relevant notice.
Some exemptions:
Things like student grades, educational test results, and PI used to create physical items (like yearbooks) can be exempt from deletion requests under certain conditions (e.g., if significant costs were already incurred or it’s not commercially reasonable).
5. The right to opt-out of sale or sharing
This right gives consumers the power to tell your organization to stop selling or sharing their personal information.
What your organization needs to do:
The “do not sell or share” link:
Your organization must have a clear link on your website homepage, usually titled “Do Not Sell or Share My Personal Information.” This link should lead consumers to a way to opt out, including allowing for automated “opt-out preference signals.”
Easy ways to opt out:
You need to offer at least two easy ways for consumers to opt out, matching how you usually interact with customers. You cannot require them to create an account or provide unnecessary information to opt out.
No verification needed:
Unlike other rights, you must not verify identity to opt out. However, if you need to apply the opt-out broadly (e.g., to online and offline activities), you might ask for a bit more information.
Stop immediately:
Once you receive an opt-out request, your organization must stop selling or sharing PI unless the consumer later gives you consent again.
Quick action & notifications:
You have 15 business days to stop selling or sharing personal information and to tell any third parties involved.
12-month hold:
After a consumer opts out, your organization is prohibited from selling or sharing their personal information and must wait at least 12 months before requesting further consent.
Global Privacy Control (GPC):
This is a key point: your organization is legally required to recognize universal opt-out signals, like Global Privacy Control (GPC). The California Attorney General has confirmed that GPC signals are valid opt-out requests. In fact, a major retailer, Sephora, faced a $1.2 million settlement in 2022 for failing to process these GPC opt-out requests.
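The GPC requirement and the 12-month hold described above, as an added example that is not from the original article: the browser sends the request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl`), and the server treats that header as an opt-out of sale/sharing that only the consumer can reverse. The preference-record shape and the functions below are constructed for this example.

```javascript
// Added example: honoring a Global Privacy Control (GPC) signal as a CCPA
// opt-out of sale/sharing, and enforcing the 12-month wait before the
// business may ask the consumer to opt back in.
// Per the GPC specification the only meaningful header value is "1";
// a missing header or any other value is not a signal.

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

// True only for a well-formed GPC signal. Header names are matched
// case-insensitively because HTTP header names are case-insensitive.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Applies an incoming request to the consumer's preference record
// (constructed shape: { optedOut, optedOutAt, source }).
// A stored opt-out is never reverted by a later request that lacks the
// signal; only an explicit consumer opt-in (consumerOptsIn) may do that.
function applyRequest(record, headers, nowMs) {
  if (hasGpcSignal(headers) && !record.optedOut) {
    return { optedOut: true, optedOutAt: nowMs, source: "gpc" };
  }
  return record;
}

// May the business ask this consumer to opt back in? Not while the
// 12-month hold that follows an opt-out is still running.
function mayRequestOptIn(record, nowMs) {
  if (!record.optedOut) return true;
  return nowMs - record.optedOutAt >= TWELVE_MONTHS_MS;
}

// Consumer-initiated opt-in through one of the methods the business offers.
function consumerOptsIn(record, nowMs) {
  return { optedOut: false, optedOutAt: null, source: "consumer", optedInAt: nowMs };
}

// Constructed sample request: a browser with GPC enabled.
const sampleHeaders = { "sec-gpc": "1", "user-agent": "example-browser" };
const sampleRecord = applyRequest(
  { optedOut: false, optedOutAt: null, source: null }, sampleHeaders, Date.now());
console.log(sampleRecord.optedOut ? "opt-out recorded from GPC" : "no signal");
```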
Business transfers:
If personal information is transferred during a merger, acquisition, or bankruptcy, the new owner must honor the consumer’s original opt-out choices from the previous business.
Opting back in:
Consumers can always choose to opt back in after opting out, and your organization must provide clear methods for them to do so.
Fraudulent requests:
You can deny opt-out requests you believe are fraudulent, and you’ll need to explain why.
6. The right to data portability
In response to a request for information, your organization must provide the specific pieces of personal information obtained from the consumer in a format that’s easily understandable.
Plus, whenever technically feasible, this information should also be in a structured, commonly used, and machine-readable format. This makes it easier for consumers to share that information with another company if they choose to.
7. No discrimination
Your organization is strictly prohibited from discriminating against consumers for exercising their CCPA rights. This means you can’t deny them services, charge them different prices or rates, or offer them a different quality of goods or services just because they’ve made a request.
While you can offer financial incentives for collecting or selling their data, these incentives must be fair and clearly disclosed, and consumers must have the option to opt-in.
Timelines for response to CCPA consumer requests
Your organization must respond to verifiable consumer requests within 45 days of receipt. The 45-day period begins on the day you receive the request, and the time you spend verifying the consumer’s identity does not extend it. Within 10 business days of receiving a request to delete, correct, or know, you are required to confirm receipt of the request and inform the consumer of how you intend to handle it.
If your organization genuinely requires more time, a one-time extension of an additional 45 days is permissible, but you must notify the consumer about the extension and the reasons for it within the initial 45-day window. Therefore, the absolute maximum response time is 90 days. If you are unable to verify a consumer’s identity within the 45-day period, or the extended 90-day period, you may have to deny the request.
From regulation to reputation
The CCPA and CPRA truly empower consumers with greater control over their personal information. For your organization, embracing these regulations isn’t just about following the law; it’s about building trust and showing that you value customer privacy. By clearly understanding these rights, establishing smooth processes for handling requests, communicating openly, and acting promptly, your organization can navigate the world of data privacy successfully. Staying on top of new rules and best practices will be essential as data privacy continues to evolve.