To handle data requests in accordance with the California Consumer Privacy Act (CCPA), your business needs clear internal procedures, verified request channels, and documented proof that it has complied with the 45-day response deadline.
The CCPA gives California residents five enforceable consumer rights, and your business must be able to receive, verify, track, and respond to those requests. This article will guide you through the five rights California residents can exercise and how your business can verify residency, which is required before you process any request.
We'll also look at how to build "Right to Know" and "Right to Delete" request portals, what the "Do Not Sell" requirement really means, how to handle Global Privacy Control (GPC) signals, and practical ways to meet the 45-day deadline.
- 1. Consumer Rights Under the CCPA
- 1.1. Five core consumer rights to uphold
- 1.2. Important requirement: Do not discriminate
- 1.3. New requirement: Honor Global Privacy Control (GPC) browser signals
- 2. Does the CCPA apply to all businesses?
- 3. How Your Business Can Handle CCPA Data Requests
- 3.1. Step 1: Set up "Right to Know" and "Right to Delete" request portals
- 3.1.1. Example privacy center: Pacific Gas & Electric Company (PG&E)
- 3.2. Step 2: Verify Identity and California Residency
- 3.2.1. Levels of identity verification
- 3.2.2. Verifying residency
- 3.3. Step 3: Formulate Your Response
- 3.3.1. 1. Template for Responding to Right to Know (Access) Requests
- 3.3.2. 2. Template for Responding to Right to Delete Requests
- 3.3.3. 3. Template for Responding to Right to Correct Requests
- 3.3.4. 4. Template for Responding to Opt-Out Requests ("Do Not Sell or Share")
- 3.3.5. 5. Responding to Requests to Limit the Use of Sensitive Personal Information
- 3.4. Step 4: Track Your Responses
- 4. Conclusion
Consumer Rights Under the CCPA
California residents have five core rights over their data under the CCPA and California Privacy Rights Act (CPRA). The CPRA is an additional set of laws that came into effect in January 2023 that strengthen the CCPA, but do not replace it. As shown below in a comment from the Office of the California Attorney General, they are usually collectively referred to as the CCPA, which is what we will do in this article.
Five core consumer rights to uphold
If your business targets California residents, you must provide a way to let consumers exercise each of these rights. This applies wherever in the country or the world your business is based, if it meets certain criteria.
The California Consumer Privacy Act (CCPA) gives every California resident five core rights that your business must be ready to support. Each right creates a corresponding business action that your business must act on through a clear, documented workflow.
Practically, this means your company needs systems to accept requests, verify identity, locate personal information, take the required action, and document your response. These steps apply to every category of CCPA request.
The table below describes each right and the operational tasks your business must carry out.
| Right | Description | Business Action Required |
| Right to Access (Right to Know) | Consumers may make a verifiable consumer request (VCR) to learn what personal information you hold about them, where it came from, why you collected it, and which third parties received it. | Maintain a data inventory; provide at least two intake methods; verify identity; search all systems; prepare and send a full response within 45 days; document the request and your response. |
| Right to Delete | Consumers may request deletion of their personal information unless a legal exception requires you to keep it. You must also instruct your service providers to delete that data. | Build a deletion workflow; identify legal exemptions; delete data across systems; notify service providers; notify the user within 45 days; log the deletion and actions taken. |
| Right to Correct | Consumers may ask you to correct inaccurate personal information. This requires assessing the data and updating your records accordingly. | Create a correction workflow; verify identity; evaluate accuracy; update systems; confirm to the user within 45 days; document completion. |
| Right to Opt Out of Selling or Sharing | Consumers can direct you to stop selling or sharing their personal information, including via browser signals such as Global Privacy Control (GPC). | Display a "Do Not Sell or Share" link; honor GPC automatically; adjust downstream data flows; stop selling/sharing upon request; notify the user within 45 days; document your actions. |
| Right to Limit Use of Sensitive Personal Information | Consumers can restrict how you use sensitive personal information (such as geolocation, financial data, or genetic data). | Identify where sensitive data is collected; provide a "Limit the Use of My Sensitive Personal Information" link; update internal rules; update your Privacy Policy; notify the user within 45 days; document request handling. |
Keep reading to see how to implement these processes in the real world.
Important requirement: Do not discriminate
Under the CCPA, businesses must follow through on legitimate data requests without discrimination. They are also prohibited from retaliating against customers who exercise their rights.
As Apple's Privacy Policy points out below, this means that exercising your rights will not affect the degree of service you receive from the company. Including a similar statement and following through with actions that match could also protect your business from allegations of CCPA-violating discrimination.
New requirement: Honor Global Privacy Control (GPC) browser signals
Since January 1, 2023, businesses that sell or share the data of California residents have been required to accept Global Privacy Control (GPC) browser signals as "a valid consumer request to stop the sale or sharing of personal information," as stated by the California Attorney General's Office below.
Enforcement actions show that ignoring GPC is not a theoretical risk. In a widely cited CCPA case, a major retailer agreed to pay a monetary penalty and accept injunctive terms after the California Attorney General alleged that its website failed to detect and honor GPC opt‑out signals and did not clearly disclose that it "sold" personal information.
Under the CCPA/CPRA, the sale of personal data is a broad concept that includes any communication of a user's personal data to a third party for valuable consideration. This means you don't necessarily have to be paid for it; you just have to receive something in return.
An important point for businesses is that this also includes cross-context behavioral advertising (CCBA), which is considered a sale, not just a share.
The GPC is a browser setting or extension that users can activate that automatically sends a signal to websites to stop selling or sharing the user's personal information. As mentioned below, the goal is to make it as easy as possible for users to exercise their privacy rights.
To implement this successfully, your business must:
- Ensure your consent management platform (CMP) is set up to follow through on GPC browser signals and block relevant scripts, tags, and cookies
- Adjust settings on your marketing systems and with third-party services, such as Google Ads and Meta Ads, to ensure GPC signals are honored
- Update your Privacy Policy to reflect how you honor GPC signals
Having these systems in place ensures your business is ready to respond to "Do Not Sell or Share" requests.
Does the CCPA apply to all businesses?
No, it only applies to businesses that target California residents and meet one or more of the following criteria, as emphasized below by the California Attorney General's Office:
- Gross revenue of more than $25 million
- Buy, sell, or share the personal data of over 100,000 individuals or households in California
- Generate 50% or more of their annual income through the sale of California residents' personal data
It's important to note that the revenue requirement refers to your entire business, not just business conducted in California.
Some businesses that do not qualify voluntarily certify to the California Privacy Protection Agency that they comply with the CCPA.
For businesses operating in multiple U.S. states, a well‑designed CCPA request workflow can often be extended to cover similar rights under other privacy laws (such as Virginia or Colorado), with state‑specific adjustments.
How Your Business Can Handle CCPA Data Requests
To handle CCPA requests correctly, your business needs a simple four‑step workflow: request intake, identity and residency verification, a structured response template, and centralized tracking.
The following steps can help you put an organized workflow in place to ensure your business acts on California residents' requests in a timely and comprehensive manner.
Step 1: Set up "Right to Know" and "Right to Delete" request portals
Step 1 is to make it obvious and easy for California consumers to find where and how to submit a CCPA request on your website.
To understand users' expectations around submitting data requests, consider the California Privacy Protection Agency (CPPA) guidance on how to submit a privacy request. Residents are told to locate the business's Privacy Policy and follow the instructions. So start by making your Privacy Policy easy to find: at the top or bottom of your homepage, as mentioned, is usually effective.
Next, you need to provide an easy way for them to submit their "Right to Know" and "Right to Delete" requests.
Under the CCPA, businesses must usually offer at least two ways of submitting requests. If you have a website, you must offer a web form submission option and either an email address or a paper copy method. If you are an online-only business, an email address fulfills your CCPA requirements, but may not be as user-friendly as a web form.
Your web form should include:
- The types of requests a consumer can submit
- How to verify identity and California residency
- The 45-day expected response time
- How to use an authorized agent
- What data cannot be deleted (e.g., legal compliance, security obligations)
Completing a data request should be a frictionless process for the user. Make the UI as easy to use as possible with drop-downs for request types, upload fields for verification documents, and a clear confirmation message at the end of the process.
Also, consider including a visible way consumers can track the status of their requests, such as a web dashboard.
Example privacy center: Pacific Gas & Electric Company (PG&E)
As shown below, PG&E has designed a simple yet compliant Privacy Center that makes it easy for California customers to submit data requests. It manages expectations with a simple line at the outset, stating that requests will be fulfilled within 45 days.
It then uses a series of simple inputs, first identifying who is submitting the request:
It then moves on to the request type:
Then it is ready to fulfill the next step – ensuring the person making the request has the legal right to do so.
Step 2: Verify Identity and California Residency
Businesses have an obligation to verify the identity and California residency of the person making the data request.
However, as the CPPA mentions below, they may only ask for the information needed to check that you are who you say you are and that you are a California resident. But if you go beyond what's needed, the consumer has the right to file a complaint.
You may only use this information for verification purposes and may not retain it for any other use.
Levels of identity verification
The level of identity verification required will depend on what the user wants to know. If they just want to know the categories of data you require, email verification may be enough.
But if they want to know specific personal information, such as their home address or transaction history, you may require stronger evidence, such as a government-issued ID. The same standard would apply to deletion requests.
Verifying residency
The CCPA only applies to California residents. It does not explicitly state how you must verify this, but requires you to take reasonable steps to do so.
Reasonable ways to verify residency could include:
- Asking a simple yes/no question: Are you a California resident?
- Requesting verification documentation, such as a government-issued ID card
What you cannot do is only allow requests from users who are physically present in California, such as by checking their IP address. Even when a California resident is temporarily out of state, they still have the same rights under the CCPA, wherever they make the request from.
If you do require additional verification documentation, remember that this is also subject to the CCPA. It would be best to immediately delete this data once it has served its purpose.
Step 3: Formulate Your Response
Once you have verified the requestor, searched your systems, and located data to fulfill their request, you are now ready to respond. Although the normal deadline for this is 45 days, this can be extended by 45 days if you notify the customer and explain the reason for the delay.
In addition to the 45‑day deadline, your business should confirm receipt of a verifiable consumer request within 10 business days and explain how you will process it (including your verification steps and when the consumer should expect a full response).
This 10‑day acknowledgment is emphasized in multiple CCPA/CPRA practice guides and helps demonstrate good‑faith compliance if your handling is later reviewed by regulators or courts.
Each request type should have its own response template. This will speed up processing time and also ensure a consistent, non-discriminatory outcome for consumers. Each template should include:
- Unique reference number
- Statement of rights under CCPA
- Details of how you fulfilled the request, or reasons why you were unable to fulfill it.
- Contact information in case the requester wishes to follow up
The following checklist outlines the granular details you must include on templates to fulfill each type of request.
1. Template for Responding to Right to Know (Access) Requests
Access requests fall into two categories:
- Category-level disclosures
- Specific information disclosures
Therefore, your template should disclose:
- Categories of personal information collected
- Sources of information
- Business purposes for collection
- Categories of third parties you share data with
- Whether the business sells or shares personal information
- Specific pieces of personal information (if requested and verified)
2. Template for Responding to Right to Delete Requests
Therefore, a regular right to delete confirmation template would include:
- Confirmation that the deletion request was fulfilled
- Method of deletion used
- Confirmation that third-party service providers also followed through on the deletion request
- Retention information about the deletion request
You must delete personal information unless an exception applies, such as:
- Legal compliance (e.g., tax records)
- Security and fraud prevention
- Completing a transaction
- Debugging errors
- Internal uses aligned with consumer expectations
As the Office of the California Attorney General shows below, certain types of information are exempt from the CCPA. If you deny the request, you must explain which legal exception applies.
3. Template for Responding to Right to Correct Requests
This right requires you to take reasonable steps to correct inaccurate information upon request. You may need to ask the consumer for clarification or documentation, and review internal records to confirm which information is incorrect.
Your response template could include:
- A summary of the information the consumer wishes to correct
- A statement requesting supporting documentation (if needed)
- Confirmation that the correction has been completed, or an explanation if the correction could not be made
- Notification that service providers have been informed (where relevant)
- A reminder that the consumer may contact you if they believe further updates are needed
You should only deny a correction request when:
- You cannot verify the consumer's identity
- You cannot reasonably conclude that the corrected information is accurate
- The information is already accurate
- The consumer requests changes that conflict with legal requirements
In practice, right-to-correct requests appear to be the least common data requests. For example, in 2024, Amazon did not receive a single request to correct information. By contrast, it received around 944,000 data access requests and 14.9 million deletion requests.
However, no business can afford to be complacent, and it's essential to have robust response mechanisms in place for all request types.
4. Template for Responding to Opt-Out Requests ("Do Not Sell or Share")
Under the latest version of the CCPA, "selling" means disclosing personal information to a third party for valuable consideration, which includes benefits other than money. The law defines selling and sharing broadly to include any disclosure of personal information to a third party for the third party's benefit, even when no payment is involved.
California consumers can tell you at any time to stop selling or sharing their personal information.
This requires you to immediately:
- Stop the transfer of identifiers to ad and analytics partners
- Add the consumer to your internal opt-out list
- Communicate the opt-out decision to relevant service providers
As illustrated by the Los Angeles Times subscription example below, activities such as cross-context behavioral advertising, including interest-based ads, retargeting, and third-party tracking, can qualify as selling or sharing. Consumers must be able to opt out of these practices.
Therefore, your opt-out confirmation template should include:
- A clear acknowledgment that the consumer has opted out of selling or sharing their personal information
- The effective date of the opt-out
- A statement confirming that all selling and sharing activities associated with that consumer have stopped
- Confirmation that the opt-out signal has been communicated to service providers where required
- A brief explanation of how the opt-out may affect personalized content or advertising
- A reminder that the consumer can opt back in at any time
Opt-out requirements apply whether the consumer uses:
- A manual "Do Not Sell or Share My Personal Information" link
- Their account privacy settings
- A browser-based Global Privacy Control (GPC) signal
If the consumer is verified and their request is clear, you cannot deny an opt-out request.
5. Responding to Requests to Limit the Use of Sensitive Personal Information
Consumers may request that your business limit its use of their sensitive personal information (SPI) to specific permitted purposes under the CCPA. These permitted uses include security, fraud prevention, and short-term transient uses.
Therefore, your response template for limit-use requests should include:
- A statement confirming that your business will now use SPI only for permitted purposes
- A summary of what types of SPI your business holds (if relevant and appropriate to disclose)
- Confirmation that service providers handling SPI have been notified of the limitation
- A brief explanation of how limiting SPI use may affect personalized services
Businesses may deny limit-use requests only when:
- The request cannot be verified, or
- The business does not collect SPI in a way that triggers CCPA's limitation obligations.
The screenshot below from the Privacy Notice for US State Residents of 23andMe, a direct-to-consumer genetic testing company that handles large amounts of SPI, demonstrates how to clearly explain CCPA requirements to customers. This can help manage expectations around how SPI can be lawfully used.
Step 4: Track Your Responses
Under the CCPA, the 45-day deadline is non-negotiable. Within 45 days of receiving the request, you must have done one of the following:
- Fulfilled the request and responded to the user
- Written to explain why you are unable to fulfill the request
- Notified the customer that you need an extension of up to 45 days to fulfill the request
To meet the deadline and demonstrate a clear audit trail to regulators, you need a centralized tracking system. It should record:
- Request type
- Date received
- Date verification completed
- Data searched
- Date response sent
- Whether a deadline extension was used, and if so, why
- Whether the data was deleted, corrected, or exported
- Communications with service providers
For small businesses, a simple spreadsheet may suffice. But if you're a larger company managing multiple requests with differing deadlines, it makes sense to use a data rights management tool. You can configure it to meet your obligations under the CCPA and other data privacy laws and provide reminders.
Remember, even if you fulfill a data request, a late reply to the user counts as noncompliance, so it is not worth taking the risk.
Finally, as shown below in the CCPA, your company must securely retain these records for a minimum of 24 months.
For higher-risk or larger businesses, CPRA-era regulations increasingly expect data rights handling to be connected to broader governance measures such as privacy risk assessments, cybersecurity audits, and controls over automated decision-making tools.
Recent 2025 compliance guides note that organizations engaged in extensive profiling, targeted advertising, or large-scale processing of sensitive personal information may be required to document risk assessments and show how consumer requests feed into those reviews.
Conclusion
Handling California data requests doesn't have to be daunting. Your business needs to put in place operational systems to honor the five key CCPA rights.
Set up a user-friendly system for consumers to submit requests. Make identity and residency verification simple, then follow through on the request within 45 days, using a robust template that doesn't miss anything out.
Also, ensure that your business meets the new requirement to honor GPC signals, and do not forget to work with third-party service providers to ensure they also meet this obligation. With a clear request portal, strong verification processes, structured response templates, and a reliable tracking system, your business can comply with the CCPA, avoiding regulatory penalties and building consumer confidence.
The first step to compliance: A Privacy Policy.
Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.