DSAR Requirements in California (CCPA/CPRA)
California DSAR requirements: consumer rights, response deadlines, identity verification, and penalties under CCPA/CPRA.
Last updated: 2026-02-08
Consumer Rights That Trigger DSARs
California consumers can submit requests to:
- Access all personal information collected about them (at least 12 months; longer for data collected after January 1, 2022)
- Correct inaccurate personal information
- Delete personal information collected from them
- Port their data in a machine-readable format
- Opt out of the sale or sharing of personal information
- Limit the use of sensitive personal information
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
45 calendar days from receipt. You can extend by an additional 45 days if reasonably necessary — but you must notify the consumer of the extension and the reason within the initial 45-day window.
Identity Verification
Required before fulfilling any request. CCPA requires you to verify the consumer's identity to a reasonable degree of certainty. For access and deletion requests involving sensitive data, verification must be to a reasonably high degree of certainty. The law does not prescribe a specific method.
Penalties
- $2,500 per unintentional violation
- $7,500 per intentional violation
- No cap on total penalties
- No cure period — the CPRA removed the 30-day cure period that existed under the original CCPA
- Private right of action for data breaches: $100–$750 per consumer per incident
Enforced by the California Privacy Protection Agency (CPPA) and the Attorney General.
DSAR-Specific Exemptions
You may decline or limit a request when the data is needed to:
- Complete a transaction the consumer requested
- Detect security incidents or protect against fraud
- Comply with a legal obligation
- Exercise or defend legal claims
Who This Applies To
For-profit businesses meeting any one of: $26.625M+ annual revenue, 100K+ California consumers' data processed, or 50%+ revenue from selling/sharing personal data.
For the full California privacy law guide, see boringgovernance.com.