CCPA DSAR Checklist: Everything You Need Before You Respond
Actionable checklist for handling CCPA consumer requests. Covers intake, verification, search, exceptions, response, and documentation.
Last updated: 2026-02-08
Before Your First CCPA Request Arrives
Use this checklist to make sure your DSAR process is ready. Each item is actionable and specific to handling consumer requests under CCPA/CPRA.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Setup Checklist (Do Once)
- [ ] Designate a request handler. Assign a specific person or team responsible for receiving and processing consumer requests.
- [ ] Create intake channels. Provide at least two methods, one of which must be a toll-free number; the other is typically a web form or email address (e.g., privacy@yourcompany.com). A business that operates exclusively online and has a direct relationship with the consumer need only provide an email address, but if it maintains a website it must also accept requests through that website.
- [ ] Map your data. Document every system that holds personal information: databases, CRM, email marketing, analytics, customer support, cloud storage, email inboxes, spreadsheets. You cannot fulfill a request if you do not know where the data is.
- [ ] Document your verification process. Write down how you will verify identity for account-based requests (existing authentication), non-account requests (match at least two data points against your records), and requests for sensitive data or specific pieces of information (match at least three data points plus a signed declaration under penalty of perjury). Describe this process in your privacy policy.
- [ ] List your exceptions. Review the statutory deletion exceptions (Civ. Code §1798.105(d)) and identify which ones are relevant to your business. Common ones: complying with a legal obligation (tax records), completing the transaction the data was collected for, and detecting security incidents or fraud.
- [ ] Identify third parties. List every service provider, contractor, and third party you share personal information with. You will need to notify them when processing deletion requests.
- [ ] Create response templates. Draft template language for: acknowledgment, right-to-know response, deletion confirmation, partial deletion (exception cited), and refusal. See our DSAR response templates guide.
- [ ] Train your team. Anyone who might receive a consumer request (customer support, sales, reception) should know to escalate it immediately and never ignore it. See our DSAR training guide.
Per-Request Checklist
Use this for every request you receive.
Intake (Day 0)
- [ ] Log the request: date received, requester name, contact method, what they are asking for
- [ ] Determine request type: right to know, right to delete, right to correct, or opt-out
- [ ] Start the 45-day clock. It runs from the day you receive the request, not from the day you finish verifying it
Acknowledge (Within 10 Business Days)
- [ ] Send written acknowledgment confirming receipt
- [ ] Include expected timeline for fulfillment
- [ ] If additional information is needed for verification, request it now
Verify Identity (Days 1-10)
- [ ] Account-based: confirm through existing authentication
- [ ] Non-account, non-sensitive: match at least two data points
- [ ] Non-account, sensitive: match at least three data points + obtain signed declaration
- [ ] Authorized agent: verify agent authorization AND consumer identity
- [ ] Document the verification method used
Search and Assess (Days 10-20)
- [ ] Search all systems for the consumer's personal information
- [ ] For right-to-know: compile categories, specific pieces, sources, purposes, and third-party recipients
- [ ] For deletion: identify all data to be deleted
- [ ] Check whether any exceptions apply to any of the data
- [ ] Document your assessment
Execute (Days 20-35)
- [ ] For right-to-know: prepare the response in a portable, readily usable format
- [ ] For deletion: delete from all active systems
- [ ] For deletion: notify service providers and contractors to delete
- [ ] For deletion: notify third parties to delete
- [ ] For correction: make the correction or document why the data is accurate
- [ ] For opt-out: stop selling/sharing within 15 business days
- [ ] Verify execution in each system
Respond (By Day 45)
- [ ] Send written response to the consumer
- [ ] For right-to-know: include all required categories and data
- [ ] For deletion: confirm what was deleted, which parties were notified, and any data retained (with exception cited)
- [ ] For correction: confirm what was corrected
- [ ] For refusal: explain reason, cite specific exception
- [ ] Do NOT disclose specific pieces that create a substantial risk if misdirected: SSNs, driver's license or other government ID numbers, financial account numbers, health insurance or medical ID numbers, account passwords, or security questions and answers. Tell the consumer that you collect that type of information without disclosing the value itself
Document (Day 45+)
- [ ] File the complete request record: request, verification, assessment, actions, response
- [ ] Retain records for at least 24 months (CCPA requirement)
- [ ] If you used the one permitted extension (an additional 45 days, giving 90 in total), confirm and record that you notified the consumer of the extension and the reason within the first 45 days
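The clocks in the per-request checklist mix business days (10 for acknowledgment, 15 for opt-outs) with calendar days (45 to respond, one 45-day extension), and the verification tiers gate which requests may be fulfilled at all. The tracker below encodes both so a handler cannot misread a deadline or skip a tier. It is an added example, not part of this checklist and not any vendor's product; it assumes a business day is Monday to Friday minus whatever holidays you pass in (no holiday calendar is bundled), and every class and function name in it is hypothetical.

```python
"""Deadline tracking and verification gating for the per-request checklist.

Added example, not part of the checklist and not anyone's product code.
Assumptions: a "business day" is Monday-Friday minus any dates you pass in
`holidays` (no holiday calendar is bundled); all names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Union


class RequestType(Enum):
    KNOW = "right to know"
    DELETE = "right to delete"
    CORRECT = "right to correct"
    OPT_OUT = "opt-out of sale/sharing"


class VerifyLevel(Enum):
    ACCOUNT = "account-based"             # existing login
    NON_ACCOUNT = "non-account"           # at least two matching data points
    SENSITIVE = "non-account, sensitive"  # at least three points + signed declaration


def _as_date(value: Union[date, str]) -> date:
    """Accept ISO strings as well as dates so a request log can store strings."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start: Union[date, str], days: int, holidays=frozenset()) -> date:
    """Date `days` business days after `start`; the receipt day itself is not counted."""
    current = _as_date(start)
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            days -= 1
    return current


def deadlines(received: Union[date, str], request_type: RequestType, holidays=frozenset()) -> dict:
    """Statutory clocks from the checklist, keyed by checklist step, as ISO dates."""
    received = _as_date(received)
    out = {
        "acknowledge_by": add_business_days(received, 10, holidays).isoformat(),  # 10 business days
        "respond_by": (received + timedelta(days=45)).isoformat(),               # 45 calendar days
        "extended_respond_by": (received + timedelta(days=90)).isoformat(),      # one 45-day extension
    }
    if request_type is RequestType.OPT_OUT:
        out["stop_selling_by"] = add_business_days(received, 15, holidays).isoformat()  # 15 business days
    return out


def extension_is_valid(received, notice_sent) -> bool:
    """The single 45-day extension only counts if the consumer was told within the first 45 days."""
    received, notice_sent = _as_date(received), _as_date(notice_sent)
    return received <= notice_sent <= received + timedelta(days=45)


@dataclass(frozen=True)
class Evidence:
    authenticated: bool = False        # requester signed in to the existing account
    matched_points: int = 0            # data points matched against your records
    declaration_signed: bool = False   # signed declaration that the requester is the consumer
    via_agent: bool = False            # submitted by an authorized agent
    agent_authorized: bool = False     # agent's authority (e.g. signed permission) checked


def verification_passes(level: VerifyLevel, ev: Evidence) -> tuple:
    """Return (verified, reason). Agent requests need BOTH agent authority AND consumer identity."""
    if ev.via_agent and not ev.agent_authorized:
        return False, "authorized agent: agent authorization not established"
    if level is VerifyLevel.ACCOUNT:
        ok, reason = ev.authenticated, "existing account authentication"
    elif level is VerifyLevel.NON_ACCOUNT:
        ok, reason = ev.matched_points >= 2, f"{ev.matched_points} data points matched (need 2)"
    else:
        ok = ev.matched_points >= 3 and ev.declaration_signed
        reason = (f"{ev.matched_points} data points matched (need 3), "
                  f"declaration {'signed' if ev.declaration_signed else 'missing'}")
    if ev.via_agent:
        reason = "agent authorization verified; " + reason
    return ok, reason


if __name__ == "__main__":
    # Constructed sample request: received on a Sunday, opt-out type, no holidays loaded.
    for step, due in deadlines("2026-02-08", RequestType.OPT_OUT).items():
        print(f"{step}: {due}")
    print(verification_passes(VerifyLevel.SENSITIVE, Evidence(matched_points=3)))
```

Load your own holiday set into `holidays` before trusting the business-day dates, and log the `reason` string from `verification_passes` in the request record so the verification method used is documented alongside the outcome.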
Red Flags to Watch For
- Request from someone who cannot be verified — do not fulfill unverified requests, but do not ignore them either. Ask for additional verification, and if identity still cannot be established, tell the requester that you could not verify them and will not act on the request.
- Request covering data you do not have — respond confirming you do not hold personal information about the requester.
- Requests used to obtain someone else's data — this is why verification matters. Never disclose data to an unverified requester.
Related Guides
- CCPA DSARs: Right-to-Know and Right-to-Delete — the four request types explained
- CCPA DSAR Process — operational workflow
- DSAR Identity Verification — verification methods in detail
- Building a DSAR Workflow — workflow design for any framework