CCPA DSARs: How to Handle Right-to-Know and Right-to-Delete Requests
Step-by-step guide to processing CCPA consumer requests: right to know, right to delete, right to correct, and right to opt out. Deadlines, verification, and exceptions.
Last updated: 2026-02-08
CCPA Consumer Requests: The Four Types
Under the CCPA/CPRA (Cal. Civ. Code §§ 1798.100-1798.199.100), California consumers can make four types of data subject requests. Each has different processing requirements.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
1. Right to Know (Access)
The consumer asks: "What personal information do you have about me?"
You must disclose the categories of personal information collected, the specific pieces collected, the sources, business purposes, and third-party recipients. Scope covers the preceding 12 months.
2. Right to Delete
The consumer asks: "Delete my personal information."
Delete the information from your records and direct service providers, contractors, and third parties to delete it as well. See our US deletion requests guide for the full process.
3. Right to Correct (CPRA)
The consumer asks: "This information about me is wrong. Fix it."
Use commercially reasonable efforts to correct inaccurate personal information.
4. Right to Opt Out of Sale/Sharing
Stop selling or sharing the consumer's data within 15 business days.
Processing Timeline
| Milestone | Deadline | Notes |
|---|---|---|
| Acknowledge receipt | 10 business days | Confirm you received the request |
| Fulfill request | 45 calendar days | From date of receipt |
| Extension (if needed) | +45 calendar days | Must notify consumer within first 45 days |
| Opt-out requests | 15 business days | To stop selling/sharing |
Verification Requirements
CCPA regulations (11 CCR §§ 7060-7064) prescribe specific standards:
- Account-based requests: Existing account authentication is sufficient
- Non-account, non-sensitive data: Match at least two data points ("reasonable degree of certainty")
- Non-account, sensitive data or specific pieces: Match at least three data points plus a signed declaration under penalty of perjury ("reasonably high degree of certainty")
- Authorized agents: Verify both the agent's authorization and the consumer's identity
See our DSAR identity verification guide for detail.
Exceptions to Deletion
You can refuse deletion if the data is necessary to:
- Complete a transaction or provide a requested service
- Detect security incidents or protect against fraud
- Debug errors
- Exercise free speech or another legal right
- Comply with the California Electronic Communications Privacy Act
- Engage in public-interest research (with consumer opt-in)
- Enable internal uses aligned with consumer expectations
- Comply with a legal obligation
- Use internally in a manner compatible with the original context
Document which exception applies to which specific data.
Responding to Each Request Type
Right-to-Know: Provide categories and specific data in a portable, readily usable format. Do not disclose SSNs, financial account numbers, or passwords.
Deletion: Confirm what was deleted, which third parties were notified, and any data retained with the specific exception cited.
Correction: Confirm what was corrected, or explain why the data was determined to be accurate.
Opt-Out: Confirm that selling/sharing has stopped and when the change took effect.
Do Not Retaliate
CCPA § 1798.125 prohibits discriminating against consumers who exercise their rights — no denying service, charging different prices, or providing different quality.
Request Channels
Provide at least two methods: a toll-free number and a website address (form or email). Online-only businesses can use the website method alone.