CCPA DSAR Process: A Guide for California Compliance

How to handle CCPA data subject access requests (DSARs) including verification, response timelines, and what information you must disclose.

Last updated: 2026-02-07

A DSAR -- Data Subject Access Request -- is what happens when a California consumer exercises their rights under the CCPA. They ask you for information about their data, they ask you to delete it, or they ask you to stop selling it.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.

If you're covered by the CCPA, handling these requests isn't optional. And handling them poorly -- missing deadlines, failing to verify identity, providing incomplete responses -- can result in enforcement action and fines.

This guide walks through the entire CCPA DSAR process from the moment a request lands in your inbox to the moment you close it out. If you need a broader understanding of the law itself, start with our Complete Guide to CCPA Compliance.

What Is a DSAR Under CCPA?

Under the CCPA, California residents have the right to submit "verifiable consumer requests." In the privacy world, these are commonly called DSARs, borrowing the term from GDPR. The concept is the same: a person asking a business to do something with their personal data.

If you're not sure what a DSAR is more broadly, our What Is a DSAR? article covers the fundamentals.

Under CCPA, consumers can make the following types of requests:

  • Right to Know (categories) (Cal. Civ. Code §§ 1798.110, 1798.115): "Tell me what types of data you've collected about me, where you got it, why you collected it, and who you've shared it with or sold it to."
  • Right to Know (specific pieces) (Cal. Civ. Code § 1798.110): "Give me the actual data you have on me."
  • Right to Delete (Cal. Civ. Code § 1798.105): "Delete my personal information."
  • Right to Correct (Cal. Civ. Code § 1798.106, added by the CPRA): "Fix inaccurate personal information you have about me."
  • Right to Opt Out of Sale/Sharing (Cal. Civ. Code § 1798.120): "Stop selling or sharing my personal information."
  • Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code § 1798.121, added by the CPRA): "Only use my sensitive data for purposes that are necessary to provide the service."

Each type has different verification requirements, different response obligations, and different nuances. Let's walk through the process for handling all of them.

Step 1: Receiving Requests

Designated Request Channels

You must provide consumers with at least two designated methods for submitting requests (Cal. Civ. Code § 1798.130(a)(1)). At a minimum:

  1. A toll-free phone number. Yes, a real phone number with a real human (or at least a real voicemail box that gets checked).
  2. A web-based method. If you maintain a website, this must include an interactive web form; an email address can be offered alongside it.

The one exception: a business that operates exclusively online and has a direct relationship with the consumer it collects data from is only required to provide an email address. For most businesses, provide all three:

  • Web form (your primary intake method -- structured data makes processing easier)
  • Email address (e.g., privacy@yourbusiness.com)
  • Toll-free phone number (for consumers who prefer it)

What to Capture at Intake

Your intake method should collect enough information to identify the consumer and process their request:

  • Full name
  • Email address associated with their account or transactions
  • Type of request (know, delete, opt out, correct, limit use)
  • Any additional identifying information you need to locate their data (order numbers, account IDs)
  • Date the request was submitted

Keep the form simple. Every additional field you require increases friction and makes it harder for consumers to exercise their rights, which is something regulators look unfavorably on.

Logging the Request

The moment a request comes in, log it. Your tracking system should record:

  • Date received (this starts the 45-day clock)
  • Request type
  • Consumer's identity information
  • Request status (received, under verification, processing, completed, denied)
  • All communications with the consumer
  • Completion date
  • Outcome

You're required to maintain these records for at least 24 months (11 CCR § 7101). If your business buys, receives, sells, or shares the personal information of 10,000,000 or more consumers in a calendar year, you must also compile and publish DSAR metrics (number of requests received, complied with in whole or in part, and denied, plus the median or mean number of days to substantively respond).

Step 2: Verifying Consumer Identity

Identity verification is where CCPA DSARs get tricky. You need to confirm the person making the request is who they claim to be, without being so burdensome that you discourage legitimate requests.

The verification standard depends on the type of request:

Verification for "Right to Know" (Categories)

Standard: Reasonable degree of certainty

You must match at least two data points provided by the consumer against information you already have in your records. Examples:

  • Name + email address
  • Name + purchase history
  • Email address + account number

If you can match two points, you're generally good.

Verification for "Right to Know" (Specific Pieces)

Standard: Reasonably high degree of certainty

Because you're disclosing actual data (not just categories), the bar is higher. You must:

  1. Match at least three data points against your records
  2. Obtain a signed declaration under penalty of perjury that the requestor is the consumer whose data is being requested

The declaration doesn't need to be notarized. A statement like "I declare under penalty of perjury under the laws of the State of California that the information above is true and correct" with the consumer's signature (electronic is fine) is sufficient.

Verification for Deletion Requests

Standard: Reasonable degree of certainty

The regulations scale this one with risk. For low-sensitivity data, match at least two data points, as for "right to know (categories)". Where the data is sensitive or a wrongful deletion would harm the consumer (account records, transaction history someone might want erased before a dispute), apply the reasonably high standard instead: three data points plus a declaration under penalty of perjury.

Verification for Opt-Out Requests

Standard: Minimal

You don't need to verify identity for opt-out requests beyond what's necessary to match the request to the consumer's data. If someone clicks your "Do Not Sell or Share" link and provides their email address, that's generally sufficient. You may refuse an opt-out only if you have a good-faith, reasonable, and documented belief that the request is fraudulent, and you must tell the requester why.

Verification for Correction Requests

Standard: Reasonable degree of certainty

Same two-point matching as deletion requests (scaled up to three points plus a declaration when the data is sensitive), but you should also ask the consumer to provide documentation supporting the correction when it's relevant and available.

What If You Can't Verify?

If you can't verify the consumer's identity, you can deny the request -- but you must:

  • Inform the consumer that you could not verify their identity
  • Explain what information was missing or didn't match
  • Give them the opportunity to provide additional verification information

You cannot simply ignore unverified requests. Respond, explain, and give the consumer a path forward.

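One way to apply the per-request-type thresholds from the sections above, and to produce the "what didn't match" explanation required when verification fails. This is an added example, not code from the original article or from any vendor. The field names, the record layout, and the one-point threshold for opt-out and limit-use requests are assumptions; the two-point and three-point thresholds and the declaration requirement follow 11 CCR § 7062.

```python
"""Added example: request-type-aware identity verification for CCPA DSARs.

Thresholds follow 11 CCR 7062: two matching data points for a reasonable
degree of certainty (categories, deletion, correction), three plus a
signed declaration under penalty of perjury for a reasonably high degree
of certainty (specific pieces). Field names, record layout and the
one-point threshold for opt-out/limit-use are assumptions.
"""
import re
from dataclasses import dataclass, field

REQUIRED_MATCHES = {
    "know_categories": 2,
    "delete": 2,
    "correct": 2,
    "know_specific": 3,
    "opt_out": 1,      # only enough to locate the consumer's record (assumption)
    "limit_use": 1,
}
REQUIRES_DECLARATION = {"know_specific"}


@dataclass
class VerificationResult:
    verified: bool
    matched: list = field(default_factory=list)
    unmatched: list = field(default_factory=list)
    reason: str = ""


def normalize(field_name, value):
    """Canonicalise a data point so formatting differences (case, spacing,
    phone punctuation) do not fail a legitimate requester."""
    if value is None:
        return None
    v = str(value).strip().lower()
    if field_name == "phone":
        v = re.sub(r"\D", "", v)[-10:]   # compare on the national number
    else:
        v = re.sub(r"\s+", " ", v)
    return v


def verify_request(request_type, provided, record, declaration_signed=False):
    """Compare the data points the consumer supplied against the business's
    own record. Reports which field names matched and which did not, so the
    consumer can be told what to fix without revealing the values on file."""
    required = REQUIRED_MATCHES[request_type]
    matched, unmatched = [], []
    for name, value in provided.items():
        on_file = normalize(name, record.get(name))
        # A field absent from the record never matches, even if both are empty.
        if on_file is not None and on_file == normalize(name, value):
            matched.append(name)
        else:
            unmatched.append(name)

    if len(matched) < required:
        return VerificationResult(
            False, matched, unmatched,
            f"{required} matching data points required, {len(matched)} matched; "
            f"unmatched: {', '.join(unmatched) or 'none'}")
    if request_type in REQUIRES_DECLARATION and not declaration_signed:
        return VerificationResult(
            False, matched, unmatched,
            "signed declaration under penalty of perjury required")
    return VerificationResult(True, matched, unmatched, "verified")


# Constructed sample record and submission, not real data.
RECORD = {"name": "Jane Doe", "email": "jane@example.com",
          "phone": "+1 (415) 555-0100", "last_order_id": "ORD-1001"}
SUBMISSION = {"name": "jane  doe", "email": "JANE@example.com",
              "phone": "415-555-0100"}

if __name__ == "__main__":
    print(verify_request("know_categories", SUBMISSION, RECORD))
    print(verify_request("know_specific", SUBMISSION, RECORD))
    print(verify_request("know_specific", SUBMISSION, RECORD, declaration_signed=True))
```

The reason string names the fields that failed, never the expected values; echoing the value on file would turn the verification step into an oracle for anyone probing with a stolen name and email.
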
Authorized Agents

Consumers can designate an authorized agent to submit requests on their behalf. When this happens, you can:

  1. Require the consumer to verify their own identity directly with you
  2. Require proof that the agent is authorized (a signed permission from the consumer, or evidence that the agent has power of attorney)

The one exception: if the agent provides a power of attorney that complies with California Probate Code sections 4121 to 4130, you cannot require the consumer to verify separately.

Step 3: Processing the Request

Once you've verified identity, it's time to do the actual work. What that means depends on the request type.

Processing "Right to Know" Requests

For category-level requests, you must disclose:

  1. Categories of personal information collected in the preceding 12 months
  2. Categories of sources from which the personal information was collected
  3. The business or commercial purpose for collecting or selling the personal information
  4. Categories of third parties with whom you share the personal information
  5. Categories of personal information sold (if applicable) and the categories of third parties to whom it was sold
  6. Categories of personal information disclosed for a business purpose and the categories of recipients

For specific-pieces requests, you must provide all of the above plus the actual personal information you have about the consumer. Deliver this in a portable, readily usable format (commonly JSON or CSV, though a well-organized PDF works too).

Important limits:

  • You only need to disclose information from the preceding 12 months by default. Under the CPRA a consumer may ask for information collected on or after January 1, 2022 going back further than 12 months, and you must provide it unless doing so proves impossible or would involve disproportionate effort.
  • You must not disclose Social Security numbers, driver's license or other government-issued identification numbers, financial account numbers, health insurance or medical identification numbers, account passwords, security questions and answers, or unique biometric data in specific-pieces responses (11 CCR § 7024(d)). Instead tell the consumer, with enough particularity, that you hold that type of data (for example, "we hold a fingerprint scan") without sending the data itself.
  • A consumer can make a "right to know" request only twice in a 12-month period

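The masking step for a specific-pieces export, as an added example rather than code from the original article. It withholds the categories listed in 11 CCR § 7024(d) by field name, and as a second line of defence scrubs anything shaped like a Social Security number from free-text values, since support notes and comment fields are where these identifiers usually leak. The field-name patterns, the placeholder wording, and the sample data are assumptions.

```python
"""Added example: mask identifiers that must not be disclosed in a
specific-pieces response before the export leaves the business.

11 CCR 7024(d): SSN, driver's licence / government ID numbers, financial
account numbers, health insurance or medical ID numbers, account
passwords, security questions and answers, unique biometric data. The
consumer is told the type of data held instead. Field-name patterns and
the placeholder text are assumptions; adapt them to your schema.
"""
import json
import re

# (field-name pattern, description used in the placeholder)
WITHHELD_FIELDS = [
    (re.compile(r"ssn|social_security", re.I), "social security number"),
    (re.compile(r"drivers?_licen[cs]e|passport|gov(ernment)?_id", re.I), "government identification number"),
    (re.compile(r"account_number|iban|card_number|routing_number", re.I), "financial account number"),
    (re.compile(r"insurance_id|medical_record|member_id", re.I), "health insurance or medical identification number"),
    (re.compile(r"password|passwd", re.I), "account password"),
    (re.compile(r"security_(question|answer)", re.I), "security question or answer"),
    (re.compile(r"biometric|fingerprint|face_template", re.I), "unique biometric data"),
]
# Defence in depth: an SSN pasted into a free-text field is withheld too.
SSN_VALUE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _placeholder(description):
    return f"[withheld: {description} on file; not disclosed per 11 CCR 7024(d)]"


def redact_for_disclosure(node):
    """Return a deep copy of `node` with withheld fields replaced by a
    placeholder. Walks nested dicts and lists; scrubs SSN-shaped strings."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            desc = next((d for pat, d in WITHHELD_FIELDS if pat.search(key)), None)
            out[key] = _placeholder(desc) if desc else redact_for_disclosure(value)
        return out
    if isinstance(node, list):
        return [redact_for_disclosure(v) for v in node]
    if isinstance(node, str):
        return SSN_VALUE.sub(_placeholder("social security number"), node)
    return node


def build_export(consumer_id, collected, lookback_months=12):
    """Produce the portable JSON document sent to the consumer."""
    payload = {
        "consumer_id": consumer_id,
        "lookback_months": lookback_months,
        "personal_information": redact_for_disclosure(collected),
    }
    return json.dumps(payload, indent=2, sort_keys=True)


# Constructed sample, not real data.
SAMPLE = {
    "profile": {"name": "Jane Doe", "email": "jane@example.com",
                "ssn": "123-45-6789", "password_hash": "$2b$12$abc"},
    "payment_methods": [{"brand": "visa", "card_number": "4111111111111111", "exp": "12/27"}],
    "support_notes": ["Customer phoned; gave 123-45-6789 over the phone for verification"],
    "security_answer": "fluffy",
    "biometric_face_template": "base64...",
}

if __name__ == "__main__":
    print(build_export("c-1", SAMPLE))
```

Run the masked export, not the raw record, through whatever delivery channel you use; the point of doing the redaction in one function is that it becomes the single chokepoint you can test and audit.
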
Processing Deletion Requests

When you receive a verified deletion request:

  1. Delete the personal information from your active systems. This includes your databases, CRM, email marketing platform, and any other system where the data lives.
  2. Direct your service providers and contractors to delete the data. You must notify them of the deletion request and ensure they comply.
  3. Deidentify or aggregate the data as an alternative to deletion if appropriate. Deidentified data that cannot be linked back to the consumer is no longer "personal information" under the CCPA.

Exceptions to deletion (Cal. Civ. Code § 1798.105(d)): You are not required to delete personal information if you need it to:

  • Complete the transaction for which it was collected
  • Provide a good or service requested by the consumer
  • Perform under a contract with the consumer
  • Detect security incidents or protect against malicious, deceptive, or illegal activity
  • Debug or repair functionality
  • Exercise free speech or another legal right
  • Comply with the California Electronic Communications Privacy Act
  • Engage in research in the public interest (with safeguards)
  • Comply with a legal obligation
  • Use internally in a way that is reasonably aligned with consumer expectations

If you invoke an exception, you must tell the consumer which exception applies and why.

For practical implementation details, see How to Handle CCPA Right-to-Delete and Right-to-Know Requests.

Processing Opt-Out Requests

When a consumer opts out of sale or sharing:

  1. Stop selling or sharing their personal information as soon as feasibly possible, and no later than 15 business days after receiving the request
  2. Notify every third party to whom you sold or shared the consumer's data after the request came in and before you complied with it (11 CCR § 7026(f)), telling them the consumer has opted out
  3. Direct those third parties to comply with the request and to forward it to anyone they have made the data available to

Remember: you must also honor opt-out preference signals such as Global Privacy Control (GPC) as valid opt-out requests. The browser sends GPC as the HTTP request header Sec-GPC: 1, so this is a server-side check on every request, not something that waits for a form submission.

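The opt-out handling described in this section, as an added example that is not part of the original article: detect the GPC header, register the opt-out so downstream code stops selling or sharing, and compute which third parties to notify from a disclosure log. The disclosure-log layout, the OptOutStore class, and the sample vendors and consumers are assumptions.

```python
"""Added example: honour a Global Privacy Control signal as an opt-out
and work out which third parties must be notified.

GPC arrives as the request header `Sec-GPC: 1`. Under 11 CCR 7026(f)
the business stops selling or sharing and notifies third parties to whom
it sold or shared the consumer's data after the request was received
and before it complied. The disclosure-log layout and the OptOutStore
class are assumptions for this example.
"""
from datetime import datetime, timezone


def gpc_signal_present(headers):
    """True when the browser sent Sec-GPC: 1 (header names are
    case-insensitive, so compare on lower-cased keys)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def opt_out_source(headers, explicit_opt_out=False):
    """'form' for a click on the opt-out link, 'gpc' for the signal,
    None when neither applies. Either one is a valid opt-out request."""
    if explicit_opt_out:
        return "form"
    if gpc_signal_present(headers):
        return "gpc"
    return None


class OptOutStore:
    """In-memory register of opted-out consumers (assumed)."""

    def __init__(self):
        self._opted_out = {}

    def record(self, consumer_id, source, received_at):
        # Keep the earliest opt-out so a repeat GPC hit does not reset the clock.
        self._opted_out.setdefault(consumer_id, (source, received_at))

    def received_at(self, consumer_id):
        return self._opted_out[consumer_id][1]

    def may_sell_or_share(self, consumer_id):
        return consumer_id not in self._opted_out


def third_parties_to_notify(disclosure_log, consumer_id, received_at, complied_at):
    """Recipients of a sale or share of this consumer's data between
    receipt of the opt-out and the moment the business complied."""
    recipients = set()
    for entry in disclosure_log:
        if entry["consumer_id"] != consumer_id:
            continue
        if entry["purpose"] not in ("sale", "sharing"):
            continue  # disclosures to service providers are not sales or shares
        if received_at <= entry["at"] <= complied_at:
            recipients.add(entry["recipient"])
    return sorted(recipients)


def ts(*ymd):
    """Build a UTC timestamp from year, month, day (helper for samples)."""
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed sample data: not real traffic, consumers or vendors.
DISCLOSURE_LOG = [
    {"consumer_id": "c-1", "recipient": "adnet-a", "purpose": "sharing", "at": ts(2026, 2, 1)},
    {"consumer_id": "c-1", "recipient": "adnet-b", "purpose": "sale", "at": ts(2026, 2, 4)},
    {"consumer_id": "c-1", "recipient": "mailer", "purpose": "service_provider", "at": ts(2026, 2, 5)},
    {"consumer_id": "c-2", "recipient": "adnet-b", "purpose": "sale", "at": ts(2026, 2, 5)},
]

if __name__ == "__main__":
    store = OptOutStore()
    source = opt_out_source({"Sec-GPC": "1", "User-Agent": "example"})
    store.record("c-1", source, ts(2026, 2, 3))
    print(source, store.may_sell_or_share("c-1"))
    print(third_parties_to_notify(DISCLOSURE_LOG, "c-1", store.received_at("c-1"), ts(2026, 2, 6)))
```

Call may_sell_or_share from every code path that hands data to an ad network or data broker; a flag that only the web form checks is not an opt-out. The same signal is also exposed to page scripts as navigator.globalPrivacyControl, which is where client-side tag managers should look.
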
Processing Correction Requests

When a consumer asks you to correct inaccurate information:

  1. Verify the request and review the documentation provided
  2. Correct the information in your records if the consumer's claim is substantiated
  3. Direct service providers and contractors to correct their records as well
  4. If you determine the information is actually accurate, inform the consumer and explain why

You should use "commercially reasonable efforts" to correct the data. This doesn't mean you have to move mountains, but you do need to take the request seriously.

Processing "Limit Use of Sensitive Personal Information" Requests

Sensitive personal information (Cal. Civ. Code § 1798.140(ae)) includes Social Security, driver's license, state ID, and passport numbers; account log-in or financial account details together with the credentials that allow access; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; the contents of mail, email, and text messages; genetic data; biometric data processed to uniquely identify a consumer; health information; sex life or sexual orientation data; and, since 2024, citizenship or immigration status.

When a consumer requests you limit the use of their sensitive personal information:

  1. Restrict your use to what is "necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services"
  2. Do not use it for profiling, advertising, or other secondary purposes
  3. Direct service providers and contractors to implement the same limitations

Step 4: Responding to the Consumer

Response Timeline

  • Acknowledge receipt within 10 business days of receiving a request to know, delete, or correct (11 CCR § 7021(a)). Your acknowledgment should confirm what type of request was received and describe how you will process it, including the expected timeline.
  • Provide a substantive response within 45 calendar days of receiving the request (Cal. Civ. Code § 1798.130(a)(2)). The clock starts on the day of receipt, not the day verification finishes.
  • If you need more time, you can extend once by up to 45 additional calendar days when reasonably necessary, but you must notify the consumer within the initial 45-day period and explain why the extension is necessary.
  • For opt-out and limit-use requests, comply as soon as feasibly possible and no later than 15 business days after receipt.

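The clocks above (and the "date received starts the 45-day clock" point from the intake section) computed from a receipt date, as an added example rather than code from the original article. It encodes the 10-business-day acknowledgment, the 45-calendar-day response window with a single 45-day extension, and the 15-business-day opt-out and limit-use window. Assumptions: dates are ISO strings, business days are Monday to Friday, and holidays are not modelled.

```python
"""Added example: compute the CCPA clocks for a request from its receipt date.

Rules encoded: acknowledgement within 10 business days for requests to
know, delete and correct (11 CCR 7021(a)); substantive response within
45 calendar days, extendable once by 45 more if notice goes out inside
the first 45 (Cal. Civ. Code 1798.130(a)(2)); 15 business days for
opt-out and limit-use requests (11 CCR 7026, 7027). Assumptions: dates
are ISO strings or date objects, business days are Monday to Friday,
holidays are not modelled (add a holiday calendar before relying on this).
"""
from datetime import date, timedelta

ACK_TYPES = {"know_categories", "know_specific", "delete", "correct"}
FORTY_FIVE_DAY_TYPES = ACK_TYPES
FIFTEEN_BUSINESS_DAY_TYPES = {"opt_out", "limit_use"}


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start, n):
    """Advance n Monday-to-Friday days from start, skipping weekends."""
    current = _as_date(start)
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def dsar_deadlines(received, request_type, extended=False):
    """Return the dates that govern this request as a dict of date objects."""
    received = _as_date(received)
    if request_type in FIFTEEN_BUSINESS_DAY_TYPES:
        return {"comply_by": add_business_days(received, 15)}
    if request_type not in FORTY_FIVE_DAY_TYPES:
        raise ValueError(f"unknown request type: {request_type}")
    return {
        "acknowledge_by": add_business_days(received, 10),
        # The extension notice must go out by the end of the first window.
        "extension_notice_by": received + timedelta(days=45),
        "respond_by": received + timedelta(days=90 if extended else 45),
    }


def extension_still_available(received, today):
    """An extension can only be invoked while the first 45-day window is open."""
    return _as_date(today) <= _as_date(received) + timedelta(days=45)


def reminder_dates(received):
    """Calendar nudges on day 1, 30 and 40 of the 45-day window."""
    received = _as_date(received)
    return [received + timedelta(days=d) for d in (1, 30, 40)]


def days_remaining(deadline, today):
    return (_as_date(deadline) - _as_date(today)).days


if __name__ == "__main__":
    for kind in ("know_specific", "opt_out"):
        print(kind, {k: v.isoformat() for k, v in dsar_deadlines("2026-02-02", kind).items()})
```

Feed the receipt date from the intake log, never the date verification completed; a request that sits in a verification queue for three weeks has already used three weeks of its 45 days.
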
Response Format

Your response should be:

  • Clear and plain language. Don't send a wall of legal text.
  • Delivered through the consumer's preferred channel when possible. If they submitted via email, respond via email. If they submitted via your web form, email is generally fine.
  • In a portable and readily usable format for specific-pieces requests. Common formats include downloadable JSON, CSV, or a well-structured PDF.
  • Free of charge. You cannot charge for processing CCPA requests (with rare exceptions for manifestly unfounded or excessive requests).

What to Include in Your Response

For "right to know" responses:

  • All the required disclosures listed above
  • A statement of the consumer's right to not be discriminated against (Cal. Civ. Code § 1798.125)
  • Contact information for further questions

For deletion responses:

  • Confirmation that the request has been processed
  • A list of any exceptions you're invoking (and why)
  • Confirmation that service providers have been directed to delete

For opt-out responses:

  • Confirmation that the opt-out has been implemented
  • A note about how long it may take to fully propagate (if relevant)

For denial responses (when you can't verify identity or an exception applies):

  • A clear explanation of why the request was denied
  • The specific exception or reason
  • Information about how the consumer can supply additional verification or contact you to contest the decision

Step 5: Documentation and Record-Keeping

The CCPA requires you to maintain records of consumer requests and your responses for at least 24 months. Your records should include:

  • The request itself (date received, type, consumer identity information)
  • Your verification steps and outcome
  • Actions taken to fulfill the request
  • Your response (date sent, content, format)
  • Any extensions requested and the reasons
  • If denied: the reason for denial

This documentation serves two purposes: it demonstrates compliance if you're ever audited, and it helps you identify patterns and improve your process over time.

DSAR Metrics (for Large Businesses)

If your business buys, receives, sells, or shares the personal information of 10,000,000 or more consumers in a calendar year (11 CCR § 7102), you must compile the following metrics for the previous calendar year and publish them by July 1:

  • Number of requests to know received, complied with (in whole or in part), and denied
  • Number of requests to delete received, complied with (in whole or in part), and denied
  • Number of requests to correct received, complied with (in whole or in part), and denied
  • Number of requests to opt out of sale/sharing received, complied with (in whole or in part), and denied
  • Number of requests to limit use of sensitive personal information received, complied with (in whole or in part), and denied
  • Median or mean number of days to substantively respond to each type of request

These metrics must be published in your privacy policy or on a page of your website linked from the privacy policy. Requests you denied because the requester could not be verified still count as received and denied (you may break out the reasons for denial if you wish).

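Compiling those metrics from the tracking log described in Step 5, as an added example that is not code from the original article. The record layout (ISO dates, a type, an outcome) is an assumption, the median is reported because the regulation allows median or mean, and the over-deadline check at the end is an internal control, not a required metric.

```python
"""Added example: compile the annual request metrics 11 CCR 7102 calls
for from a request log.

Assumptions: each log record is a dict with 'received' and 'responded'
ISO dates (responded is None while open), a 'type' from REQUEST_TYPES,
and an 'outcome' of 'complied', 'partial', 'denied' or 'open'. Median is
reported; the regulation allows median or mean.
"""
from datetime import date
from statistics import median

REQUEST_TYPES = ("know", "delete", "correct", "opt_out", "limit_use")
FORTY_FIVE_DAY_TYPES = ("know", "delete", "correct")


def compile_metrics(log, year):
    """Per request type: received, complied with in whole or in part,
    denied, and median days from receipt to substantive response, for the
    given calendar year."""
    buckets = {t: {"received": 0, "complied": 0, "denied": 0, "days": []} for t in REQUEST_TYPES}
    for rec in log:
        received = date.fromisoformat(rec["received"])
        if received.year != year:
            continue
        b = buckets[rec["type"]]
        b["received"] += 1
        if rec["outcome"] in ("complied", "partial"):
            b["complied"] += 1
        elif rec["outcome"] == "denied":        # includes unverifiable requests
            b["denied"] += 1
        if rec.get("responded"):
            b["days"].append((date.fromisoformat(rec["responded"]) - received).days)
    return {
        t: {
            "received": b["received"],
            "complied_whole_or_part": b["complied"],
            "denied": b["denied"],
            "median_days_to_respond": median(b["days"]) if b["days"] else None,
        }
        for t, b in buckets.items()
    }


def over_deadline(log, limit_days=45):
    """Internal control, not a required metric: 45-day requests whose
    response took longer than limit_days. Anything listed here needs a
    properly noticed extension on file."""
    late = []
    for rec in log:
        if rec["type"] in FORTY_FIVE_DAY_TYPES and rec.get("responded"):
            elapsed = (date.fromisoformat(rec["responded"]) - date.fromisoformat(rec["received"])).days
            if elapsed > limit_days:
                late.append((rec["received"], rec["type"], elapsed))
    return late


# Constructed sample log, not real requests.
SAMPLE_LOG = [
    {"received": "2025-01-10", "type": "know", "outcome": "complied", "responded": "2025-02-05"},
    {"received": "2025-03-01", "type": "know", "outcome": "denied", "responded": "2025-03-20"},
    {"received": "2025-04-01", "type": "know", "outcome": "complied", "responded": "2025-05-30"},
    {"received": "2025-06-15", "type": "know", "outcome": "partial", "responded": "2025-07-29"},
    {"received": "2025-02-02", "type": "delete", "outcome": "complied", "responded": "2025-03-10"},
    {"received": "2025-09-09", "type": "opt_out", "outcome": "complied", "responded": "2025-09-20"},
    {"received": "2024-12-30", "type": "delete", "outcome": "complied", "responded": "2025-01-20"},
    {"received": "2025-11-20", "type": "delete", "outcome": "open", "responded": None},
]

if __name__ == "__main__":
    for kind, m in compile_metrics(SAMPLE_LOG, 2025).items():
        print(kind, m)
    print("over deadline:", over_deadline(SAMPLE_LOG))
```

Requests received in the reporting year but still open at compile time count as received but contribute no response time; rerun the compilation once they close if you publish before the backlog clears.
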
Common DSAR Processing Mistakes

Missing the 45-day deadline. This is the most common failure. The fix is simple: set calendar reminders on day 1, day 30, and day 40. If you need an extension, request it early -- not on day 44.

Over-verifying opt-out requests. Opt-out requests have a low verification bar by design. Don't ask for three forms of ID when someone just wants to stop the sale of their data.

Under-verifying specific-pieces requests. The flip side: if someone asks for their actual data, you need three-point matching plus a declaration under penalty of perjury. Sending personal information to the wrong person is worse than missing a deadline.

Forgetting about service providers. When you process a deletion request, you need to notify every service provider and contractor that holds the consumer's data. Build a checklist of all vendors that need to be notified for each deletion request.

Providing incomplete responses. A "right to know" response that omits one of the required category disclosures (sources, purposes, third parties, data sold, data disclosed for a business purpose) is a compliance failure. Use a template to make sure you hit every required element.

Not documenting the process. If you can't prove you handled a request properly, you effectively didn't. Document everything.

Building a Scalable DSAR Process

If you're handling a handful of requests per month, a spreadsheet and email templates will get you by. As volume grows, you'll want to invest in:

  1. A dedicated intake form that captures all necessary information upfront
  2. A tracking system with automated deadline reminders
  3. Response templates for each request type that include all required elements
  4. A vendor notification checklist for deletion requests
  5. Regular process reviews to identify bottlenecks and improve efficiency

The goal isn't perfection on day one. It's having a process that works, that you actually follow, and that you improve over time.

For information about response deadlines across different privacy laws, see our DSAR Response Deadlines guide.

References

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.


Want ready-to-use response templates for every CCPA request type? Our DSAR Response Templates include templates for right-to-know, deletion, opt-out, and denial responses -- all formatted with the required CCPA disclosures so you never miss a required element.