Data Subject Rights under California privacy laws CCPA and CPRA

Mar 2, 2021 5:49:48 PM / by PrivacyPerfect

The California Consumer Privacy Act (CCPA) grants California residents rights and control over their personal data. As consumers become increasingly aware of their granted rights, the number of data subject requests received by organisations under the CCPA have also been increasing. Responding to these requests is often a challenge, given the complexity of the process and the tight deadlines. In this blog post, our objective is to provide you with a clear overview of the key information for responding to Consumer Right Requests.

Who must comply?

Is the CCPA relevant for you? Do you have to be ready for Data Subject Requests coming in? Well, that depends. Are you a Business?


What rights does the CCPA grant California residents?


Right to disclosure 

The CCPA’s right to disclosure means that residents can obtain a written document of personal information collected in the 12 months prior to the request of (categories of) personal information collected/sold, categories of sources from which personal information is collected, business or commercial purpose for collecting or selling personal information, and categories of third parties with whom the personal information is shared.

Requests must be able via a toll-free phone or a webpage. Businesses are not required to provide access more than twice in 12 months. 


 Right to receive personal information in a readily usable format

A business must provide personal information in a readily usable format that allows the individual to transmit this information to another entity without hindrance. It falls under the right to disclosure and has the same requirements and exceptions as that right, and does not enable business-business transfer.


Right to opt in or out

Under CCPA, businesses must include a link titled “Do Not Sell My Personal Information”(DNS link) in a clear and conspicuous location on their website homepage. Following this link, individuals may request to opt-out of the sale of their personal information to third parties.A business shall comply with a request to opt-out as soon as feasibly possible, but no later than 15 business days from the date the business receives the request. After the individual opts-out, businesses must not request re-authorization to sell a individual’s personal information for at least 12 months


Right to deletion

individuals have the right to delete personal information a business has collected, or even sold/shared with its service providers. There are some exceptions, such as for freedom of expression, research, handling of legal claims and complying with legal obligations, for internal use and technical reasons.


The right not to be subject to discrimination for the exercise of rights

This right is there to protect the use of others. It forbids that businesses deny or provide a different quality of goods or services, (suggest to) charge different prices or rate, or impose penalties based on the exercise of rights. 


Private right of action for data breaches

If a business fails to maintain reasonable safeguards of information, and this results in unauthorized access and disclosure or theft of personal information, individuals can bring a private right of action with statutory damages between $100 and $750 per incident per resident or actual damages, whichever is higher. 


What will CPRA do?

The CPRA, or California Consumer Privacy Act, comes into effect on 1 Jan 2023. It has a “look-back” provision however, that applies to information collected on or after 1 Jan 2022. 


Changes to current rights

Right to opt-out

Businesses are required to provide a link labeled “Limit the Use of My Sensitive Personal Information” in addition to the “Do Not Sell or Share my Personal Information” link.
The CPRA allows the business to forgo providing these links separately and instead choose to provide a single link that enables the consumer to both limit the use and disclosure of sensitive personal information and opt out of the sale and sharing of personal information.

Important for businesses, CPRA also permits to forgo providing the links if they instead choose to allow consumers to opt out by sending an opt-out preference signal via ”platform, technology, or mechanism.”

Right to receive personal information in a readily usable format

CPRA requires that a business must provide the “specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format.” That information may then “be transmitted to another entity at the consumer’s request without hindrance.”


Additional rights

Right to correct

Under CPRA, individuals will get the right to correct inaccurate personal information. Businesses will be required to disclose to consumers information about their right to correct and provide consumers with a means to request a correction. The CPRA requires businesses to use “commercially reasonable efforts” to correct inaccurate personal information. 

Right to limit the use and disclosure of sensitive personal information

Under CPRA, every individual has the right to limit the use and disclosure of “sensitive personal information”. Importantly for businesses, this includes personal information that reveals “a consumer’s precise geolocation.” (a “circle with a radius of 1,850 feet”)


What happens if I don’t comply? 

First, what is noncompliance? This is important, because it implies not complying in time. Upon receiving a request to know or delete personal information, a business shall provide information about the request process within 10 business days. Businesses must comply with requests 45 days from the receipt of the request. It could be extended by 45 days, but the individual should then be informed within the first 45 days. Businesses have a 30-day period to cure any non-compliance.

Businesses are struggling with the intricate processes and tight deadlines. A whopping 92% of privacy pros at large companies expressed a level of anxiousness about honoring requests under the CCPA. 

All the while, statutory penalties include up to $2500 under the Unfair Competition Law, or up to $7.500 per intentional violation. With a new privacy supervisor being introduced besides the California Attorney General, this poses an increasingly serious risk for businesses.


Moving forward

Many organisations find responding to data subject requests under the CCPA one of the most difficult parts of CCPA compliance. If you feel overwhelmed, rest assured, that’s normal. Luckily, there is an abundance of solutions on the market already that can help make managing this process easier, quicker, and more efficient. If you are looking to see what such a solution could look like and how it can help make responding to data subject requests better, please reach out to us via


Topics: ccpa


Written by PrivacyPerfect

    Lists by Topic

    see all
    harmas_Rajztábla 1-1
    Keep informed!
    Sign up to the Weekly GDPR Digest now.