What is a CCPA/CPRA DSAR?
A Data Subject Access Request (DSAR) is a formal inquiry submitted by a consumer asking a business to take action regarding their personal data. Under CCPA/CPRA, consumers have the right to know what personal information is collected, request the deletion of that information, demand correction of inaccurate data, and opt out of the sale or sharing of their data.
There is no legal requirement for a consumer to use specific phrasing or a formal document. If a consumer makes a clear request regarding their data via designated channels (like a toll-free number or web form), the business is legally obligated to process it as a DSAR.
Who is Required to Respond?
These requirements apply to any for-profit business doing business in California that meets specific thresholds, such as gross annual revenues over $25 million, buying/selling the personal information of 100,000 or more residents, or deriving 50% or more of annual revenue from selling or sharing personal information.
If your business falls under these criteria, you are legally bound to provide multiple mechanisms for receiving requests and a structured internal process for logging and responding to them on time.
The 15-Day Confirmation Clock
Upon receiving a request to know, delete, or correct personal information, a business must confirm receipt of the request within 10 business days (often operationally targeted as 15 calendar days to ensure safety).
The confirmation must provide the consumer with information about how the business will process the request. This includes describing the verification process—the steps the business will take to confirm the consumer's identity—and an estimated timeframe for when the consumer can expect a final response.
The 45-Day Fulfillment Deadline and Extensions
A business must fulfill the actual consumer request—such as delivering the requested data or confirming deletion—within 45 calendar days of receiving the original request. The clock starts the day the request is received, regardless of how long identity verification takes.
If the business cannot complete the request within 45 days due to complexity or volume, it may claim a one-time extension of an additional 45 days (for a maximum total of 90 days). However, to legally use this extension, the business must notify the consumer within the initial 45-day window, explaining the specific reason for the delay.
- Acknowledge receipt within 10 business days.
- Provide the final data or action within 45 calendar days.
- Extend up to 90 days maximum, requiring a written notice to the consumer.
Special Opt-Out Clocks
It is crucial to differentiate between requests to know/delete and requests to 'opt out of the sale or sharing' of personal information. If a consumer submits an opt-out request, the 45-day clock does not apply.
Businesses must honor requests to opt-out of the sale or sharing of personal information as soon as feasibly possible, but no later than 15 business days from the date of receiving the request.
Frequently asked questions
Does the 45-day clock start when identity is verified, or when the request is submitted?
The 45-day deadline starts on the day the business receives the request, not when the consumer's identity is successfully verified.
What happens if we cannot verify the consumer's identity within 45 days?
If you cannot verify the identity, you must deny the request to know or delete, and inform the consumer of the reason for denial within the 45-day window.
Can we charge a fee to process a CCPA DSAR?
Generally, no. Information must be provided free of charge, unless the requests from a consumer are manifestly unfounded or excessive (e.g., highly repetitive).
Are B2B contacts and employee data subject to CCPA DSARs?
Yes. As of January 1, 2023, the CPRA amendments removed the exemptions for employee and B2B data, meaning these individuals have full DSAR rights.