How To Navigate CCPA’s DSAR Requirements in 6 Simple Steps

Anokhy Desai CIPP/US, CIPT, CIPM

October 18, 2024

The California Consumer Privacy Act (CCPA) gives consumers rights they can exercise at any time by submitting a request to your business. Such a request is commonly called a data subject access request, or DSAR.

Businesses covered by the CCPA should establish a formal process for receiving these requests so they can locate all relevant data, verify the requester, and respond in a compliant, timely manner.

In this guide, I teach you how to navigate the CCPA’s DSAR requirements and provide easy steps your business can follow to establish an efficient internal process.

Table of Contents
  1. Does The CCPA Require DSARs?
  2. How To Navigate the CCPA and DSARs: Step by Step
  3. Using Termly for the CCPA's DSAR Requirements
  4. CCPA Link Requirements
  5. Summary

Does The CCPA Require DSARs?

The California Consumer Privacy Act grants rights to consumers, and they’re permitted to submit requests to businesses to follow through on those rights.

In the text of the law, this is technically called a verifiable consumer request, but functionally, it’s the same process as a GDPR DSAR.

The CCPA uses different language than the GDPR, but provides similar consumer rights.

The term ‘DSAR’ originated with the General Data Protection Regulation (GDPR), an EU regulation. It refers to when a data subject (aka, the consumer) submits a request to exercise their privacy rights.

What Rights Does the CCPA Give Consumers?

The CCPA gives California consumers the following rights:

  • Know what personal information is collected about them and how it is used and shared
  • Access the personal information a business holds about them
  • Correct inaccurate personal information
  • Delete their personal information
  • Opt out of the sale or sharing of their personal information (under the CCPA, "sharing" means disclosure for cross-context behavioral advertising, which is what the law calls targeted advertising)
  • Limit the use and disclosure of their sensitive personal information
  • Not be discriminated against for exercising any of these rights

Your business must be ready to receive and respond to a DSAR for each of the rights the CCPA grants to consumers. Requests can arrive through several channels, including:

  • Online forms
  • Browser opt-out preference signals such as Global Privacy Control (GPC), which the CCPA requires you to treat as a valid opt-out of sale or sharing
  • Email

Your business is responsible for verifying the consumer's identity and responding to the request within the statutory deadlines. Opt-out requests are the exception: they are not "verifiable consumer requests," so you must honor them without demanding identity verification.

How To Navigate the CCPA and DSARs: Step by Step

Below are six steps businesses can follow to simplify navigating the CCPA’s DSAR requirements.

Step 1: Identity Verification Requirements

Under the CCPA, your business must verify the identity of consumers who submit requests to know, correct, or delete, so it is best to establish a formal DSAR process your team can follow to do this consistently.

Doing so ensures you do not release personal information to the wrong person. That would be a violation of the law, and it is also an unauthorized disclosure in its own right: a DSAR channel that accepts weak proof of identity is an easy way for an attacker to extract someone else's data.

You verify a consumer's identity under the CCPA by comparing the information in their request to data you have already collected about them. The CCPA regulations treat a match on at least two data points as a "reasonable degree of certainty," and a match on at least three data points plus a signed declaration under penalty of perjury as a "reasonably high degree of certainty," which is the level required before disclosing specific pieces of personal information.

If the data you already hold is not enough, you may ask for additional information, but you may use it only for verification and must delete it as soon as practical after the request is processed.

Step 2: Information to Include in a Response

Next, build a data map: a formal record of what personal information your business collects, which systems (including processors and backups) hold it, and who owns each system. With that in place, your team knows where to look for everything a response must include.

Treat request handling itself as a sensitive workflow. A compiled DSAR response is a concentrated copy of one person's data, so protect it against breaches and unauthorized access while it is being assembled and delivered.

For example, this process might include:

  • Performing a data audit to locate all personal data your business collects.
  • Limiting who has access to this information on your team and for how long.
  • Training the members of your team who are responsible for responding to DSARs.

Step 3: Timeline for Responding

Ensure your team can respond to data requests within the time frame outlined by the law.

The CCPA gives you 45 calendar days from receipt to respond to requests to know, correct, or delete. You may extend this once, by a further 45 days, when reasonably necessary given the complexity and number of requests, but only if you notify the consumer of the extension within the first 45 days. The regulations also require you to confirm receipt of such a request within 10 business days.

Opt-out requests must be honored no later than 15 business days after receipt, and there is no option to extend this.

Step 4: Refusing to Respond

Outline when your business may refuse to act on a DSAR. The CCPA permits this only if:

  • You cannot verify the identity of the requester
  • The request is manifestly unfounded
  • The request is manifestly excessive, for example because of its repetitive character

Establishing a process is important because, under the CCPA, your business bears the burden of demonstrating that a request is manifestly unfounded or excessive. (For such requests the law also lets you charge a reasonable fee instead of refusing.)

If you cannot do so to the satisfaction of the California Privacy Protection Agency or the California Attorney General, you face civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.

When you deny a request, you must also respond to the consumer, explaining the basis for the denial and how they can contest your decision.

Step 5: Appeals Process for Consumers

You also need to give your California consumers a way to contest your decision on their DSAR.

The CCPA does not spell out a formal appeal procedure the way several other state privacy laws do, but when you deny a request its regulations require you to tell the consumer the basis for the denial. Offering a documented path to contest that decision within a reasonable, disclosed timeframe is the practical way to meet this obligation.

Submitting an appeal should be as easy for the consumer as submitting the original DSAR.

Step 6: Keep a Log of Your Responses

Keep a secure, access-controlled log of every request your business receives and how it responded. The CCPA regulations require you to retain records of consumer requests and your responses for at least 24 months and to use them only for record keeping and compliance, so the log should capture the request type, dates, decision, and basis for any denial, but not the extra data collected for verification.

Making the log append-only and tamper-evident means it can stand on its own if an investigation or audit occurs.
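The six steps above are one procedure, so here is a single worked example. It is an added illustration, not Termly's code and not a legal template: a small Python model of the intake, verification, deadline and logging logic. The customer record and request are constructed for the demo, the choice of which request types need the higher verification level is an assumption, and the business-day arithmetic ignores public holidays.

```python
"""Added example (not Termly's code): a minimal model of the CCPA request
workflow from Steps 1-6. Sample records are constructed for the demo."""
import hashlib
import json
from datetime import date, timedelta

# Thresholds from the CCPA regulations (11 CCR 7060(c)): two matching data
# points give a reasonable degree of certainty, three plus a signed
# declaration give a reasonably high degree. Which request types need the
# higher level is an assumption made for this example.
HIGH_CERTAINTY_TYPES = {"access_specific_pieces", "delete"}
INITIAL_WINDOW_DAYS = 45           # calendar days; extendable once by 45 more
OPT_OUT_WINDOW_BUSINESS_DAYS = 15  # opt-out of sale/sharing; no extension

# Constructed sample data.
RECEIVED = date(2024, 10, 18)      # a Friday
SAMPLE_STORED = {"email": "dana@example.com", "zip": "94105", "phone": "555-0100"}
SAMPLE_IDENTITY = {"email": "Dana@example.com", "zip": "94105"}

def verify_identity(submitted, stored, request_type, signed_declaration=False):
    """Step 1: count submitted data points matching what we already hold."""
    norm = lambda v: str(v).strip().lower()
    matched = sorted(k for k, v in submitted.items()
                     if k in stored and norm(v) == norm(stored[k]))
    if request_type in HIGH_CERTAINTY_TYPES:
        return len(matched) >= 3 and signed_declaration, matched
    return len(matched) >= 2, matched

def add_business_days(start, n):
    """Advance n weekdays; public holidays are ignored (assumption)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current

def response_deadline(received, request_type, extended=False):
    """Step 3: the date by which the response is due."""
    if request_type == "opt_out":
        return add_business_days(received, OPT_OUT_WINDOW_BUSINESS_DAYS)
    days = INITIAL_WINDOW_DAYS * (2 if extended else 1)
    return received + timedelta(days=days)

def can_extend(received, request_type, today):
    """Extension notice must go out inside the first 45 days; opt-outs never extend."""
    return request_type != "opt_out" and today <= response_deadline(received, request_type)

class RequestLog:
    """Step 6: append-only, hash-chained log of outcomes. It never stores the
    extra data that was collected for verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries, self.last_hash = [], self.GENESIS

    def append(self, event):
        payload = json.dumps({"prev": self.last_hash, **event}, sort_keys=True)
        digest = hashlib.sha256(payload.encode()).hexdigest()
        self.entries.append((payload, digest))
        self.last_hash = digest
        return digest

    def verify_chain(self):
        """Recompute every hash and check each entry points at its predecessor."""
        prev = self.GENESIS
        for payload, digest in self.entries:
            if hashlib.sha256(payload.encode()).hexdigest() != digest:
                return False
            if json.loads(payload)["prev"] != prev:
                return False
            prev = digest
        return True

def process_request(log, request, stored_record, received):
    """Steps 1, 3 and 4 for one request; the outcome is logged and returned."""
    if request["type"] == "opt_out":
        verified, matched = True, []   # opt-outs are not verifiable requests
    else:
        verified, matched = verify_identity(
            request["identity"], stored_record, request["type"],
            request.get("signed_declaration", False))
    request["identity"] = None         # verification data is used once, then dropped
    result = {
        "request_id": request["id"],
        "type": request["type"],
        "decision": "accepted" if verified else "denied_unverifiable",
        "matched_fields": len(matched),
        "due": response_deadline(received, request["type"]).isoformat(),
    }
    log.append(result)
    return result

if __name__ == "__main__":
    log = RequestLog()
    req = {"id": "dsar-1", "type": "access_categories", "identity": dict(SAMPLE_IDENTITY)}
    print(process_request(log, req, SAMPLE_STORED, RECEIVED))
    print("log intact:", log.verify_chain())
```

The points worth noticing: a deletion request with only two matching fields is denied rather than silently downgraded, the identity data is discarded before anything is logged, and editing any past log entry breaks `verify_chain()`, which is what you want to be able to show an auditor.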

Using Termly for the CCPA’s DSAR Requirements

Termly’s Consent Management Platform (CMP) comes with a free embeddable DSAR form that you can add to your website to help meet some of the CCPA’s DSAR requirements.

The DSAR form asks your consumers essential questions to help streamline various aspects of the response process, including the following:

  • What privacy law applies to the user
  • What right(s) they’re requesting to follow through on
  • Their name and the primary email they use to contact your website

It also features all relevant information about the appeals process as required by the CCPA, making compliance a breeze.

CCPA Link Requirements

The CCPA also requires covered businesses with websites to post the following links on their homepage (the site footer is the usual placement):

  • "Do Not Sell or Share My Personal Information"
  • "Limit the Use of My Sensitive Personal Information"

These links must lead directly to a page that allows California users to easily opt out of the selling and sharing of their data and to limit the use of their sensitive personal information.

You can instead use a single link, titled "Your Privacy Choices" or "Your California Privacy Choices" and accompanied by the opt-out icon, that leads to a page where users can act on both rights.

Your site must follow these link requirements even if you publish a separate DSAR form.

Summary

Establishing a DSAR response process is ideal for businesses to streamline responding to verifiable consumer requests under the CCPA.

But remember to check other avenues because consumers might submit requests through various channels, like email or social media platforms.

Requests to know, correct, or delete must be resolved within 45 days of receipt (extendable once by 45 days with notice), but opt-out requests must be honored within 15 business days.

Adding resources like a DSAR form to your website makes the process more efficient for your business and California consumers.


About the author: Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her master's at Carnegie Mellon University and her juris doctor at the University of Pittsburgh.
