CCPA / CPRA April 2026 · 11 min read

California Data Privacy Law: How to Respond to Consumer Requests

If your company has received a consumer data request from a California resident, you need to understand what the law requires, how quickly you must respond, and what information must be redacted before you send the response. This guide covers the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) in practical terms — what it means for your business, not just what the statute says.

These requests are known as Data Subject Access Requests (DSARs) under European law and as consumer privacy requests under U.S. state law; the CCPA regulations call them requests to know, delete, correct, opt out or limit, depending on the right invoked. Regardless of the terminology, the workflow is the same: locate the consumer's personal data, review it, redact other people's personal information, and respond within the statutory deadline.

For a comparison of all US state privacy laws, see our comprehensive comparison page. For state-specific guidance, see our guides for Virginia, Colorado and Connecticut.

Does this law apply to my business?

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is codified at Cal. Civ. Code §§ 1798.100–1798.199.100. The CCPA took effect on January 1, 2020; the CPRA amendments became operative on January 1, 2023.

Applicability thresholds: A for-profit business that does business in California is covered if, in the preceding calendar year, it had annual gross revenue exceeding $25 million (a figure the CPPA adjusts for inflation every odd-numbered year); OR it bought, sold or shared the personal information of 100,000 or more consumers or households; OR it derived 50% or more of its annual revenue from selling or sharing consumers' personal information. Meeting any one threshold is enough.

Exemptions: HIPAA-covered entities (for protected health information), financial data covered by the Gramm-Leach-Bliley Act (GLBA), and data governed by the Fair Credit Reporting Act (FCRA). These are data-level exemptions: a bank is still covered for marketing or website data that GLBA does not reach. The employee and B2B data exemptions expired on January 1, 2023, so workforce members, job applicants and business contacts can now submit requests.

Physical presence: No physical presence required. Applies to any entity that does business in California and meets the thresholds, regardless of where the entity is located.

Practical note: If you are unsure whether your business meets the thresholds, consult your legal team. The penalties for non-compliance are significant, and "we didn't know the law applied to us" is not a defense.

What rights do consumers have?

Under the CCPA / CPRA, California consumers have the following rights regarding their personal data:

- Right to know what personal information is collected, used, sold or shared, and to access it (§§ 1798.100, 1798.110, 1798.115)
- Right to delete (§ 1798.105)
- Right to correct inaccurate personal information (§ 1798.106, added by CPRA)
- Right to opt out of the sale or sharing of personal information (§ 1798.120)
- Right to limit the use and disclosure of sensitive personal information (§ 1798.121, added by CPRA)
- Right not to be discriminated against for exercising any of these rights (§ 1798.125)

CPRA significantly expanded consumer rights beyond the original CCPA: it added the rights to correct and to limit sensitive personal information, and it directed the CPPA to issue regulations giving consumers access and opt-out rights with respect to automated decision-making technology. Authorized agents may submit requests on a consumer's behalf; the business may require proof of the agent's authorization and may still verify the consumer's own identity.

How long do I have to respond?

You have 45 calendar days from receipt of the request to provide a substantive response.

Extensions: One additional 45-day extension if reasonably necessary. The business must notify the consumer of the extension and the reason within the initial 45-day period.

When the clock starts: The clock starts when the request is received, regardless of whether identity verification is complete. Verification must happen during the response period — it does not pause the deadline.

Responses must be provided free of charge, and a consumer may make a request to know up to twice in a 12-month period. A business may charge a reasonable fee, or decline to act, only if the request is manifestly unfounded or excessive (for example, because it is repetitive), and the business bears the burden of demonstrating that.

Critical point: The deadline runs from when you receive the request, not from when you finish verifying the consumer's identity. Do not wait to begin processing until verification is complete — start locating and reviewing the data immediately.

What do I need to redact before responding?

When you compile documents for a consumer data request response, you will inevitably find personal information belonging to other people — colleagues, clients, family members, business contacts. This third-party data must be redacted before you send the response to the requesting consumer.

What to redact (third-party personal data)

What requires judgment

Some categories of information require case-by-case assessment:

What to keep (the requester's own data)

The entire point of a consumer data request is to give the individual access to their own data. Do not redact the requester's personal information. This includes their name, email, phone number, address, employment records, transaction history, and any other data that relates to them specifically.

This is what makes data request redaction different from standard document redaction. You are performing selective redaction: keeping one person's data while removing everyone else's. The requester's verified identifiers act as an allowlist, and everything else that looks like personal information is removed. Automated tools that simply blank out all PII will over-redact and produce an unusable response.
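As an added illustration of the allowlist approach (this is example code, not SafeRedact's implementation), the script below contrasts the naive "blank all PII" pass with a selective pass keyed on the verified requester's identifiers. It assumes regex detection for e-mail addresses and phone numbers, a roster of names the business already holds (a CRM or HR directory stands in for a name-recognition model), and a constructed sample record; the `Requester`, `redact_all_pii` and `redact_third_party` names are this example's own.

```python
import re
from dataclasses import dataclass

# Detection patterns for two machine-recognisable identifier types. A real pipeline
# would add NER for names, address parsing, etc.; this is the minimum that shows
# the selective (allowlist) logic.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# North American numbers as commonly written: 415-555-0100, (415) 555-0100,
# 415.555.0100, +1 415 555 0100. Lookarounds stop matches inside longer digit runs.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)


def norm_email(s: str) -> str:
    return s.strip().lower()


def norm_phone(s: str) -> str:
    """Keep the last ten digits so '(415) 555-0100' and '+1 415 555 0100' compare equal."""
    return re.sub(r"\D", "", s)[-10:]


@dataclass(frozen=True)
class Requester:
    """Identifiers of the *verified* requester. Everything in here is kept; anything
    else that looks like PII is redacted. Populate this only from identity
    verification output: if an unverified requester could supply someone else's
    e-mail, the allowlist would hand that person's data to them."""
    names: frozenset
    emails: frozenset
    phones: frozenset

    @classmethod
    def build(cls, names, emails, phones):
        return cls(
            frozenset(n.lower() for n in names),
            frozenset(norm_email(e) for e in emails),
            frozenset(norm_phone(p) for p in phones),
        )


def _redact_names(text: str, roster, keep=frozenset()) -> str:
    # Roster = people known to appear in the records (constructed here; in practice
    # the CRM or HR directory). Longest names first so "Ann Lee-Park" is not
    # partially hit by "Ann Lee".
    for name in sorted(roster, key=len, reverse=True):
        if name.lower() in keep:
            continue
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[REDACTED-NAME]",
                      text, flags=re.IGNORECASE)
    return text


def redact_all_pii(text: str, roster) -> str:
    """Naive approach: blank every identifier. Over-redacts the requester's own data
    and produces an unusable response."""
    text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    text = PHONE_RE.sub("[REDACTED-PHONE]", text)
    return _redact_names(text, roster)


def redact_third_party(text: str, requester: Requester, roster) -> str:
    """Selective redaction: keep the requester's identifiers, redact everyone else's.
    E-mails and phones go first so a name embedded in an address is handled by the
    address rule rather than being half-replaced by the name rule."""
    text = EMAIL_RE.sub(
        lambda m: m.group(0) if norm_email(m.group(0)) in requester.emails
        else "[REDACTED-EMAIL]", text)
    text = PHONE_RE.sub(
        lambda m: m.group(0) if norm_phone(m.group(0)) in requester.phones
        else "[REDACTED-PHONE]", text)
    return _redact_names(text, roster, keep=requester.names)


# --- constructed sample input (fictitious people and records) ---
SAMPLE_RECORD = (
    "Customer: Maria Lopez <maria.lopez@example.com>, phone (415) 555-0100.\n"
    "Handled by agent Derek Chan (dchan@shop.example), 415-555-0199.\n"
    "Referral from Priya Natarajan, priya@mail.example, CC at +1 415 555 0142.\n"
)
ROSTER = ["Maria Lopez", "Derek Chan", "Priya Natarajan"]
# The requester's identifiers as they came out of verification, in a different
# format from the record to show that matching is done on normalised values.
REQUESTER = Requester.build(
    names=["Maria Lopez"], emails=["Maria.Lopez@example.com"], phones=["+1 (415) 555-0100"]
)

if __name__ == "__main__":
    print("--- naive, all PII blanked ---")
    print(redact_all_pii(SAMPLE_RECORD, ROSTER))
    print("--- selective, requester's data kept ---")
    print(redact_third_party(SAMPLE_RECORD, REQUESTER, ROSTER))
```

Running it shows the difference the paragraph describes: the naive pass strips the customer's own name, e-mail and phone along with the agent's and the referrer's, while the selective pass leaves the first line intact and redacts only the other two people. Normalising before comparison matters because the requester rarely writes their phone number the way it appears in your systems; without it, the requester's own number would be redacted and the response would be wrong in the other direction.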

What happens if I miss the deadline or get it wrong?

Penalties: Up to $2,500 per violation, and up to $7,500 per intentional violation or per violation involving the personal information of consumers the business knows are under 16 (§ 1798.155; the amounts are adjusted for inflation). Each request mishandled is a separate violation.

Enforcement: The California Privacy Protection Agency (CPPA) and the California Attorney General. A private right of action exists only for data breaches in which nonencrypted and nonredacted personal information is accessed or exfiltrated because the business failed to maintain reasonable security procedures (§ 1798.150), not for mishandled access requests.

Cure period: The 30-day cure period that existed under the original CCPA was repealed by CPRA effective January 1, 2023. The CPPA now has discretion in enforcement.

The Attorney General's 2022 settlement with Sephora ($1.2 million) arose from failing to process opt-out requests and failing to disclose the sale of consumer data; the Attorney General's 2024 settlement with DoorDash imposed a $375,000 penalty. The CPPA, which assumed enforcement authority in 2023, has been issuing investigative inquiries and bringing its own actions since.

Risk note: California no longer guarantees an opportunity to fix a violation before penalties apply, and where other states still provide a cure period it typically covers only a first violation. A pattern of non-compliance results in full penalties. The cost of responding correctly the first time is significantly lower than the cost of enforcement.

How SafeRedact helps

SafeRedact automates the most time-consuming part of responding to consumer data requests: identifying and redacting third-party personal information across thousands of documents.

Need to respond to a data privacy request?

SafeRedact detects and removes third-party PII from documents automatically. Files never leave your browser.
