CCPA DSAR: Handling Data Access Requests Under California Privacy Law

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives consumers the right to know what personal information a business collects about them. Here's how to handle these requests — often called CCPA DSARs — correctly and efficiently.

The right to know under CCPA

CCPA Section 1798.100 establishes the consumer's right to know. A consumer can request that a business disclose the categories of personal information collected, the specific pieces of personal information collected, the sources from which it was collected, the business or commercial purpose for collecting or selling it, and the categories of third parties with whom it was shared.

The CPRA (effective January 2023) expanded these rights to include information about the use of sensitive personal information and introduced the right to correct inaccurate personal information.

Who is covered?

CCPA applies to for-profit businesses that meet any one of these thresholds: annual gross revenue exceeding $25 million; buying, receiving, selling, or sharing the personal information of 100,000 or more consumers, households, or devices; or deriving 50% or more of annual revenue from selling or sharing consumers' personal information.

The consumer must be a California resident. However, many companies apply CCPA standards nationwide to simplify compliance — and with similar laws now active in Virginia, Colorado, Connecticut, Texas, Oregon, and other states, this approach is becoming standard practice.

The 45-day response timeline

Businesses must respond to a verifiable consumer request within 45 calendar days of receipt. This can be extended by an additional 45 days (90 days total) if reasonably necessary, but the consumer must be notified of the extension and the reason within the first 45 days.

The California Privacy Protection Agency (CPPA) has signalled that extensions should not be routine — they should be reserved for genuinely complex requests. Systematic use of extensions may be treated as non-compliance.

Verification requirements

CCPA distinguishes between requests for categories of personal information and requests for specific pieces. Requests for specific data require a higher level of identity verification. The regulations suggest a tiered approach: for category-level requests, match at least two data points; for specific data requests, match at least three data points and obtain a signed declaration under penalty of perjury.

You cannot require the consumer to create an account to submit a request, and you must provide at least two methods for submitting requests (typically a web form and a toll-free number).

Redaction in CCPA responses

While CCPA doesn't use the word "redaction" as explicitly as GDPR, the principle is the same. When producing specific pieces of personal information, you must not disclose personal information belonging to other consumers. In practice, this means the same third-party PII redaction process required under GDPR — strip out names, contact information, and identifiers of anyone other than the requesting consumer.

For organisations handling both GDPR and CCPA requests, the redaction process is functionally identical. SafeRedact's DSAR mode works for both — preserve the subject's data, redact everyone else's. See our DSAR redaction guide for the detailed process.
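As an added illustration of the "preserve the subject's data, redact everyone else's" rule described above (example code written for this page, not SafeRedact's own implementation), the block below redacts third-party emails, phone numbers and names from a constructed chat export while keeping the requesting consumer's own identifiers. Names are taken from a constructed HR roster rather than NER, and the Person class, sample text and roster are assumptions for the demo.

```python
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
def _digits(s): return re.sub(r"\D", "", s)  # normalise phone formatting

@dataclass(frozen=True)
class Person:
    name: str
    email: str = ""
    phone: str = ""

def redact_for_subject(text, subject, roster):
    """Return (redacted_text, counts): third-party identifiers become labels, the subject's stay."""
    counts = {"email": 0, "phone": 0, "name": 0}
    keep_emails = {subject.email.lower()} if subject.email else set()
    keep_phones = {_digits(subject.phone)} if subject.phone else set()
    subject_tokens = {t.lower() for t in subject.name.split()}
    def replace(kind, keep, norm):
        def repl(m):
            if norm(m.group(0)) in keep:
                return m.group(0)  # the requesting consumer's own data is preserved
            counts[kind] += 1
            return f"[{kind.upper()} REDACTED]"
        return repl
    # Pass 1: pattern sweep first, so a name token inside an address (priya.n@...) cannot split it.
    text = EMAIL_RE.sub(replace("email", keep_emails, str.lower), text)
    text = PHONE_RE.sub(replace("phone", keep_phones, _digits), text)
    # Pass 2: roster-driven names (constructed HR directory stands in for NER).
    # A name part shared with the subject, e.g. a common surname, is never redacted.
    for person in roster:
        if person.name == subject.name:
            continue
        parts = [p for p in person.name.split() if p.lower() not in subject_tokens]
        for tok in [person.name] + parts:
            pat = re.compile(r"\b" + re.escape(tok) + r"\b", re.IGNORECASE)
            text, n = pat.subn("[NAME REDACTED]", text)
            counts["name"] += n
    return text, counts

# Constructed sample: a short chat export; Jordan Lee is the requesting consumer.
SAMPLE = """\
[09:12] Jordan Lee (jordan.lee@example.com): call me on 415-555-0134?
[09:15] Priya Natarajan (priya.n@example.com): sure, loop in Marcus Webb.
[09:16] Marcus Webb: my line is 415.555.0199; jordan.lee@example.com has it.
[09:20] Dana Lee: thanks Priya
"""
ROSTER = [Person("Jordan Lee", "jordan.lee@example.com", "415-555-0134"),
          Person("Priya Natarajan", "priya.n@example.com"),
          Person("Marcus Webb"), Person("Dana Lee")]
```

The returned counts give the per-category redaction tally a reviewer would record in the DSAR audit log before release.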

CCPA vs GDPR: key differences for access requests

Deadline: CCPA gives 45 days; GDPR gives 30 days.
Scope: CCPA applies to California residents; GDPR applies to individuals in the EU/EEA.
Applicability: CCPA applies to businesses meeting revenue/data thresholds; GDPR applies to any entity processing personal data of covered individuals.
Response content: CCPA specifically requires disclosure of commercial purposes and categories of third parties; GDPR requires information about rights, retention periods, and automated decision-making.
Fees: CCPA responses must be free; GDPR allows fees for excessive requests.

For a comprehensive view of GDPR obligations, see our GDPR redaction guide and UK GDPR redaction guide.

Penalties for non-compliance

The CPPA can impose administrative fines of $2,500 per unintentional violation and $7,500 per intentional violation. There is no cap on total fines — violations are assessed per consumer, per instance. A systematic failure to respond to access requests affecting thousands of consumers can result in multi-million dollar penalties.

Consumers also have a private right of action for data breaches involving certain categories of personal information (though not for DSAR non-compliance directly). The reputational cost of being publicly cited by the CPPA often exceeds the financial penalty.

Efficient CCPA DSAR processing

The 45-day CCPA deadline is more generous than GDPR's 30 days, but the volume of data can be just as large. Employee access requests in particular can generate tens of thousands of documents across email, HR systems, Slack, and shared drives.

SafeRedact Enterprise processes bulk data exports with selective PII preservation — name the consumer, upload the data as a ZIP, and the system handles the redaction across PDFs, emails, spreadsheets, and chat transcripts. Zero data retention means the tool itself doesn't create a new compliance liability. See the full compliance checklist.


Frequently asked questions

Does CCPA require responses to data access requests?

Yes. CCPA Section 1798.100 gives consumers the right to know what personal information a business collects. Businesses must respond within 45 calendar days.

How does a CCPA access request differ from a GDPR DSAR?

CCPA gives 45 days vs GDPR's 30, applies to California residents vs EU/EEA individuals, and specifically requires disclosure of commercial purposes and third-party sharing categories.

Do I need to redact third-party data in a CCPA response?

Yes. You must not disclose other consumers' personal information when fulfilling an access request. The redaction process is functionally identical to GDPR — remove all third-party PII before disclosure.