CCPA Data Access Requests: The 5 Key Do's and Don'ts
The California Consumer Privacy Act (CCPA) is scheduled for enforcement as from January 1, 2020. Since its enactment on June 28, 2018, CCPA has opened up discussions about the future of consumer data protection in the US.
Essentially, CCPA puts consumers in charge of their privacy by obliging businesses to disclose the categories of personal information they have collected about them. Additionally, consumers have the right to opt out of the sale of their information and to access, correct, delete, or port it.
This obligation applies to requests from consumers and non-consumers alike. Consequently, managing subject rights requests under CCPA is challenging, especially if your business receives thousands of requests a month. This article puts together five crucial Do's and Don'ts of managing subject rights requests.
Adopt a Customer-Focused Authentication Framework
Don't: compel a consumer to set up an account, surrender unwarranted personal information to validate their identity, or undergo a tedious verification procedure.
Additionally, do not retain extra information about the consumer obtained during the validation procedure, and do not fail to offer clear direction and communication during the authentication process.
Do: create a system that allows customers to send requests without needing to create an account with your company. Above all, put in place practical authentication standards that help you determine whether a consumer is requesting in good faith and is the owner of the information in question.
Furthermore, explore ways to authenticate the different categories of information you collect, and introduce a signed affidavit to formalize the process. In this way, you can deny a request if you are unable to reach a suitable degree of confidence during the authentication procedure.
Obtain and Share Personal Information in a Compliant Way
Don't: share unencrypted personal information via e-mail. When your business is processing subject rights requests under CCPA, the personal data involved is potentially sensitive, and transmitting it via unencrypted e-mail exposes it to several security risks.
Do: create a safe way of relaying information back to the requestor. For example, you can establish a temporary account that the consumer can log in to, or issue limited-use cryptographic keys.
Reduce the Volume of Personal Data your Business Collects
Don't: request unnecessary data, especially if you do not already hold it in your database. For example, if you do not require a surname in your data collection procedures, do not compel a requestor to provide their full name to process a request.
Do: request the data that helps you uniquely identify the person who is the subject of a rights request. This may span multiple categories, because a name alone is not sufficient to identify a person; other identifiers are needed to distinguish two parties that share the same name.
It is also vital to ensure that the data you gather includes a channel for correspondence with the requestor, such as an e-mail address.
Delete Important Information
Don't: go over the top trying to purge every backup in which personal data is held. Instead, focus your efforts on mechanisms that flag data from backups or cold storage when it reappears, so that it is not reused.
Do: stay aware of where your data is held, and when a deletion request arrives, respect it by removing the data from all the databases in which it is stored and processed.
Ensure that you have instituted mechanisms to stop the re-emergence of information about a person who has opted out of your service.
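One way to implement the "flag it when it reappears" mechanism described above, as an added example that is not part of the original article: a suppression list of keyed hashes of deleted consumers' identifiers, checked against records restored from a backup. The record schema, the key and the sample data are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Iterable

# Constructed sample: records restored from a cold-storage backup (hypothetical schema).
RESTORED_BACKUP = [
    {"id": 101, "email": "alice@example.com", "name": "Alice"},
    {"id": 102, "email": "bob@example.com", "name": "Bob"},
    {"id": 103, "email": "carol@example.com", "name": "Carol"},
]

# Assumed secret for the HMAC. Storing keyed hashes rather than raw e-mail addresses
# means the suppression list itself does not become a new copy of the deleted data.
SUPPRESSION_KEY = b"constructed-demo-key-do-not-reuse"


def suppression_token(email: str) -> str:
    """Keyed hash of the normalised identifier (trimmed, lower-cased), so that
    'Bob@Example.com' in a deletion request matches 'bob@example.com' in a backup."""
    normalised = email.strip().lower().encode()
    return hmac.new(SUPPRESSION_KEY, normalised, hashlib.sha256).hexdigest()


def build_suppression_list(deleted_emails: Iterable[str]) -> set:
    """Tokens for every consumer whose deletion request has been honoured."""
    return {suppression_token(e) for e in deleted_emails}


def filter_restored(records, suppression: set):
    """Split restored records into those safe to reload and the ids of those
    flagged because the subject previously exercised a deletion request."""
    kept, flagged = [], []
    for rec in records:
        if suppression_token(rec["email"]) in suppression:
            flagged.append(rec["id"])
        else:
            kept.append(rec)
    return kept, flagged


def demo():
    # Deletion request arrived with different letter case than the backup copy.
    suppression = build_suppression_list(["Bob@Example.com "])
    return filter_restored(RESTORED_BACKUP, suppression)
```

The flagged ids are what a restore job should log and quarantine rather than reload into production systems.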
Automate Crucial Practices
Don't: automate information pulls from all your systems at once unless you are confident that the effort is necessary and cost-effective. Although businesses are concerned about request volumes, automating everything is not always the solution.
Go step by step, and add further automation as part of a long-term plan to improve your program.
Do: embrace a risk-focused plan by carrying out data inventories to identify the kinds of information that will be subject to rights requests.
Focus on automating data pulls from systems where manual handling has security, performance, or cost implications, while also working out how to deal with the parts that cannot be automated.
Don’t Hurry to Reject Improperly Submitted Requests
Don't: deny consumers' data requests just because they were submitted by a method that is not designated for that purpose. If you have an online form and an e-mail address designated for submitting requests, but the consumer has submitted the request over the phone, you must not deny such a request.
Do: treat every request as if it had been submitted by the designated method, or guide the consumer on how to submit it properly.
Do not deny the request outright; doing so is a violation of the CCPA.
After Denying a Request to Delete, Ask Consumers If They Want to Opt-Out
Don't: assume your duties end once you have responded. In some cases you may legitimately deny a consumer's request to delete their data, but responding to the request is not the end of your obligations.
Do: after denying the request to delete, ask the consumer whether they want to opt out of the sale of their personal information, if you sell such data.
Build trust with your customers and avoid incurring costly penalties by using Secure Privacy’s solutions to comply with CCPA. These solutions are easy to use and integrate with any website seamlessly.
Our detailed guide about CCPA gives you valuable tips on how to make your company or website CCPA compliant. Alternatively, book a call to get your additional queries answered by our team of experts.