How to Handle CCPA Right-to-Delete and Right-to-Know Requests
Practical guide to processing CCPA deletion and right-to-know requests, including identity verification, exceptions, and response requirements.
Last updated: 2026-02-07
A customer emails you: "I want to know what data you have on me. And then I want you to delete it."
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100) and its amendments under the CPRA, as of the date of publication.
Two sentences. Two completely different requests. Two different verification standards. Two different response requirements. And if you handle either one incorrectly, you could be looking at administrative fines of up to $2,500 per violation, or $7,500 per intentional violation or per violation involving the personal information of a consumer under 16 (Cal. Civ. Code § 1798.155).
This guide covers the practical mechanics of handling CCPA right-to-delete and right-to-know requests -- the two most common consumer requests you'll receive. We'll walk through how to receive them, verify them, process them, and respond correctly.
For the broader DSAR process under CCPA, including opt-out and correction requests, see our CCPA DSAR Process guide. For the full law overview, start with the Complete Guide to CCPA Compliance.
The Two Request Types at a Glance
Before we dig in, let's be clear about what each request actually is.
Right to Know (Cal. Civ. Code §§ 1798.110 and 1798.115): A consumer asks you to tell them what personal information you've collected about them. This comes in two flavors:
- Categories: "What types of data do you have, where did you get it, why did you collect it, and who did you share it with?"
- Specific pieces: "Give me the actual data -- my name, my purchase history, my browsing records, all of it."
Right to Delete (Cal. Civ. Code § 1798.105): A consumer asks you to erase their personal information from your systems. This means your databases, your service providers' databases, and anywhere else their data lives.
These requests often come together ("tell me what you have, then delete it"), but they must be processed separately because the verification requirements are different.
How to Receive Requests
The CCPA requires you to provide at least two designated methods for consumers to submit requests (Cal. Civ. Code § 1798.130(a)(1)):
- A toll-free telephone number
- If you maintain a website, a way to submit requests through that website (an interactive web form)
The one exception: a business that operates exclusively online and has a direct relationship with the consumers whose data it collects only has to provide an email address for requests; the toll-free number is not required.
Our recommendation: Set up all three -- a web form, a dedicated email address (like privacy@yourbusiness.com), and a phone number. The web form should be your preferred method because it gives you structured data to work with.
What Your Intake Form Should Capture
Design your form to collect:
- Consumer's full name (as used in transactions with you)
- Email address (associated with their account or purchases)
- Request type (know categories, know specific pieces, delete, or both)
- Additional identifiers (account number, order number, phone number -- anything that helps you locate their records)
- How they'd like to receive the response (email, mail, download)
A few design principles:
- Keep it short. More fields means more friction, and regulators will frown on intake processes that discourage requests.
- Don't require the consumer to create an account to submit a request.
- Make it accessible. If your website is available in Spanish, your form should be too.
- Provide a confirmation that the request was received (an auto-reply email or a confirmation page).
Recognizing Requests "In the Wild"
Not every consumer will find your privacy form. Some will email your general support address. Some will call your main line. Some will send a DM on social media. A few will walk into your store and ask in person.
Train your customer-facing staff to recognize privacy requests even when they don't use the words "DSAR" or "CCPA." Common phrasings include:
- "What information do you have about me?"
- "I want to see my data."
- "Delete my account and all my data."
- "Remove me from your system."
- "I want to be forgotten."
Any of these should trigger your DSAR process. Route the request to whoever handles privacy requests, log it, and start the clock.
Verifying the Consumer's Identity
Identity verification is where right-to-know and right-to-delete requests diverge. The CCPA regulations (11 CCR § 7060 et seq.) set verification standards that scale with the sensitivity of the data and the harm that would follow from acting on a fraudulent request.
Verification for Right-to-Know (Categories)
Standard: Reasonable degree of certainty
Match at least two pieces of information the consumer provides against data you already have in your records. For example:
- Name + email address on file
- Email address + order number from a past purchase
- Name + physical address associated with their account
If the information matches, you can proceed with confidence. If it doesn't match, ask the consumer for additional identifying information before denying the request.
Verification for Right-to-Know (Specific Pieces)
Standard: Reasonably high degree of certainty
This is a higher bar because you're handing over actual personal data. Getting this wrong -- sending someone's data to an impostor -- is both a privacy violation and a data breach, with its own notification obligations.
You must:
- Match at least three data points against your records
- Obtain a signed declaration under penalty of perjury confirming the requestor is the person whose data is being requested
The declaration can be electronic. A simple statement works: "I declare under penalty of perjury under the laws of the State of California that I am [name] and the information I have provided is true and correct." Add a signature line (typed name with date is acceptable for electronic submissions).
Verification for Deletion Requests
Standard: Reasonable degree of certainty
The regulations do not fix a single bar for deletion. They require a reasonable or a reasonably high degree of certainty depending on the sensitivity of the information and the risk of harm to the consumer from an unauthorized deletion: deleting browsing history is a reasonable-degree case (two matching data points), while deleting a consumer's stored family photographs is a reasonably-high-degree case (three). Because deletion is irreversible, treat three data points as the default for anything the consumer could not recreate.
One additional wrinkle: for online deletion requests, the regulations allow a two-step process. The consumer first clearly submits the deletion request, then separately confirms it ("Are you sure you want us to delete your data?"). This protects against accidental requests and against a fraudulent request submitted through a shared or compromised mailbox.
What If the Consumer Has an Account?
If the consumer has a password-protected account with you, the regulations let you verify identity through your existing authentication process for that account, with two conditions. First, you must have the consumer re-authenticate before you disclose or delete anything: a still-valid session cookie is not re-authentication, so prompt for the password (and the second factor, if enabled) again at the point of disclosure or deletion. Second, if you suspect fraudulent or malicious activity on or from the account, do not act on the request until you have verified further.
The three-data-point-plus-declaration rule described above is written for requesters who do not have an account. For account holders, re-authentication is the required safeguard; adding the perjury declaration to specific-pieces requests is a sensible extra layer, not a substitute for it.
What If You Can't Verify?
If verification fails, you must:
- Inform the consumer that you couldn't verify their identity
- Explain why (for example, that the details submitted did not match your records), without confirming which submitted value was correct. Telling an unverified requester "the email matched but the address didn't" turns your intake form into an oracle for confirming other people's details.
- Give them the opportunity to try again with additional information
You cannot simply ignore the request. The CCPA requires a response even if that response is a denial.
Where you could verify to a reasonable degree but not to the reasonably high degree needed for specific pieces, provide the category-level information instead of a flat denial, and tell the consumer that is what you did and why.
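Here is how the verification tiers above can be encoded as a single decision function. This is an added example, not code from the original article: it assumes a constructed record store (`SAMPLE_RECORDS`), a fixed set of matchable fields, and a hypothetical `delete_sensitive` request label for deletions that warrant the higher bar. Submitted values are normalized before comparison, comparisons are constant-time, an empty submitted field never counts as a match, and the message returned to the requester is deliberately generic so the form cannot be used to confirm which details were correct.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Matching thresholds as described above: two data points for a reasonable
# degree of certainty, three (plus a signed declaration) for a reasonably high
# degree. "delete_sensitive" is this example's own label for a deletion request
# covering data whose wrongful deletion would cause real harm (hypothetical name).
REQUIRED_MATCHES = {
    "know_categories": 2,
    "know_specific_pieces": 3,
    "delete": 2,
    "delete_sensitive": 3,
}
MATCHABLE_FIELDS = ("name", "email", "phone", "postal_code", "last_order_id")

# Deliberately generic: it does not reveal which submitted value matched.
FAIL_MESSAGE = ("We were unable to verify your identity from the information provided. "
                "Please resubmit with an additional identifier, such as an order number "
                "or the phone number on your account.")


def normalize(field_name: str, value: Optional[str]) -> str:
    """Canonicalize a value so formatting differences (case, spacing, phone
    punctuation) do not produce false mismatches."""
    if not value:
        return ""
    v = value.strip()
    if field_name == "email":
        return v.casefold()
    if field_name == "phone":
        return re.sub(r"\D", "", v)[-10:]          # national digits only
    if field_name == "name":
        return " ".join(v.casefold().split())
    return re.sub(r"\s+", "", v).casefold()         # postal codes, order ids


def fields_match(submitted: str, on_file: str) -> bool:
    """Constant-time compare; an empty submitted value never counts as a match."""
    return bool(submitted) and hmac.compare_digest(submitted.encode(), on_file.encode())


@dataclass
class VerificationResult:
    verified: bool
    matched_fields: tuple        # for the case log only; never sent to the requester
    required: int
    consumer_message: str


def verify_request(request_type: str, submitted: dict, records: list,
                   declaration_signed: bool = False) -> VerificationResult:
    """Decide whether a non-accountholder request meets the bar for its type."""
    required = REQUIRED_MATCHES[request_type]
    # The intake form makes email mandatory, so use it to locate the candidate record.
    email = normalize("email", submitted.get("email"))
    record = next((r for r in records
                   if fields_match(email, normalize("email", r.get("email")))), None)
    if record is None:
        return VerificationResult(False, (), required, FAIL_MESSAGE)

    matched = tuple(f for f in MATCHABLE_FIELDS
                    if fields_match(normalize(f, submitted.get(f)),
                                    normalize(f, record.get(f))))
    enough = len(matched) >= required
    if request_type == "know_specific_pieces" and not declaration_signed:
        enough = False                              # three points alone are not sufficient
    if not enough:
        return VerificationResult(False, matched, required, FAIL_MESSAGE)
    return VerificationResult(True, matched, required,
                              "Your identity has been verified; we are processing your request.")


# Constructed sample record store (not real data) standing in for the CRM lookup.
SAMPLE_RECORDS = [
    {"email": "ana.lopez@example.com", "name": "Ana Lopez",
     "phone": "+1 (415) 555-0142", "postal_code": "94107", "last_order_id": "ORD-7731"},
]

if __name__ == "__main__":
    two_points = {"name": "ana lopez", "email": "Ana.Lopez@example.com"}
    print(verify_request("know_categories", two_points, SAMPLE_RECORDS).verified)            # True
    print(verify_request("know_specific_pieces", two_points, SAMPLE_RECORDS, True).verified)  # False
```

The `matched_fields` tuple is what goes in your request log (see Tracking below); only `consumer_message` goes back to the requester. If you key records on something other than email, swap the lookup but keep the rule that the locating field itself counts as one of the matched points.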
Processing Right-to-Know Requests
Once identity is verified, it's time to gather the information. What you must disclose depends on whether the consumer asked for categories or specific pieces.
Category-Level Disclosure
You must provide:
- Categories of personal information collected about the consumer in the past 12 months
- Categories of sources from which you collected it
- The business or commercial purpose for collecting it
- Categories of third parties with whom you shared it
- Categories sold or shared (if applicable) and the categories of third parties who received it
- Categories disclosed for a business purpose and the categories of recipients
Use the CCPA's statutory categories (Cal. Civ. Code § 1798.140(v)) when possible: identifiers, customer records, protected classification characteristics, commercial information, biometric information, internet or network activity, geolocation data, sensory data, professional or employment information, education information, inferences, and (since the CPRA amendments) sensitive personal information.
Specific-Pieces Disclosure
Provide everything above, plus the actual personal information you hold about the consumer.
Critical safety rules for specific-pieces responses:
- Never disclose Social Security numbers, driver's license numbers, or other government IDs in full. You can confirm you have them (and provide the last four digits) but don't send the full number.
- Never disclose financial account numbers, health insurance IDs, or account passwords.
- Never disclose security questions and answers.
- Deliver the response securely. Use encrypted email, a secure download link, or another method that protects the data in transit. Don't send a CSV of someone's personal data in a plain-text email attachment.
- Use a portable, readily usable format. JSON, CSV, and well-structured PDFs are all acceptable. The point is that the consumer should be able to read and use the data without specialized software.
The 12-Month Lookback
By default you must disclose the personal information collected in the 12 months preceding the request. The CPRA amendments changed this: for information collected on or after January 1, 2022, a consumer may ask for data older than 12 months, and you must provide it unless doing so proves impossible or would involve a disproportionate effort (Cal. Civ. Code § 1798.130(a)(2)(B)). In practice, most businesses provide the 12-month window unless the consumer specifically asks for more, and they document the reason whenever they invoke the disproportionate-effort limit.
Frequency Limits
A consumer can only make a right-to-know request twice in any 12-month period. If you receive a third request within 12 months from the same consumer, you can deny it -- but you must still acknowledge the request and explain the denial.
Processing Deletion Requests
Deletion requests are conceptually simple (delete the data) but operationally complex (data lives in a lot of places).
What "Delete" Actually Means
When you receive a verified deletion request, you must:
- Delete the personal information from your active systems. This means your primary databases, CRM, email lists, analytics platforms, and anywhere else you store it.
- Direct your service providers and contractors to delete. Send written notification to every vendor that holds the consumer's data. They're contractually obligated to comply.
- Alternatively, deidentify or aggregate the data. If you have a legitimate reason to retain the data in a non-personal form (like aggregate analytics), you can deidentify it instead of deleting it. But true deidentification means the data cannot be re-linked to the consumer.
What About Backups?
This is a common question and a reasonable one. The CCPA regulations allow you to delay deleting personal information held on archived or backup systems until that backup is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose. Until then:
- Leave the personal information in the backup
- Don't use the backed-up data for anything other than restoring service
- When the backup is restored or otherwise accessed, scrub the consumer's data before it reaches an active system, and let the backup expire on its normal rotation
Document this approach. If a regulator asks, you want to show that you had a plan for backup data, not that you just ignored the issue.
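The "scrub on restore" approach above needs a record of what was deleted that does not itself retain the consumer's identifiers. The following added example (not from the original article) keeps a tombstone ledger keyed by a keyed hash of the normalized email under a hypothetical `LEDGER_KEY`, applies it to rows coming out of a constructed backup before they are loaded, and also shows the aggregation alternative from the "What Delete Actually Means" section, with a minimum-bucket-size guard so a month with a single order does not re-identify that customer.

```python
import hashlib
import hmac
from datetime import date

# Hypothetical key held by the privacy team; load it from a secrets manager in
# production. Keying the hash means a leaked ledger is not a list of emails.
LEDGER_KEY = b"example-ledger-key-rotate-me"


def consumer_token(email: str) -> str:
    """Keyed hash of the normalized email: what the ledger stores instead of the email."""
    return hmac.new(LEDGER_KEY, email.strip().casefold().encode(), hashlib.sha256).hexdigest()


def record_deletion(ledger: dict, email: str, request_id: str, deleted_on: date) -> None:
    """Tombstone a completed deletion so any later restore can be re-scrubbed."""
    ledger[consumer_token(email)] = {"request_id": request_id,
                                     "deleted_on": deleted_on.isoformat()}


def scrub_restored_rows(rows: list, ledger: dict, email_field: str = "email") -> tuple:
    """Apply the ledger to rows coming out of a backup before they reach an active
    system. Rows with no email are kept; returns (rows to load, rows dropped)."""
    kept = [r for r in rows
            if not r.get(email_field) or consumer_token(r[email_field]) not in ledger]
    return kept, len(rows) - len(kept)


def aggregate_monthly_revenue(rows: list, min_orders: int = 1) -> dict:
    """Deidentify-by-aggregation: per-month order counts and revenue with no
    identifiers. Buckets below min_orders are suppressed because a month with a
    single order is still that one customer's purchase."""
    out = {}
    for r in rows:
        bucket = out.setdefault(r["placed_on"][:7], {"orders": 0, "revenue_cents": 0})
        bucket["orders"] += 1
        bucket["revenue_cents"] += r["total_cents"]
    return {m: b for m, b in out.items() if b["orders"] >= min_orders}


# Constructed backup rows (not real data). Note the mixed-case email on the third
# row: normalization in consumer_token is what catches it.
BACKUP_ROWS = [
    {"order_id": "ORD-7731", "email": "ana.lopez@example.com", "name": "Ana Lopez",
     "total_cents": 4250, "placed_on": "2025-03-14"},
    {"order_id": "ORD-7802", "email": "ben.wu@example.com", "name": "Ben Wu",
     "total_cents": 1800, "placed_on": "2025-03-20"},
    {"order_id": "ORD-7910", "email": "ANA.LOPEZ@example.com", "name": "Ana Lopez",
     "total_cents": 999, "placed_on": "2025-04-02"},
]

if __name__ == "__main__":
    ledger = {}
    record_deletion(ledger, "Ana.Lopez@example.com", "DSAR-2025-0042", date(2025, 6, 1))
    kept, dropped = scrub_restored_rows(BACKUP_ROWS, ledger)
    print([r["order_id"] for r in kept], dropped)
    print(aggregate_monthly_revenue(BACKUP_ROWS, min_orders=2))
```

Run the scrub as part of the restore job itself, not as a follow-up ticket: the point is that tombstoned data never lands in an active database. The ledger is pseudonymous rather than truly deidentified (whoever holds the key can test a candidate email against it), so protect the key accordingly and keep the ledger entries only as long as backups that could contain the data exist.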
Exceptions to Deletion (Cal. Civ. Code § 1798.105(d); see also § 1798.145)
You are not required to delete personal information if you need it to:
- Complete a transaction that the consumer initiated
- Provide a good or service the consumer requested, or that's reasonably anticipated within an ongoing business relationship
- Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible
- Debug to identify and repair functionality errors
- Exercise free speech or ensure another consumer's right to exercise free speech
- Comply with the California Electronic Communications Privacy Act (CalECPA)
- Conduct research in the public interest, with appropriate safeguards
- Enable solely internal uses that are reasonably aligned with consumer expectations
- Comply with a legal obligation
If you invoke an exception, you must tell the consumer which one applies and why. Be specific. "We need your data for legal reasons" is too vague. "We are required to retain records of your purchases for [retention period] under [the specific tax or accounting rule that applies to you]" is appropriate. Cite the actual obligation; if you cannot name it, you have not established the exception.
Partial Deletion
Sometimes an exception applies to some of the consumer's data but not all of it. In that case, delete what you can and explain what you're retaining and why.
For example: A consumer asks you to delete their data. You need to retain their order history for tax compliance, but you can delete their browsing history, marketing preferences, and account profile. Delete what's deletable, retain what's exempt, and explain both in your response.
Responding to the Consumer
Timeline
- Acknowledge receipt within 10 business days
- Provide a substantive response within 45 calendar days (Cal. Civ. Code § 1798.130(a)(2))
- Extension: Up to 45 additional calendar days if needed, but you must notify the consumer within the initial 45 days and explain why
The clock starts when you receive the request, not when you verify identity. Don't let verification delays eat into your response window.
Response Content for Right-to-Know
Your response should include:
- The required disclosures (categories, sources, purposes, third parties, and/or specific pieces)
- A statement that the consumer has the right to not be discriminated against for exercising their rights (Cal. Civ. Code § 1798.125)
- Information about how to submit additional requests or contact you with questions
- If you're invoking any limitations (like the 12-month lookback or frequency limit), explain them
Response Content for Deletion
Your response should include:
- Confirmation that the deletion has been processed
- A list of any data you retained under an exception, and which exception applies
- Confirmation that your service providers have been directed to delete
- A note about any impact on the consumer's account or services (e.g., "Your account has been closed as a result of this request")
Response Content for Denials
If you deny a request (because verification failed, an exception applies to all the data, or the consumer exceeded the frequency limit), your response should include:
- A clear explanation of why the request was denied
- The specific basis for the denial
- Instructions for how the consumer can resubmit with additional information (the CCPA has no formal appeal process, but the consumer can also complain to the California Privacy Protection Agency or the Attorney General)
- Contact information for further questions
Delivery Method
Respond through the same channel the consumer used to submit the request, unless they specified a preference. For specific-pieces responses, use a secure delivery method:
- Encrypted email
- Secure download portal with time-limited access
- Secure file transfer
Do not send personal information via unencrypted email attachments. This is both a privacy risk and potentially a separate compliance violation.
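One way to build the time-limited secure download link listed above, as an added example rather than code from the original article: an HMAC-signed token that binds a request ID and the SHA-256 of the export file to an expiry, verified in constant time and accepted once. The signing key `DOWNLOAD_KEY`, the 24-hour lifetime, and the request IDs are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical signing key for download links; store it in a secrets manager in production.
DOWNLOAD_KEY = b"example-download-signing-key"
TOKEN_TTL_SECONDS = 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_download_token(request_id: str, file_sha256: str, now: Optional[float] = None) -> str:
    """Token = base64(claims) '.' base64(HMAC-SHA256(claims)). The claims name the
    request and the exact export file, so a token cannot be pointed at another file."""
    now = time.time() if now is None else now
    claims = {"rid": request_id, "sha256": file_sha256, "exp": int(now + TOKEN_TTL_SECONDS)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(DOWNLOAD_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def redeem_download_token(token: str, consumed: set, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and unused; else None.
    `consumed` is the store of already-used tokens (a set here; a table in practice)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:                       # malformed token or bad base64
        return None
    expected = hmac.new(DOWNLOAD_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # verify before trusting any field
        return None
    claims = json.loads(payload)
    if now > claims["exp"] or token in consumed:
        return None
    consumed.add(token)                       # single use: a forwarded link is dead after download
    return claims


if __name__ == "__main__":
    used = set()
    tok = issue_download_token("DSAR-2025-0042", "ab" * 32)
    print(redeem_download_token(tok, used))   # claims dict
    print(redeem_download_token(tok, used))   # None: already consumed
```

The download handler then looks up the export by `rid`, checks that its SHA-256 still equals `claims["sha256"]`, and streams it over HTTPS. Single use is the conservative choice; if consumers regularly lose the file mid-download, allow a small fixed number of redemptions rather than dropping the check.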
Building Efficient Workflows
If you're handling more than a handful of requests per month, you need systems, not heroics.
Templates
Create response templates for each scenario:
- Right-to-know (categories) response
- Right-to-know (specific pieces) response
- Deletion confirmation
- Partial deletion (with exceptions)
- Denial (verification failure)
- Denial (frequency limit)
- Extension notification
Each template should include all required elements so you never miss a disclosure requirement. Fill in the consumer-specific details and send.
Checklists
For deletion requests, maintain a checklist of every system and service provider that needs to be addressed:
- [ ] Primary database
- [ ] CRM system
- [ ] Email marketing platform
- [ ] Analytics system
- [ ] Cloud storage / file shares
- [ ] Customer support platform
- [ ] Payment processor (check retention requirements)
- [ ] Service Provider A (send deletion notice)
- [ ] Service Provider B (send deletion notice)
- [ ] Backup systems (flag for deletion on next rotation)
Customize this for your tech stack. Run through it for every deletion request.
Tracking
Track every request from receipt to completion. At minimum, record:
- Date received
- Request type
- Consumer name/identifier
- Verification status and date
- Processing status
- Response date
- Outcome (fulfilled, partially fulfilled, denied)
- Notes
Review your metrics monthly. If your average response time is creeping toward 40 days, that's a red flag -- one unexpected spike in volume and you'll miss deadlines.
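The timeline rules, the twice-in-12-months limit on right-to-know requests, and the tracking fields above fit naturally into one small request log. This is an added example, not a tool from the original article; the request IDs, consumer IDs, and the 2025 holiday are constructed, and the 12-month window is approximated as 365 days.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

RESPONSE_DAYS = 45            # Cal. Civ. Code § 1798.130(a)(2)
EXTENDED_RESPONSE_DAYS = 90   # one 45-day extension, notified within the first 45
ACK_BUSINESS_DAYS = 10        # confirm receipt within 10 business days
KNOW_REQUESTS_PER_YEAR = 2    # right-to-know requests a business must honor per 12 months


@dataclass
class DsarRequest:
    request_id: str
    consumer_id: str                  # internal customer id, not a name
    request_type: str                 # know_categories | know_specific_pieces | delete
    received: date
    verified_on: Optional[date] = None
    extended: bool = False
    responded_on: Optional[date] = None
    outcome: Optional[str] = None     # fulfilled | partial | denied
    over_limit: bool = False
    notes: List[str] = field(default_factory=list)


def add_business_days(start: date, days: int, holidays: Set[date]) -> date:
    """Count forward `days` weekdays that are not holidays."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            days -= 1
    return d


class DsarTracker:
    def __init__(self, holidays=()):
        self.holidays: Set[date] = set(holidays)
        self.requests: Dict[str, DsarRequest] = {}

    def receive(self, req: DsarRequest) -> DsarRequest:
        """Log a request. The clock starts on receipt, whatever verified_on ends up being."""
        if req.request_type.startswith("know"):
            window_start = req.received - timedelta(days=365)
            prior = [r for r in self.requests.values()
                     if r.consumer_id == req.consumer_id
                     and r.request_type.startswith("know")
                     and window_start < r.received <= req.received]
            if len(prior) >= KNOW_REQUESTS_PER_YEAR:
                req.over_limit = True     # may be denied, but must still be acknowledged
                req.notes.append(f"{len(prior)} prior right-to-know requests in the last 12 months")
        self.requests[req.request_id] = req
        return req

    def deadlines(self, request_id: str) -> Dict[str, date]:
        req = self.requests[request_id]
        days = EXTENDED_RESPONSE_DAYS if req.extended else RESPONSE_DAYS
        return {
            "acknowledge_by": add_business_days(req.received, ACK_BUSINESS_DAYS, self.holidays),
            "extension_notice_by": req.received + timedelta(days=RESPONSE_DAYS),
            "respond_by": req.received + timedelta(days=days),
        }

    def close(self, request_id: str, responded_on: date, outcome: str) -> None:
        req = self.requests[request_id]
        req.responded_on, req.outcome = responded_on, outcome

    def at_risk(self, today: date, warn_days: int = 10) -> List[str]:
        """Open requests due within warn_days, including anything already overdue."""
        return [rid for rid, req in self.requests.items()
                if req.responded_on is None
                and self.deadlines(rid)["respond_by"] - today <= timedelta(days=warn_days)]

    def average_response_days(self) -> Optional[float]:
        closed = [r for r in self.requests.values() if r.responded_on is not None]
        if not closed:
            return None
        return sum((r.responded_on - r.received).days for r in closed) / len(closed)


if __name__ == "__main__":
    tracker = DsarTracker(holidays={date(2025, 7, 4)})   # constructed holiday calendar
    tracker.receive(DsarRequest("DSAR-5", "C-200", "delete", date(2025, 7, 3)))
    print(tracker.deadlines("DSAR-5"))
    print(tracker.at_risk(date(2025, 8, 10)))
```

Feed `at_risk` into whatever alerting you already run; the monthly review of `average_response_days` is the early warning the section above describes. Note that `verified_on` is recorded but never used in the deadline math, which is exactly the point.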
Frequently Asked Questions
Can I charge for processing requests? No. CCPA requests are free to the consumer (Cal. Civ. Code § 1798.130). The only exception is if a request is "manifestly unfounded or excessive" -- but the bar for that is very high, and you need to be prepared to justify it.
What if the same person makes both a right-to-know and a deletion request? Process the right-to-know request first (so you have the data to disclose), then process the deletion. If they came as separate requests, each gets its own 45-day timeline.
What if I can't find any data for the consumer? Tell them. Your response should confirm that you searched your records and did not find personal information associated with their identity. This is still a valid response -- you just need to actually search first.
Do I have to delete data from third parties I've shared it with? If they're your service providers or contractors, yes -- you must direct them to delete, and they must in turn notify their own service providers. If they're third parties to whom you sold or shared the data, you must notify them to delete it too, unless that proves impossible or would involve a disproportionate effort (Cal. Civ. Code § 1798.105(c)). Whether and how the third party then complies is governed by its own CCPA obligations, so keep a record of the notice you sent.
What about employee requests? Employees, job applicants, and independent contractors who are California residents also have CCPA rights, including the right to know and the right to delete. However, exemptions exist for certain data necessary for employment-related purposes (Cal. Civ. Code § 1798.145).
References
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text on the California Legislative Information site
- California Privacy Rights Act (CPRA): Proposition 24 (2020), amending the CCPA. CPRA ballot text
- CCPA Regulations: Title 11, Division 6, California Code of Regulations. Final CCPA regulations (California Office of the Attorney General)
- California Privacy Protection Agency (CPPA): Official CPPA website
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Need templates for every type of CCPA consumer request? Our DSAR Response Templates include ready-to-use templates for right-to-know responses, deletion confirmations, denials, and extension notices -- all built with the required CCPA disclosures so you can respond quickly and completely.