Consumer Rights Under the CCPA and CPRA: How Businesses Must Respond

Rights under CCPA and CPRA: what changed

The CPRA did not replace the CCPA. It amended and expanded it. Key changes relevant to consumer rights include:

• Introduction of the right to correct
• Introduction of limits on sensitive personal information
• Expanded disclosure expectations in responses
• Greater emphasis on proportional data use and retention
• Increased enforcement authority for the California Privacy Protection Agency

These amendments are codified in the official statutory text of the California Consumer Privacy Act and the California Privacy Rights Act amendments.

For businesses, these changes mean that rights-handling workflows must be more precise and better documented than under the original CCPA.

How consumers exercise their rights under the CCPA and CPRA

Understanding consumer rights under the CCPA also requires understanding how those rights are exercised in practice. Not all rights follow the same path, and businesses are expected to support multiple mechanisms depending on the right involved.

Broadly, CCPA and CPRA rights fall into two categories:

• Request‑based rights, which are exercised through consumer requests
• Preference‑ and link‑based rights, which must be available directly on a business’s website or interface

This distinction affects verification, response timing, and how businesses design their compliance workflows.

Request‑based rights and DSR workflows

Several consumer rights are exercised by submitting a data subject request to a business. These requests typically require intake, verification, and a documented response.

Request‑based rights include:

• The right to know (access)
• The right to delete
• The right to correct

These are commonly referred to as CCPA requests or data subject requests (DSRs).

For these rights, businesses are expected to:

• Provide clear request submission channels
• Verify the identity of the requester where required
• Respond within statutory timelines
• Explain any applicable legal exceptions
• Keep records of how the request was handled

Link‑based and preference‑based consumer rights

Other consumer rights must be available without requiring a traditional request workflow. These rights are typically exercised through clearly labeled website links or recognized preference signals.

Do Not Sell or Share My Personal Information

Businesses that sell or share personal information must provide a clearly labeled “Do Not Sell or Share My Personal Information” link. This right allows consumers to opt out of certain disclosures of their personal information.

Key characteristics of this right include:

• It must be available directly on the website or interface
• It may be exercised without identity verification in many cases
• It may be triggered through recognized opt‑out preference signals
• It requires businesses to stop applicable sale or sharing activities once exercised

Limit the Use of My Sensitive Personal Information

When a business uses sensitive personal information beyond limited, permitted purposes, consumers must be able to restrict those uses through a “Limit the Use of My Sensitive Personal Information” link or an equivalent combined mechanism.

This right:

• Applies only when sensitive personal information is used beyond allowed purposes
• Often overlaps with notice, purpose limitation, and data minimization obligations
• Requires businesses to adjust downstream processing once the limitation is exercised

Opt‑out preference signals

Under the CPRA framework, certain consumer choices may be expressed through browser or device‑based opt‑out preference signals. When recognized, these signals may require businesses to honor opt‑out rights automatically, without requiring the consumer to submit a separate request.

Businesses must account for these signals when designing their consumer rights handling processes and ensure they are applied consistently across applicable data uses.

Business obligations when consumer rights are exercised

When a consumer submits a request, the CCPA and CPRA shift focus from policy language to execution. Across all consumer rights, businesses are expected to address several common operational requirements.

Intake and request channels

Businesses must provide designated methods for submitting requests, such as web forms, toll‑free numbers, or other appropriate channels depending on how the business interacts with consumers.

Identity verification

Before fulfilling certain requests, businesses must verify the identity of the requester using methods appropriate to the sensitivity of the data involved. Verification requirements vary by request type.

Acknowledgment and response timelines

Businesses are expected to confirm receipt of a consumer request within a reasonable timeframe, typically within 10 business days.

In most cases, businesses have 45 days to respond to a verified request, with a possible extension when reasonably necessary. Silence or delayed responses can increase enforcement risk.

Response content

Responses must be complete, understandable, and consistent with disclosures made elsewhere, such as privacy policies and notices at collection.

Recordkeeping

Businesses are expected to document how requests are handled, including verification steps, response timing, decisions, and outcomes. Records should be retained for a defined period consistent with regulatory guidance and enforcement expectations.

Handling consumer rights in practice

Although each consumer right is distinct, most organizations manage them through a shared request workflow. That workflow typically includes:

• Request receipt and categorization
• Identity verification
• Internal data mapping and retrieval
• Evaluation of legal exceptions
• Consumer response and confirmation
• Internal documentation

Each step introduces practical challenges, especially for organizations with multiple systems, vendors, or data flows.

Use case: handling a CCPA access request

To illustrate how these obligations come together, consider the following common scenario.

A California resident submits a request to know through a company’s online privacy request form, asking for access to the personal information the business holds about them. The business reviews the submission within a few days, categorizes it as a CCPA access request, and sends an acknowledgment of receipt to the requester, typically within 10 business days.

Because the request involves disclosure of personal information, the business initiates identity verification. In practice, this often involves sending a verification link to the email address associated with the request or the consumer’s existing account. The requester must click the link or provide additional confirming information before the request is treated as verified.

Once identity verification is completed, the 45-day response period begins. During this time, the business identifies relevant personal information across customer account systems, marketing platforms, and customer support tools. Certain data elements are excluded from disclosure where statutory exceptions apply, such as information needed for security or legal obligations.

Before the response deadline, the business provides the required disclosures to the consumer in a readable format and explains any limitations or exclusions in clear, plain language. Finally, the business documents the request, verification method, response timing, and outcome as part of its internal recordkeeping, supporting accountability and potential regulatory review.

How this fits into overall CCPA obligations

Consumer rights are one part of the CCPA and CPRA framework. They interact with notice obligations, data minimization principles, vendor contracts, and enforcement expectations.

For a broader view of how consumer rights connect with other legal duties, see our CCPA compliance guide for businesses, which explains applicability thresholds, notice requirements, enforcement risks, and operational obligations in one place.

How Clym helps businesses manage CCPA consumer rights obligations

Managing CCPA and CPRA consumer rights requires coordination across websites, internal systems, vendors, and documentation processes. Clym provides tools that help businesses organize and manage these obligations in a structured, scalable way.

With Clym, businesses can:

• Publish consumer-facing controls, including privacy preference links and information panels, through Clym’s Control Center, making opt-out and limitation rights accessible from the website interface.
• Support intake and management of consumer rights requests through data subject request management workflows that track request status, response timelines, and outcomes.
• Monitor and organize access, deletion, correction, and opt-out requests in one place, helping teams coordinate responses across systems and vendors.
• Maintain records that support internal reviews, audits, and regulatory inquiries, aligned with evolving enforcement expectations.
• Align consumer rights handling with related obligations such as notices, policies, and data mapping by displaying consumer-facing information through a centralized governance portal.

Key takeaway

CCPA and CPRA consumer rights require more than disclosures. Businesses must support different ways for consumers to exercise their rights, distinguish between request-based and link-based obligations, and operate repeatable workflows for intake, verification, response timing, opt-out and limitation controls, and documentation. Understanding the rights is only the starting point. How those rights are handled in practice is where compliance risk and enforcement attention concentrate.