What Is a CCPA Data Subject Request (DSR)? Examples and Workflows

A CCPA data subject request (DSR) is a formal request submitted by a California resident (a consumer, employee, or B2B contact) asking a business to act on their data privacy rights. These rights include accessing, deleting, correcting, or opting out of the sale and sharing of their personal information. Managing these requests requires a structured workflow: from verifying identity and discovering data, to delivering a secure "CCPA document" with the requested information within a strict 45-day deadline.

When most businesses consider the requirements for managing their compliance with the California Consumer Privacy Act (CCPA), the initial focus is usually on legal obligations, updating privacy notices, cookie banners, and so on, all of which we discuss at length in our CCPA compliance guide 2026 for businesses.

But the most visible and operationally complex aspect of the law is what happens when a user actually exercises their rights. These are commonly referred to as Data Subject Requests (DSRs) or Verifiable Consumer Requests.

Whether a California resident is asking to see the data you hold on them, delete their account history, or stop you from selling their behavioral data to third parties, understanding what these requests look like in practice is essential.

In this guide, we break down the meaning of DSRs, look at real-world examples (including the newly required employee DSARs), answer common consumer questions, and provide a step-by-step checklist for building a compliant CCPA data subject request workflow.

What is a data subject request (DSR), and what is a DSAR?

A data subject request (DSR) is a formal request submitted by an individual asking an organization to take action regarding their personal data. Under the CCPA, this is legally referred to as a "verifiable consumer request."

You will often hear the terms DSR and DSAR used interchangeably, though they have slightly different meanings:

  • DSR (Data Subject Request): The umbrella term for any privacy request, including the right to delete, correct, limit sensitive data, or opt-out.
  • DSAR (Data Subject Access Request): A specific type of DSR where the individual is strictly exercising their Right to Access (asking for a copy of the specific pieces of personal information the business has collected about them).

While the term originated under the GDPR, "DSR requirements" are now a fundamental pillar of US state privacy laws, including the CCPA.

CCPA Privacy Rights & DSR Requirements

Not all privacy rights require the same type of workflow. Below is a breakdown of which CCPA rights require a formal Data Subject Request and identity verification:

| Consumer privacy right | Requires formal DSR? | Requires identity verification? | Primary action required |
| --- | --- | --- | --- |
| Right to Access | Yes | Yes (Reasonable/High degree) | Provide a secure CCPA document with data |
| Right to Delete | Yes | Yes | Erase data from internal systems & vendors |
| Right to Correct | Yes | Yes | Update inaccurate personal information |
| Right to Opt-Out of Sale/Sharing | No (Frictionless Link) | No | Stop transmitting data to third parties |
| Right to Limit Sensitive Data | No (Frictionless Link) | No | Restrict sensitive data to strictly necessary uses |

What does a CCPA data subject request look like? (Real-World Examples)

In most cases, consumer requests aren't filled with legal jargon. They are simple messages submitted through a website portal, a privacy email address, or an account dashboard.

Here is what different types of CCPA data subject requests look like in practice:

1. The Right to Access (DSAR) Example

The Request: "I would like to know what personal information your company has collected about me over the past year, where you got it, and who you have shared it with. Please send a copy of my data."

The Workflow: Access requests require businesses to disclose the categories of data collected, the sources, the business purpose, and the specific pieces of data. For a detailed explanation of disclosure scope, see our article on handling access requests under the CCPA.

2. The Right to Delete Example

The Request: "Please delete all the personal information associated with my account and remove me from your marketing databases."

The Workflow: Deletion requests ask a business to remove personal data from internal systems and pass that deletion request down to third-party service providers. However, there are statutory exceptions (e.g., keeping data necessary for billing or legal compliance). More detail is available in our guide on handling deletion requests under the CCPA.

3. The Right to Correct Example

The Request: "The physical address and phone number tied to my account profile are outdated and incorrect. Please update them to reflect my current residence."

The Workflow: New under the CPRA amendments, businesses must use "commercially reasonable efforts" to correct inaccurate personal data when requested. See our guide on handling correction requests under the CCPA.

4. The Employee DSAR Example (Crucial 2026 Focus)

The Request: "I am a former employee. I am requesting a copy of my employment file, including my performance reviews, HR records, and any internal communications referencing my termination."

The Workflow: When the CPRA took full effect, the exemption for HR and B2B data expired. Employees, job applicants, and contractors are now "consumers" under the CCPA. Employee DSARs are notoriously complex because businesses must extract the employee's personal data from emails, Slack messages, and HR platforms while redacting the personal information of other employees mentioned in those same documents.

How to submit a CCPA request?

Consumers typically submit CCPA requests through designated channels that a business explicitly outlines in its Privacy Policy and Notice at Collection.

To submit a CCPA request, consumers can look for:

  • Privacy Web Forms: Interactive forms linked in the footer of a website (often near the "Do Not Sell or Share My Personal Information" link).
  • Privacy Email Addresses: Dedicated inboxes (e.g., privacy@company.com) listed in the company's privacy notice.
  • Website Privacy Portals / Preference Centers: Dashboards where logged-in users can download their data or click "delete account."
  • Toll-Free Numbers: A mandated phone line where users can verbally request their data rights.

What actions are required for CCPA compliance regarding DSRs?

To facilitate CCPA compliance when handling data subject requests, businesses are required to adhere to strict statutory timelines. Missing these deadlines can trigger regulatory investigations and fines.

The CCPA DSR Response Timeline

| Deadline | Required business action |
| --- | --- |
| Day 0 | Consumer submits the verifiable privacy request. |
| Day 10 | Business must confirm receipt of the request and provide information on how it will be processed (e.g., verification steps). |
| Day 15 | Deadline to fully honor "Opt-Out of Sale/Sharing" or "Limit Sensitive Data" requests. |
| Day 45 | Deadline to fulfill or deny Access, Deletion, and Correction requests. |
| Day 90 | Maximum extended deadline to fulfill requests (only valid if the consumer was notified of the delay within the initial 45 days). |

The CCPA DSR Workflow: Step-by-Step Checklist

Managing DSRs manually via spreadsheets and email inboxes quickly becomes unscalable. To facilitate compliance, businesses should adopt a structured CCPA DSR checklist:

  • Step 1: Request Intake: The request enters the system through a secure web form or portal.
  • Step 2: Classification: The team identifies the type of request (Access, Deletion, Correction, Opt-Out) and notes the 45-day deadline.
  • Step 3: Identity Verification: The requester’s identity is verified to prevent fraud (e.g., matching email addresses, sending a confirmation link, or requiring a secure login). For more on these safeguards, read our guide on verifying identity under the CCPA.
  • Step 4: Data Discovery: The business locates the relevant personal information across its CRMs, marketing platforms, and third-party service providers.
  • Step 5: Review & Redaction: Legal or privacy teams review the data to check that no proprietary business data (or data belonging to someone else) is accidentally included.
  • Step 6: Response Preparation: The action is performed (data is deleted, corrected, or packaged for delivery).
  • Step 7: Documentation: The outcome is recorded in a secure log for audit purposes.

What is a CCPA document?

When a consumer submits a Data Subject Access Request (DSAR), the business must provide the requested personal information in a portable, easily understandable format. The file returned to the consumer is often referred to as a CCPA document.

According to the law, this document must be delivered securely, free of charge, and in a "readily usable format that allows the consumer to transmit this information from one entity to another without hindrance" (such as a structured CSV, JSON, or secure PDF file).

Operational Challenges Businesses Face

Organizations managing consumer requests often encounter massive operational bottlenecks if they lack the right software. Common challenges include:

  • Fragmented Data: Locating personal information across dozens of disjointed internal systems and SaaS tools.
  • Vendor Coordination: Ensuring that when you delete a user's data, your third-party marketing and analytics vendors delete it too.
  • Strict Timelines: Tracking the 45-day response deadlines across multiple requests simultaneously.
  • Audit Readiness: Regulators don't just care if you answered a request; they want to see your documentation proving how and when you handled it.

How Clym Helps Businesses Manage CCPA Data Subject Requests

Handling consumer rights requests requires seamless coordination between intake, verification, data discovery, and documentation. Attempting to do this manually exposes your business to regulatory fines and human error.

By installing Clym on your website, visitors can easily submit privacy requests through a compliant, user-friendly widget or Governance Portal. Once a DSR is submitted, requests automatically route to the Clym Control Center, where your team can:

  • View all incoming requests in a single, centralized dashboard.
  • Automatically track request status and 45-day response deadlines.
  • Communicate directly and securely with requesters.
  • Automate identity verification steps.
  • Maintain an immutable documentation log for audits or CPPA regulatory inquiries.

By centralizing request intake, communication, and documentation, Clym transforms CCPA compliance from a legal headache into an automated, seamless workflow.

Frequently Asked Questions (FAQs)

A data subject request is a formal submission by a California resident asking a business to act on their privacy rights, such as the right to access, delete, or correct their personal information.

Consumers typically submit requests through a company's designated channels, which usually must include at least two methods. Common methods include a toll-free phone number, a privacy web form, a website preference center, or a dedicated privacy email address.

A basic request requires identifying information like a name, email address, and a description of the specific right being exercised. However, businesses may ask for additional data points to verify the consumer's identity to a "reasonable" or "reasonably high" degree of certainty before fulfilling the request.

No. While rights like Access, Deletion, and Correction require a formal, verifiable request, the right to "Opt-Out of Sale/Sharing" or "Limit the Use of Sensitive Personal Information" must be frictionless. These are typically exercised via a website link, a cookie banner, or a browser-based opt-out preference signal, such as Global Privacy Control.

The CCPA requires businesses to maintain records of all consumer privacy requests, and how they were handled, for at least 24 months. This documentation is required to demonstrate compliance during audits or investigations by the California Privacy Protection Agency (CPPA).

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
