The California Consumer Privacy Act (CCPA) is the first privacy law of its kind to pass in the United States – transforming the way organizations must think about and structure their privacy program. The CCPA outlines certain rights for California residents, including:

  • The right to be informed with regards to personal data collection
  • The right to request information
  • The right to opt out of the sale of their personal information by a business to third parties
  • The right of deletion of personal data
  • The right not to be discriminated against by a business for exercise of consumer rights
  • A direct right of action in the case of a breach involving non-encrypted or non-redacted personal information that is not cured by the business within a 30-day period

One of the primary challenges for organizations gearing up for the CCPA is how to handle consumer requests. Here is a quick list of the most common dos and don’ts relating to consumer rights management under the CCPA.

CCPA Consumer Rights Management Dos:

Take a Practical Approach

Map workflows that are documented and repeatable. Scale to automation over time or as needed, and ensure your process is flexible and iterative. Edge cases will happen, so it’s important to be able to adapt accordingly.

Standardize and Structure the Intake Process

You will need multiple methods to comply with the CCPA’s requirements for taking in consumer requests, which is why it’s important to define a standardized and structured process to streamline things. To maintain compliance, you will need a phone number for taking requests, as well as a link on your website and the ability to take requests by mail.

  • Ex. Web intake: don’t just have people send emails to a privacy inbox; use a web form so every request arrives with the same required fields
  • Ex. Call center: don’t just have people call in and say, “Delete my data”; have your reps gather specific data points and enter them into a defined process

Validate Consumer Identity Based on Persona of Consumer

Identity validation depends on how you interact with the consumer making the request. In most cases, you can validate with existing authentication or a combination of known data such as account number, address, and date of birth. In certain cases, you can escalate validation with security questions, document uploads, and integrations with validation systems such as Experian. But keep in mind that this is not a one-size-fits-all process. Depending on the complexity of the request or the type of data being requested, you may need more advanced methods to gather additional data, as necessary.

Think clearly about who on your team will intake and fulfill consumer requests—whether it’s IT, Privacy, Customer Care, etc.—and train them accordingly.


CCPA Consumer Rights Management Don’ts:

Do Not Force Account Creation

Under the CCPA, you cannot force a consumer to create an account in order to fulfill a consumer request. Ensure that your consumer request methods comply with the CCPA.

Do Not Forget About the Consumer

You can have the most well-oiled system, but you still need to be able to intake the request and send data to the consumer in a secure manner, all while maintaining consumer satisfaction from a business perspective.

Do Not Gather Too Much Information

You need to consider what information is absolutely necessary in order to verify the request. Asking too many questions for unnecessary information makes for an unpleasant user experience and can violate collection limitation and data minimization principles. It is important to have a flexible workflow so that you can ask for more information only when it is needed.

Regardless of the maturity of your privacy program, it’s never too soon to start planning for your CCPA readiness. OneTrust for CCPA is a full set of scalable solutions and services specifically designed to implement CCPA requirements and workflows to support a global privacy program.

For additional information, or to request a live OneTrust Privacy Management Software demo, visit or email [email protected]