Consumer Rights Workflow decisions under the US CCPA should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.
This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.
Structured answer sets in this page tree.
Cited legal and guidance references.
This page maps US CCPA obligations for Consumer Rights Workflow to trigger conditions, accountable owners, required deadlines, evidence records, and review paths that product, legal, privacy, security, and compliance teams can apply.
Run the workflow as California privacy operations: intake the request or signal, identify the right involved, verify identity only when required, route the request to the right owner, meet the response deadline, and document the outcome for review. For delete, correct, know, and ADMT access requests, businesses must confirm receipt within 10 business days and generally respond within 45 calendar days, with one 45-day extension if they notify the consumer. For opt-out of sale/sharing and limit requests, the business should comply as soon as feasibly possible, and no later than 15 business days. If the request cannot be verified or another CCPA exception applies, the business may deny the request and should explain why.
A useful template captures the source, who or what the request applies to, the right involved, the decision, the deadline, and the evidence trail needed to show the business acted correctly.
Review the workflow after CPPA updates, ad-tech changes, new collection points, vendor changes, consumer complaints, enforcement advisories, or material product changes.
This US CCPA guide turns Consumer Rights Workflow into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.
Turn Consumer Rights Workflow into scoped questions, evidence fields, and review tasks.
Use Research Copilot to answer follow-up questions with cited source material.
Review scope, evidence, owners, and the next compliance actions with Sorena.
"No later than 10 business days after receiving a request to delete, request to correct, request to know, request to access ADMT, or request to appeal ADMT, a business shall confirm receipt of the request."
"On March 29, 2023, the Office of Administrative Law approved the California Privacy Protection Agency's regulations and filed"
"You cannot sue businesses for most CCPA violations"
"2024-01 Applying Data Minimization to Consumer Requests Short Title Enforcement Advisory No"
"Sites that detect GPC may interpret the signal in a variety of ways depending on their interpretation of the privacy laws applicable to the site."