---
title: "CPRA Consumer Rights Workflow"
canonical_url: "https://www.sorena.io/artifacts/us/cpra/consumer-rights-workflow"
source_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/consumer-rights-workflow"
author: "Sorena AI"
description: "Run California rights operations across delete, correct, know, opt out, and limit."
published_at: "2026-02-22"
updated_at: "2026-02-22"
keywords:
  - "CPRA consumer rights workflow"
  - "CPRA correction right"
  - "CPRA limit use workflow"
  - "California GPC workflow"
  - "CPRA"
  - "Consumer Rights Workflow"
  - "California privacy"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# CPRA Consumer Rights Workflow

Run California rights operations across delete, correct, know, opt out, and limit.

*Consumer Rights* *CPRA*

## California CPRA Consumer Rights Workflow

Grounded in the California statute, CPPA regulations, and the 2026 California rule changes.

The CPRA rights workflow is broader than the original California set. It must now handle correction and limitation requests as well as the older know, delete, and opt out flows.

## Intake and routing by right type

Do not run all California rights through the same decision tree. Each right has a different verification need, evidence burden, and downstream action set.

- Separate requests to know, delete, correct, limit, and opt out on intake
- Start the 45 day response clock and manage extensions centrally
- Allow authorised agents where the regulations require it
- Explain the current status of each request clearly to the consumer

## Verification and fulfilment

The regulations require proportionate verification for delete, correct, and know requests and do not allow businesses to make opt out or limit requests burdensome.

- Use reasonable or reasonably high assurance based on data sensitivity and harm
- Do not require identity verification for opt out or limit requests
- Delete extra verification data as soon as practical after use
- Search internal systems and key downstream parties where needed

## Downstream propagation and records

Deletion, correction, opt out, and limit outcomes often require action by service providers, contractors, or third parties.

- Push deletion, correction, opt out, and limit instructions downstream where required
- Keep 24 month records of the request, response, and downstream instructions
- Track mean or median response time by request type
- Use error logs and repeat contacts to improve the workflow

*Recommended next step*

*Placement: after the scope or definition section*

## Use California CPRA Consumer Rights Workflow as a cited research workflow

Research Copilot can take California CPRA Consumer Rights Workflow from clarifying scope and applicability with cited answers to a reusable workflow inside Sorena. Teams working on California CPRA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for California CPRA Consumer Rights Workflow](/solutions/research-copilot.md): Start from California CPRA Consumer Rights Workflow and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through California CPRA](/contact.md): Review your current process, evidence gaps, and next steps for California CPRA Consumer Rights Workflow.

## Primary sources

- [CPPA regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Official California regulations hub.
- [California privacy statute effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_2026.pdf?ref=sorena.io) - Current statutory text as reflected in CPPA materials.
- [CPPA FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official California FAQ.
- [CPPA CCPA updates](https://cppa.ca.gov/ccpa_updates.html?ref=sorena.io) - Rulemaking and effective date updates.

## Related Topic Guides

- [CPPA Regulations Tracker | California Rulemaking Tracker](/artifacts/us/california-privacy-rights-act/cppa-regulations-tracker.md): Track the California rules that changed the operating baseline in 2026 and the related regulator outputs.
- [CPRA Applicability Test | California Scope and Trigger Guide](/artifacts/us/california-privacy-rights-act/applicability-test.md): Confirm California scope and then identify which CPRA specific obligations activate.
- [CPRA Checklist | California Privacy Rights Act Checklist](/artifacts/us/california-privacy-rights-act/checklist.md): Track the California privacy workstreams that changed under CPRA and the 2026 rules.
- [CPRA Compliance Program | California Operating Model](/artifacts/us/california-privacy-rights-act/compliance.md): Run a California programme that can absorb ongoing CPPA rules without constant redesign.
- [CPRA Contracts, Contractors, and Service Providers](/artifacts/us/california-privacy-rights-act/contracts-contractors-and-service-providers.md): Draft California recipient contracts that support both baseline CPRA compliance and the newer assurance obligations.
- [CPRA Deadlines and Compliance Calendar | California Privacy Calendar](/artifacts/us/california-privacy-rights-act/deadlines-and-compliance-calendar.md): Use the dates that matter for the current California privacy regime.
- [CPRA FAQ | Practical California Privacy Rights Answers](/artifacts/us/california-privacy-rights-act/faq.md): Answer the California questions that stall CPRA implementation decisions.
- [CPRA Penalties and Fines | California Enforcement Exposure](/artifacts/us/california-privacy-rights-act/penalties-and-fines.md): Understand what makes California exposure larger, faster, and harder to defend.
- [CPRA Requirements | California Control Requirements](/artifacts/us/california-privacy-rights-act/requirements.md): Translate the current California regime into control statements that teams can build and test.
- [CPRA Risk Assessment Template | California Risk Assessment Guide](/artifacts/us/california-privacy-rights-act/cpra-risk-assessment-template.md): Use a California specific template that matches the current rule structure instead of a generic DPIA form.
- [CPRA Risk Assessments and Cybersecurity Audits | California Assurance Guide](/artifacts/us/california-privacy-rights-act/risk-assessments-and-cybersecurity-audits.md): Prepare for the California assurance duties that now have real structure, timing, and evidence requirements.
- [CPRA Sensitive Personal Information | California SPI Guide](/artifacts/us/california-privacy-rights-act/sensitive-personal-information.md): Handle SPI with the level of design and evidence the California rules now expect.
- [CPRA vs CCPA | What Actually Changed in California Privacy](/artifacts/us/california-privacy-rights-act/ccpa-vs-cpra.md): A practical CPRA vs CCPA delta guide grounded in the current California statute, CPPA regulations, Proposition 24, and official agency guidance.
- [CPRA vs Colorado Privacy Act | State Privacy Comparison](/artifacts/us/california-privacy-rights-act/cpra-vs-colorado-privacy-act.md): Compare the California and Colorado models before reusing a state privacy template across both.
- [CPRA vs Virginia VCDPA | State Privacy Comparison](/artifacts/us/california-privacy-rights-act/cpra-vs-virginia-vcdpa.md): Compare California and Virginia privacy models before reusing contracts or request flows across both.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-privacy-rights-act/consumer-rights-workflow