CPRA rights for access deletion and correction requests
California’s CPRA transforms privacy from a passive policy into an active toolkit, empowering residents to force businesses to reveal, correct, or destroy their accumulated digital profiles.
For decades, the data relationship between consumers and corporations was a one-way street: companies collected whatever they could, and individuals had little visibility into the “digital dossier” being built around them. The California Privacy Rights Act (CPRA), which amends and expands the CCPA, fundamentally alters this dynamic. It shifts the burden of transparency onto the business, creating a legal mechanism where silence is no longer an option. If you ask a company what they know about you, they are legally compelled to answer—down to the specific pieces of data, not just vague categories.
However, exercising these rights—Access (Right to Know), Deletion, and the newly added Right to Correction—is rarely as simple as clicking a button. The process is a bureaucratic handshake that requires verification, precise terminology, and patience. Many requests are rejected not because the company is malicious, but because the consumer failed to verify their identity or requested the deletion of legally retained financial records. Understanding the mechanics of these requests is the difference between reclaiming your privacy and receiving a form letter rejection.
This article provides a comprehensive operational guide to the “Big Three” CPRA rights. We will deconstruct the specific steps to file a request that cannot be ignored, explain the “sensitive personal information” distinction that gives you extra leverage, and clarify the timelines businesses must follow. We will also address the new frontier of employee data rights, which has opened the door for California workers to access their own HR files under the same privacy laws that protect consumers.
The CPRA “Actionable Rights” Framework:
- Right to Know (Access): You can demand the specific pieces of data a company holds, not just categories, covering a period beyond the previous 12-month limit (if data is retained).
- Right to Delete: You can force the erasure of data, but this is not absolute; transaction history, warranty data, and security logs are exempt.
- Right to Correct: The newest power allows you to force a business to fix inaccurate data (e.g., wrong address, incorrect inferences), preventing the spread of bad info.
- Right to Limit SPI: You can restrict the use of “Sensitive Personal Information” (geolocation, genetics, SSN) to only what is necessary for the service.
Last updated: October 27, 2023.
Quick definition: The statutory rights granted to California residents to control their personal data held by qualifying businesses, enforceable through “Verifiable Consumer Requests.”
Who it applies to: California residents (consumers, employees, B2B contacts) and for-profit businesses with >$25M revenue or those buying/selling data of >100k consumers.
Time, cost, and documents:
- Response Deadline: 45 calendar days (extendable by another 45 days).
- Cost: Free for the consumer (unless requests are manifestly unfounded/excessive).
- Documents: Verification proof (ID, utility bill, email confirmation).
Key takeaways that usually decide disputes:
- Whether the request was “verifiable” (identity matching).
- Whether the data falls under an exemption (e.g., FCRA, HIPAA, GLBA).
- The “disproportionate effort” defense used by businesses.
Quick guide to CPRA Rights
- It’s Not Automatic: Rights are only activated upon request. If you don’t ask, the data stays. Silence is consent to retention.
- The “Lookback” Expanded: Under the original CCPA, you could only see data from the past 12 months. CPRA allows you to access data collected beyond that window (starting from Jan 1, 2022) if the business still holds it.
- Two-Step Verification: To protect your data from impostors, businesses must verify you. Expect to click a confirmation email or, for sensitive data, provide a copy of an ID or sign a declaration under penalty of perjury.
- Correction is New: If a data broker has the wrong income level for you, or a retailer has the wrong shipping address, you now have the legal right to force a correction.
- Non-Retaliation: A business cannot deny you goods or charge you higher prices simply because you exercised your privacy rights. This is the non-discrimination clause.
Understanding CPRA Rights in practice
The California Privacy Rights Act (CPRA) is often called “CCPA 2.0,” but in practice, it is a significant hardening of the original framework. While CCPA gave us the “Do Not Sell” button, CPRA gave us the tools to actually manage the data lifecycle. The core concept is “Consumer Sovereignty”—the idea that you own your data, and the business is merely borrowing it. When you submit a request, you are recalling that loan.
The Right to Know (Access) is the foundational right. Without knowing what a company has, you cannot effectively delete or correct it. CPRA divides this into two buckets: “Categories” (a high-level overview, e.g., “we collect contact info”) and “Specific Pieces” (the raw data, e.g., “John Doe, 123 Main St, bought shoes on 10/12”). The “Specific Pieces” request is the most powerful auditing tool available to consumers, but it triggers the highest security friction. Businesses are terrified of handing a data packet to an identity thief, so the verification bar is high.
The Right to Delete is the most popular but the most misunderstood. It is not a “Men in Black” memory wipe. It is a request to delete data that is no longer necessary. If you buy a toaster and ask the store to delete your data the next day, they will likely delete your marketing profile but keep your transaction record for tax, warranty, and fraud prevention purposes. Understanding this “partial deletion” helps manage expectations.
The “Sensitive Data” Hierarchy:
- Standard PI: Name, Email, Cookie ID. (Subject to standard Access/Delete).
- Sensitive PI (SPI): SSN, Passport, Geolocation, Racial Origin, Biometrics, Health, Sex Life.
- The “Limit Use” Right: For SPI, you have a special right to say “Stop using this for anything other than delivering the product.” You can stop them from using your geolocation for ads while still letting them use it for delivery.
Legal and practical angles that change the outcome
The Service Provider Loophole is a common point of friction. When you ask a company to delete your data, they must also instruct their service providers (vendors) to delete it. However, in practice, this “downstream deletion” is difficult to verify. The law requires it, but the technical execution relies on the business’s data governance. If a business fails to notify its vendors, your data may live on in a third-party analytics server.
A new practical angle involves “Disproportionate Effort.” Businesses can deny a request if the effort to locate the data outweighs the value to the consumer. For example, finding a specific IP address log in 10 years of backup tapes might be deemed “disproportionate.” However, with modern indexed databases, this defense is becoming harder for companies to use for active data.
Workable paths parties actually use to resolve disputes
If a business denies your request or claims they “cannot verify” you, the workable path is not immediately suing. The first step is to provide additional context. If you used a nickname or an old email address, providing that linkage can unlock the file. If the denial persists, the next step is filing a complaint with the California Privacy Protection Agency (CPPA). While individual consumers don’t have a private right of action (the ability to sue) for non-security violations, a pattern of CPPA complaints often triggers an enforcement action.
Practical application: How to Exercise Your Rights
Submitting a privacy request is a formal process. Do not send a tweet or a casual email to the CEO. Follow the designated channels to trigger the 45-day statutory clock.
- Locate the Intake Channel: Scroll to the footer of the company’s homepage. Look for “Privacy Policy,” “Your Privacy Choices,” or “Do Not Sell My Info.” There must be a toll-free number or a web form.
- Select the Right Request:
  - “I want to see what you have” -> Request to Know (Specific Pieces).
  - “I want to disappear” -> Request to Delete.
  - “This info is wrong” -> Request to Correct.
- Submit Verification Details: You will likely need to provide 2-3 data points that match their records (e.g., email, phone number, order number). Do not send your SSN unless they specifically ask for it securely.
- Check Your Email (Crucial): Most systems send a “Confirm your email” link immediately. If you don’t click this within 24-48 hours, the request is auto-cancelled. This is the #1 reason requests fail.
- Wait 45 Days: The business has 45 days to respond. They can extend it by another 45 days (total 90) if they notify you.
- Receive and Review: For Access requests, you will receive a secure link or a PDF. Review it. For Deletion, you will receive a confirmation of what was deleted and what was exempted.
Technical details and relevant updates
The Right to Correct (Cal. Civ. Code § 1798.106) is the most technically complex addition. It requires businesses to accept input from the consumer to fix inaccuracies. The business must consider the “totality of the circumstances.” For example, if you claim a transaction on your history is fraudulent and ask to “correct” it by removing it, the business may require proof (like a police report) rather than just taking your word, as deleting a transaction record impacts financial auditing.
Regarding Data Portability, the CPRA mandates that specific pieces of personal information be provided in a format that is “easily understandable and to the extent technically feasible, in a structured, commonly used, machine-readable format.” This means they shouldn’t send you a screenshot of a database; they should send a CSV, JSON, or PDF file that allows you to transmit the data to another entity without hindrance.
- Verification Standards: For “Specific Pieces” requests, the standard is “High Degree of Certainty.” This usually means matching at least three data points and a signed declaration. For “Categories” requests, the standard is “Reasonable Degree of Certainty” (two data points).
- Employee Data: As of Jan 1, 2023, the exemption for HR data expired. Current and former employees can now use CPRA to access their personnel files, performance reviews, and internal notes, subject to attorney-client privilege and other exemptions.
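The verification tiers, the 45-day clock with its 45-day extension, the machine-readable export, and the partial deletion described in the Right to Delete section are all things a business's request-intake system has to encode. The following is an added example, not code from the article or from any regulator, of how such an intake could model them. The tier table, the treatment of delete and correct requests as "high degree of certainty", the exempt record categories, and all sample data are assumptions constructed for illustration.

```python
"""Added illustration of a CPRA request-intake model (assumptions, not statutory text)."""
from dataclasses import dataclass
from datetime import date, timedelta
import hmac
import json

# Verification tiers from the article: "Specific Pieces" needs a high degree of
# certainty (at least three matching data points plus a signed declaration);
# "Categories" needs a reasonable degree of certainty (two data points).
# Applying the high tier to delete and correct requests is an assumption.
TIERS = {
    "know_categories": (2, False),
    "know_specific": (3, True),
    "delete": (3, True),
    "correct": (3, True),
}

RESPONSE_DAYS = 45    # statutory response window
EXTENSION_DAYS = 45   # one extension, if the consumer is notified

# Record categories the article names as retained under deletion exemptions.
EXEMPT_CATEGORIES = {"transaction", "warranty", "security_log"}


@dataclass
class ConsumerRequest:
    request_type: str
    submitted: date
    provided: dict            # data points the consumer supplied
    email_confirmed: bool = False
    declaration_signed: bool = False
    extended: bool = False


def _matches(a: str, b: str) -> bool:
    # Normalize, then compare in constant time so timing does not reveal
    # which field mismatched to someone probing the form.
    return hmac.compare_digest(a.strip().lower().encode(), b.strip().lower().encode())


def count_matches(provided: dict, on_file: dict) -> int:
    """Number of supplied data points that match the business's records."""
    return sum(1 for k, v in provided.items()
               if k in on_file and _matches(str(v), str(on_file[k])))


def verify(req: ConsumerRequest, on_file: dict) -> tuple:
    """Gate a request on the tier's required matches and declaration."""
    if not req.email_confirmed:
        return False, "email not confirmed"
    needed, needs_declaration = TIERS[req.request_type]
    n = count_matches(req.provided, on_file)
    if n < needed:
        return False, f"matched {n} of {needed} required data points"
    if needs_declaration and not req.declaration_signed:
        return False, "signed declaration required"
    return True, "verified"


def response_deadline(req: ConsumerRequest) -> date:
    """45 calendar days from submission, or 90 if an extension was noticed."""
    days = RESPONSE_DAYS + (EXTENSION_DAYS if req.extended else 0)
    return req.submitted + timedelta(days=days)


def apply_deletion(records: list) -> tuple:
    """Split records into (deleted, retained) by exemption category."""
    deleted, retained = [], []
    for r in records:
        (retained if r["category"] in EXEMPT_CATEGORIES else deleted).append(r)
    return deleted, retained


def export_portable(records: list) -> str:
    """Machine-readable export of specific pieces (JSON, not a screenshot)."""
    return json.dumps(records, indent=2, sort_keys=True, default=str)


if __name__ == "__main__":
    on_file = {"email": "jane.doe@example.com", "phone": "555-0100", "order_id": "A123"}  # constructed
    req = ConsumerRequest("know_specific", date(2023, 10, 27),
                          {"email": "jane.doe@example.com", "phone": "555-0100"},
                          email_confirmed=True)
    print(verify(req, on_file), response_deadline(req))
```

The `verify` function is the piece most worth copying: it refuses before it matches, checks the email confirmation that the article says is the top failure cause, and only then counts data points against the tier. `apply_deletion` makes the "partial deletion" outcome explicit so the confirmation sent back can list what was exempted.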
Statistics and scenario reads
Understanding the volume and rejection rate of requests helps set realistic expectations. Data suggests that while deletion requests are popular, access requests provide the most actionable intelligence for consumers.
Rejection rates remain high, largely due to verification failures (consumers abandoning the process) or “unfounded” requests (spamming companies where the consumer has no account).
Monitorable points for Consumers:
- Response Time: Legal limit is 45 days. Average response is ~35 days.
- Verification Friction: Expect 2-step verification (email + SMS or ID).
- Data Retention: Businesses often delete “inactive” data after 2-3 years, meaning an access request might return nothing if you haven’t shopped recently.
Practical examples of CPRA Requests
Scenario A: The “Clean Slate” Deletion
Sarah requests a “Right to Delete” from a clothing retailer. She confirms her email. 40 days later, the retailer confirms deletion.
Outcome: Her marketing profile, browsing history, and cookies are wiped. She stops getting emails. However, her invoice for the coat she bought last year is retained in the finance system because the retailer must keep tax records for 7 years. This is a compliant, partial deletion.
Scenario B: The Failed Correction
Mark sees his credit score is low on a banking app. He submits a CPRA “Right to Correct” to the bank to change the score.
Outcome: The request is denied. Credit reporting is governed by the FCRA (Federal Fair Credit Reporting Act), which preempts CPRA. Mark must dispute the error through the credit bureaus (Equifax, Experian), not through a CPRA privacy request to the bank.
Common mistakes in exercising rights
Ignoring the Verification Email: This is the silent killer of requests. If you don’t click the link in your inbox within the window (often 24h), the request is voided automatically.
Assuming “Delete” means “Refund”: Deleting your account does not cancel a subscription charge or trigger a refund. It just removes your profile. You must cancel services separately.
Confusing “Opt-Out” with “Delete”: “Do Not Sell/Share” stops the transfer of data to ad networks. “Delete” erases the data held by the company. They are two separate levers; use both for maximum privacy.
Using the Wrong Email: If you signed up with `jane.doe@gmail` but submit the request with `jane.work@corp.com`, the business cannot verify you and will reject the request.
FAQ about CPRA Rights
How much does it cost to submit a request?
It is free. Businesses cannot charge you for processing a standard verifiable consumer request.
However, if your requests are “manifestly unfounded or excessive” (e.g., you submit the same request every day for a month), the business may either charge a reasonable fee or refuse to act on the request.
Can I make a request for my child?
Yes. A parent or legal guardian can make a request on behalf of their child under 13. For teenagers between 13 and 16, the child can typically exercise their own rights, or authorize a parent.
You may be asked to provide proof of parental authority, such as a birth certificate or court order, to protect the child’s data.
What if the business says they can’t find my data?
This often happens if you engaged with them as a “Guest” (no account) or if they aggregate data. If they cannot verify your identity to a sufficient degree of certainty, they are legally prohibited from disclosing specific pieces of data.
They may still be able to honor a “Do Not Sell” request even if they can’t fulfill an “Access” request.
Do these rights apply to my employer?
Yes. As of January 1, 2023, the B2B and Employee exemptions expired. California employees, job applicants, and independent contractors have the right to request access to, correction of, or deletion of their HR data.
However, employers can retain data necessary for employment, tax, and legal reasons (e.g., payroll records, harassment investigation files).
Can I use an “Authorized Agent”?
Yes. You can designate a person or a business (like a privacy service such as DeleteMe or Privacy Bee) to submit requests on your behalf.
The business may still require you to directly verify your identity with them or confirm that you provided the agent with signed permission.
Does a deletion request delete my backup data?
Not immediately. Businesses are not required to delete data from archived or backup systems in real-time. However, the data must be deleted when those backups are restored or during the next scheduled overwrite cycle.
The data in backups cannot be used for any active purpose while it awaits deletion.
What is the penalty if they ignore me?
You cannot sue for a failure to respond (no private right of action for non-security breaches). You must report them to the California Privacy Protection Agency (CPPA).
The CPPA can fine businesses $2,500 per unintentional violation and $7,500 per intentional violation.
Can I correct an opinion or review?
Generally, no. The Right to Correct applies to objective factual inaccuracies (e.g., wrong address, wrong debt amount). Subjective opinions (e.g., “This driver was rude” or internal interview notes) are usually not subject to correction.
You cannot force a business to change their assessment of you, only the facts underlying it.
How often can I make a request?
Under the law, a business is only required to respond to a consumer’s request for access twice within a 12-month period.
However, deletion and correction requests can theoretically be made whenever the need arises, provided they are not excessive.
Does deleting data stop spam emails?
Effectively, yes, because they delete your email address. However, the specific right to stop spam is “Unsubscribe.” Deletion is a nuclear option.
If you just want to stop emails, use the “Unsubscribe” link. Use “Right to Delete” if you want the company to forget you existed.
References and next steps
- Start a Request Log: Keep a spreadsheet of every request you submit, the date, and the Case ID provided by the business. This is essential if you need to file a complaint later.
- Check Your “Sensitive” Settings: Look for the “Limit the Use of My Sensitive Personal Information” link on websites you trust less.
- Authorized Agents: Consider using a reputable privacy service if you have dozens of accounts to clean up; manual requests can be time-consuming.
Related reading:
- California Privacy Protection Agency (CPPA) Official Guide
- The difference between CCPA and CPRA
- How to file a consumer complaint in California
- Understanding “Dark Patterns” in privacy choices
Normative and case-law basis
The rights discussed here are grounded in the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). The primary statutory citations are California Civil Code § 1798.100 (General Duties), § 1798.105 (Right to Delete), § 1798.106 (Right to Correct), and § 1798.110/115 (Right to Know).
The implementing regulations are drafted and enforced by the California Privacy Protection Agency (CPPA) and the California Attorney General. These regulations define the technical standards for “Verifiable Consumer Requests” and “Authorized Agents.”
Final considerations
The CPRA has given Californians some of the strongest privacy rights in the world, effectively ending the era of unchecked data hoarding. However, these rights are not self-executing. They require active participation. By knowing the difference between a “Right to Know” and a “Right to Delete,” and by understanding the necessary verification steps, you convert abstract legal text into a concrete shield for your digital identity.
Remember that while deletion is powerful, it is irreversible. Access is often the smarter first step—see what they have, correct what is wrong, and delete only what puts you at risk. In the digital age, your data is your currency; CPRA is simply the bank statement that lets you finally audit the account.
Key point 1: You must verify your identity (email confirmation) for any request to proceed.
Key point 2: Businesses have 45 days to respond; patience is required.
Key point 3: Exemptions exist (taxes, warranties, security), so “deletion” is rarely 100% total.
- Look for “Your Privacy Choices” in the website footer.
- Check your spam folder for the verification email immediately after submitting.
- Save your Case ID number.
This content is for informational purposes only and does not replace individualized legal analysis by a licensed attorney or qualified professional.