Data Privacy & CCPA — Compliance Scenario
A California Customer Emails Demanding a Copy of All Their Data and Requesting Deletion. We’ve Never Handled This Before. What Are We Required to Do — and How Fast?
A real workplace compliance scenario — with three decision options and the right answer.
Quick Answer
What are a company’s obligations when a California resident submits a CCPA data subject request? If the company is subject to CCPA, it must respond within 45 days, verify the identity of the requestor, provide the requested information or confirm deletion, and document the request and response. Ignoring or delaying the request because no process exists is itself a violation. This scenario shows why CCPA compliance requires a response infrastructure — not just a privacy policy — and why the first request is almost never a good time to build one.
The Situation
You manage customer operations at a software company subject to CCPA. On Monday morning an email arrives from a California-based customer. They state that they are submitting a formal request under the California Consumer Privacy Act. They want to know: what personal information the company has collected about them, who it has been shared with, and whether it has been sold. They also request deletion of all personal information the company holds about them.
Your company has never received a request like this before. There is no formal process. Legal is aware of CCPA but hasn’t built out a data subject request workflow. Marketing, IT, and customer success all hold some version of this customer’s data across different systems. You’re not sure where to start.
What Should You Do?
Choice A — Forward the email to Legal and wait for direction. This is a legal matter that requires legal judgment. Until Legal provides guidance, no action should be taken that could create further liability.
Choice B — Acknowledge receipt to the customer immediately, escalate to Legal and Compliance on the same day, and begin the verification and data-gathering process. The 45-day clock started when the request arrived — not when Legal finishes reviewing it.
Choice C — Reply to the customer asking them to resubmit through an official channel once the company establishes a formal process. The request wasn’t submitted through a proper intake mechanism, so the clock hasn’t officially started.
The Right Call
Choice B — Acknowledge immediately, escalate same day, start the clock.
Choice A delays the response while the 45-day window runs down — Legal reviewing the situation doesn’t pause the compliance obligation. Choice C is not valid: CCPA does not require consumers to use a specific intake channel. A consumer can submit a request by email, phone, or any other reasonable means of contacting the business. Asking the customer to resubmit while building a process is itself a violation. The 45-day clock runs from the date of receipt of the request by any channel.
The Five Steps When a Request Arrives
Step 1 — Acknowledge receipt immediately. Send a confirmation to the consumer that their request has been received and is being processed. This is both good practice and a signal of good faith to regulators.
Step 2 — Verify the requester’s identity. CCPA requires that requests come from the consumer themselves or an authorized agent. The verification process must be reasonably designed — it cannot be so burdensome as to function as a barrier to exercising rights.
Step 3 — Map where the data lives. Coordinate across marketing, IT, customer success, and any other function that holds data on this individual. CCPA’s right to know covers all personal information the business has collected — not just what’s in the CRM.
Step 4 — Respond within 45 days. The response must address the right to know (what was collected, the categories of sources, the business purpose, and any third parties it was shared with) and the right to delete (confirmation of deletion or explanation of any applicable exception). A 45-day extension is available with notice to the consumer.
Step 5 — Document the request and response. Maintain records of data subject requests and responses for at least 24 months. This documentation is required under the CCPA and is critical evidence of compliance in the event of a regulatory inquiry or audit.
Why This Scenario Is Harder Than It Looks
The 45-day clock doesn’t wait for your process to be ready.
The most common CCPA response failure is not malicious — it’s organizational. Legal reviews the request. IT needs to be involved. Marketing has its own data. Nobody owns the process. By the time the internal discussion is resolved, significant time has passed. The 45-day window is not a deadline to start the process. It is the deadline to complete the response. The acknowledgment, verification, data mapping, and response all have to happen within that window.
Data is scattered across more systems than most companies realize.
A right-to-know request requires disclosure of all personal information collected — not just what’s in the primary customer database. Marketing automation, analytics platforms, advertising tools, customer support tickets, email archives, and data held by vendors may all contain personal information about the requester. Identifying and consolidating this data across systems in 45 days is operationally challenging even for companies with mature data governance. For companies without a data inventory, the first request is a crisis.
Frequently Asked Questions
How long does a business have to respond to a CCPA data subject request?
45 days from the date of receipt of the request. The business may extend this by an additional 45 days when reasonably necessary, provided it notifies the consumer of the extension and the reason within the initial 45-day period. The clock runs from receipt — not from verification or from when the business begins processing.
Does CCPA require consumers to submit requests through a specific channel?
No. Businesses are required to provide at least two methods for submitting requests — typically a toll-free number and a web form — but consumers are not limited to these channels. A request submitted by email, social media, or any other means of contacting the business is a valid request that triggers the response obligation.
Are there any exceptions to the right to delete under CCPA?
Yes. Businesses are not required to delete personal information that is necessary to complete a transaction with the consumer, detect security incidents, comply with a legal obligation, exercise free speech or another legal right, or several other specified purposes. When an exception applies, the business must notify the consumer that the deletion request has been denied and explain why.
What records must a business keep regarding data subject requests?
Businesses subject to CCPA must maintain records of consumer requests and their responses for at least 24 months. These records must be made available to the California Privacy Protection Agency upon request. The documentation requirement applies regardless of whether the request was fulfilled or denied.
What is the most important thing a company can do before receiving its first CCPA request?
Build a data inventory and a response workflow before the first request arrives. A data inventory identifies what personal information the company collects, where it is stored, who has access to it, and how long it is retained. A response workflow defines who owns the process, how requests are routed, how verification is conducted, and how cross-functional data gathering is coordinated. Both take time to build — time that disappears when the 45-day clock is running.
How to Use This Scenario in Training
Data privacy policy training or Code of Conduct training establishes the law. This scenario makes it stick.
Xcelus recommends this scenario for customer operations, marketing, IT, legal, and compliance teams — anyone who might receive or process a consumer data request. The recognition skill is understanding that the 45-day clock starts on receipt and that the absence of a process is not a reason to delay — it is itself the compliance gap that needs to be addressed.
More Compliance Scenarios
We’re headquartered in Illinois. Does California’s privacy law apply to us?
We share customer data with analytics vendors but never sell it. Legal says we might still be violating CCPA.
An employee saved client files to their personal Dropbox for convenience. Is that a data security issue?
Want the Full Data Privacy & CCPA Training?
Xcelus builds scenario-based data privacy training covering CCPA consumer rights, data subject request workflows, the sale vs. sharing distinction, and threshold analysis for companies navigating California privacy obligations.
