Privacy regulations like GDPR and the emerging CCPA grant individuals, various rights over their own personal information. When individuals exercise these rights, organizations (in GDPR: data controllers), have an obligation to respond to the request within a predefined time frame.
Request Types
Individual rights requests fall under several categories outlined in GDPR and CCPA.
| Right | Detail | GDPR | CCPA |
|---|---|---|---|
| Know | A privacy disclosure detailing the type of data collected, processed, and transferred as well as the reasons why. | X | X |
| Access |
See the specific personal data provided in a digital format. |
X | Xi |
| Forget / Delete | Delete personal data | X | X |
| Restrict | Limit the use of personal data when data cannot be deleted | X | |
| Object | Prevent the use of personal information | X | Xii |
| Data Transfer | Send personal information to a third party | X | |
| Review Automated Decisions | Opt out from automated decisions or profiling | X |
Notes
- i: CCPA only requires organizations to disclose the categories of data the organization holds on the data subject / consumer
- ii: CCPA only covers the right to object to the sale of data ("Do Not Sell"). The upcoming CPRA law adds the ability to object to the transfer of data.
Request Process
Upon receiving a request, an organization must validate the identity of the individual and respond in a timely fashion. When an organization cannot comply within the mandated timeframe, they must issue an extension.
| Item | Due Date | Extension Date |
|---|---|---|
| GDPR | 30 days after receiving | 60 days after the due date |
| CCPA | 45 days after receiving | 45 days after the due date |