Privacy regulations like GDPR and the emerging CCPA grant individuals various rights over their own personal information. When individuals exercise these rights, organizations (in GDPR: data controllers), have an obligation to respond to the request within a predefined time frame.
Request Types
Individual rights requests fall under several categories outlined in GDPR and CCPA.
| Right | Detail | GDPR | CCPA |
|---|---|---|---|
| Know | A privacy disclosure detailing the type of data collected, processed, and transferred as well as the reasons why. | X | X |
| Access |
See the specific personal data provided in a digital format. |
X | Xi |
| Data Transfer | Send personal information to a third party | X | |
| Forget / Delete | Delete personal data | X | X |
| Restrict | Limit the use of personal data when data cannot be deleted | X | |
| Rectify | Correct information | X | |
| Object | Prevent the use of personal information | X | Xii |
| Review Automated Decisions | Opt out from automated decisions or profiling | X |
Notes
- i: CCPA only requires organizations to disclose the categories of data the organization holds on the data subject / consumer
- ii: CCPA only covers the right to object to the sale of data ("Do Not Sell"). The upcoming CPRA law adds the ability to object to the transfer of data.
Request Process
Upon receiving a request, an organization must validate the identity of the individual and respond in a timely fashion. When an organization cannot comply within the mandated timeframe, they must issue an extension.
| Item | Due Date | Extension Date |
|---|---|---|
| GDPR | 30 days after receiving | 60 days after the due date |
| CCPA | 45 days after receiving | 45 days after the due date |
Upcoming Regulations
| Regulations | Effective Date | Comments | Deadlines |
|---|---|---|---|
| Virginia CDPA | January 1, 2023 | Covers the rights to know, access, data portability, delete, rectify, and object to the use of data for profiling, sale, and advertising | 45 days + 45 day extension |
| California CPRA | January 1, 2023 | The upcoming CPRA law extends Do Not Sell objections to most data transfers, adds data transfer, rectification, and review automated decisions rights. | 45 days + 45 day extension |
| Colorado Privacy Act | July 1, 2023 | Covers the rights to know, access, data portability, delete, rectify, and object to the use of data for profiling, sale, and advertising | 45 days + 45 day extension |