Individual Rights Management Overview

  • Updated

Privacy regulations like GDPR and the emerging CCPA grant individuals various rights over their own personal information. When individuals exercise these rights, organizations (in GDPR: data controllers), have an obligation to respond to the request within a predefined time frame.

Request Types

Individual rights requests fall under several categories outlined in GDPR and CCPA.

Right Detail GDPR CCPA
Know A privacy disclosure detailing the type of data collected, processed, and transferred as well as the reasons why. X X
Access

See the specific personal data provided in a digital format.

X Xi
Data Transfer Send personal information to a third party X  
Forget / Delete Delete personal data X X 
Restrict Limit the use of personal data when data cannot be deleted X  
Rectify Correct information  X  
Object Prevent the use of personal information X Xii
Review Automated Decisions Opt out from automated decisions or profiling X  

Notes

  • i: CCPA only requires organizations to disclose the categories of data the organization holds on the data subject / consumer
  • ii: CCPA only covers the right to object to the sale of data ("Do Not Sell"). The upcoming CPRA law adds the ability to object to the transfer of data.

Request Process

Upon receiving a request, an organization must validate the identity of the individual and respond in a timely fashion. When an organization cannot comply within the mandated timeframe, they must issue an extension. 

Item Due Date Extension Date
GDPR 30 days after receiving 60 days after the due date
CCPA 45 days after receiving 45 days after the due date

Upcoming Regulations

Regulations Effective Date Comments Deadlines
Virginia CDPA January 1, 2023 Covers the rights to know, access, data portability, delete, rectify, and object to the use of data for profiling, sale, and advertising 45 days + 45 day extension
California CPRA January 1, 2023 The upcoming CPRA law extends Do Not Sell objections to most data transfers, adds data transfer, rectification, and review automated decisions rights. 45 days + 45 day extension
Colorado Privacy Act July 1, 2023 Covers the rights to know, access, data portability, delete, rectify, and object to the use of data for profiling, sale, and advertising 45 days + 45 day extension