Privacy regulations like GDPR and the emerging CCPA grant individuals, various rights over their own personal information. When individuals exercise these rights, organizations (in GDPR: data controllers), have an obligation to respond to the request within a predefined time frame.
Request Types
Individual rights requests fall under several categories outlined in GDPR and CCPA.
| Right | Detail | GDPR | CCPA |
|---|---|---|---|
| Know* | A report detailing what data is collected, processed, and transferred. | X | X |
| Access | Digital machine-readable copy of specific personal data | X | X |
| Forget / Delete | Delete personal data | X | X |
| Restrict | Limit the use of personal data when data cannot be deleted | X | |
| Object** | Prevent the use of personal information | X | X |
| Data Transfer | Send personal information to a third party | X | |
| Review Automated Decisions | Opt out from automated decisions or profiling | X |
*Only activities involving sale or disclosure, **Only activities involving the sale of personal information
Request Process
Upon receiving a request, an organization must validate the identity of the individual and respond in a timely fashion. When an organization cannot comply within the mandated timeframe, they must issue an extension.
| Item | Due Date | Extension Date |
|---|---|---|
| GDPR | 30 days after receiving | 60 days after the due date |
| CCPA | 45 days after receiving | 45 days after the due date |