CCPA § 1798.100 and § 1798.110 grant California consumers the right to know exactly what personal information a business holds about them, where it came from, why it is processed, and who receives it. Without an accessible disclosure mechanism — a web form, email address, or toll-free number — you are in statutory violation the moment a California resident asks. The California Privacy Protection Agency (CPPA) can impose fines of up to $7,500 per intentional violation, and class-action exposure under § 1798.150 covers statutory damages of $100–$750 per consumer per incident. Beyond the monetary risk, the absence of a rights mechanism signals to regulators that the rest of your privacy program is equally unprepared.
Critical because absence of any disclosure mechanism is a statutory violation under CCPA § 1798.100 the moment a California consumer makes a request, with direct civil penalty exposure.
Create a consumer privacy rights request page at app/privacy/request/page.tsx that covers all five request types — know-categories, know-specific, delete, correct, and opt-out — and POST it to a backend route that generates a verification token, stores the pending request, and sends the verification email. The substantive response to the verified request must then go out within the statutory 45-day window.
// app/privacy/request/page.tsx — cover all five CCPA request types
'use client'
import { useState, type FormEvent } from 'react'

type RequestType = 'know_categories' | 'know_specific' | 'delete' | 'correct' | 'opt_out'

// All five request types the check counts; each one becomes a radio button below
const REQUEST_TYPES: { value: RequestType; label: string }[] = [
  { value: 'know_categories', label: 'Know — categories of personal information collected' },
  { value: 'know_specific', label: 'Know — specific pieces of personal information about me' },
  { value: 'delete', label: 'Delete my personal information' },
  { value: 'correct', label: 'Correct inaccurate personal information' },
  { value: 'opt_out', label: 'Opt out of the sale or sharing of my personal information' },
]

export default function PrivacyRequestPage() {
  const [requestType, setRequestType] = useState<RequestType>('know_categories')
  const [email, setEmail] = useState('')
  const [submitted, setSubmitted] = useState(false)

  async function handleSubmit(e: FormEvent) {
    e.preventDefault()
    // The backend route generates the verification token and stores the pending request
    await fetch('/api/privacy/request', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ requestType, email }),
    })
    setSubmitted(true)
  }

  if (submitted) return (
    <p>Request received. We will respond within 45 days as required by California law.</p>
  )

  return (
    <form onSubmit={handleSubmit}>
      <h1>California Privacy Rights Request</h1>
      <input type="email" value={email} onChange={e => setEmail(e.target.value)}
        placeholder="Your email address" required />
      <fieldset>
        <legend>Type of request</legend>
        {REQUEST_TYPES.map(({ value, label }) => (
          <label key={value}>
            <input type="radio" name="requestType" value={value}
              checked={requestType === value}
              onChange={() => setRequestType(value)} />
            {label}
          </label>
        ))}
      </fieldset>
      <button type="submit">Submit Request</button>
    </form>
  )
}
Link this page from your privacy policy under a "California Privacy Rights" heading and ensure the 45-day response SLA is documented in PRIVACY_OPERATIONS.md.
ID: ccpa-readiness.consumer-rights.right-to-know
Severity: critical
What to look for: Look for a consumer privacy rights request mechanism — typically a web form linked from the privacy policy under "Your Rights" or "California Privacy Rights," or a dedicated page at /privacy/request, /do-not-sell, /privacy-rights, or /ccpa. Check whether the form or mechanism allows a consumer to request: (1) the categories of personal information collected about them, (2) the specific pieces of personal information collected, (3) the categories of sources, (4) the business purpose for collecting, and (5) the categories of third parties the PI is disclosed to. Verify there is a process for responding within 45 days (CCPA/CPRA statutory deadline, extendable by an additional 45 days with notice). Also look for an API endpoint or admin tool that allows staff to retrieve and deliver the requested data in response to verified requests. Count every consumer rights request type supported by the mechanism (know-categories, know-specific, delete, correct, opt-out) and report the ratio: X of 5 required request types are present. Before evaluating, extract and quote the exact text of the consumer rights request mechanism — the form labels, radio options, or descriptive text that specifies what types of requests consumers can submit.
Pass criteria: A mechanism exists (web form, email address, or toll-free number) allowing California consumers to submit a "Right to Know" request. The mechanism covers both categories of PI and specific pieces of PI. The privacy policy describes the request process and the 45-day response window. An internal process or tooling exists to fulfill these requests. Report even on pass: "Consumer rights request form supports X of 5 request types. Response timeline documented as Y days." Threshold: at least 4 of the 5 required request types.
Fail criteria: No consumer rights request mechanism exists. The privacy policy does not describe how to submit a request. No process for fulfilling and responding to disclosure requests within 45 days.
Skip (N/A) when: The application is not subject to CCPA — it does not meet any of the three CCPA thresholds: (1) annual gross revenues over $25M, (2) annual buying/selling/receiving/sharing of personal information of 100,000+ consumers or households, (3) deriving 50%+ of annual revenues from selling or sharing consumer personal information. Document the specific threshold analysis if skipping.
Cross-reference: The privacy-policy-categories check in Privacy Disclosures verifies the policy describes the request process that this mechanism fulfills.
Detail on fail: Specify what is missing. Example: "No consumer rights request form or mechanism found. Privacy policy does not include a California rights section or contact method for submitting requests." or "Privacy policy mentions rights but provides no mechanism (form, email, or phone number) for submitting a request."
Remediation: Implement a consumer privacy rights request form and document the fulfillment process:
// app/privacy/request/page.tsx — consumer rights request form
'use client'
import { useState, type FormEvent } from 'react'

type RequestType = 'know_categories' | 'know_specific' | 'delete' | 'correct' | 'opt_out'

export default function PrivacyRequestPage() {
  const [requestType, setRequestType] = useState<RequestType>('know_categories')
  const [email, setEmail] = useState('')
  const [submitted, setSubmitted] = useState(false)

  async function handleSubmit(e: FormEvent) {
    e.preventDefault()
    // The backend route generates the verification token, stores the pending request
    // and sends the verification email
    await fetch('/api/privacy/request', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ requestType, email }),
    })
    setSubmitted(true)
  }

  if (submitted) return (
    <div>
      <h1>Request Submitted</h1>
      <p>We will respond within 45 days. Check your email for a verification link.</p>
    </div>
  )

  // One radio button per request type; all five share the same name so only one can be selected
  return (
    <form onSubmit={handleSubmit}>
      <h1>California Privacy Rights Request</h1>
      <fieldset>
        <legend>Type of request</legend>
        <label>
          <input type="radio" name="requestType" value="know_categories"
            checked={requestType === 'know_categories'}
            onChange={() => setRequestType('know_categories')} />
          Know — categories of personal information collected
        </label>
        <label>
          <input type="radio" name="requestType" value="know_specific"
            checked={requestType === 'know_specific'}
            onChange={() => setRequestType('know_specific')} />
          Know — specific pieces of personal information about me
        </label>
        <label>
          <input type="radio" name="requestType" value="delete"
            checked={requestType === 'delete'}
            onChange={() => setRequestType('delete')} />
          Delete my personal information
        </label>
        <label>
          <input type="radio" name="requestType" value="correct"
            checked={requestType === 'correct'}
            onChange={() => setRequestType('correct')} />
          Correct inaccurate personal information
        </label>
        <label>
          <input type="radio" name="requestType" value="opt_out"
            checked={requestType === 'opt_out'}
            onChange={() => setRequestType('opt_out')} />
          Opt out of the sale or sharing of my personal information
        </label>
      </fieldset>
      <label>
        Email address (for identity verification)
        <input type="email" required value={email} onChange={e => setEmail(e.target.value)} />
      </label>
      <button type="submit">Submit Request</button>
    </form>
  )
}
Document your internal fulfillment process: who receives the request, how identity is verified (email confirmation link is the minimum), and how the response is prepared and sent within 45 days.
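The backend side that both the page description at the top and the fulfillment-process note above leave to the reader, as an added example that is not part of the original rule or any project's code: the core of the POST /api/privacy/request handler and of the verification-link handler, written as framework-free functions (a hypothetical lib/privacy-request.ts) so they can be unit-tested. The 7-day link lifetime and the input validation rules are assumptions; the 45-day deadline and its one 45-day extension come from the check itself.

```typescript
import { randomBytes, createHash, timingSafeEqual } from 'node:crypto'

export type RequestType = 'know_categories' | 'know_specific' | 'delete' | 'correct' | 'opt_out'
const REQUEST_TYPES: readonly string[] = ['know_categories', 'know_specific', 'delete', 'correct', 'opt_out']
const DAY_MS = 24 * 60 * 60 * 1000
const TOKEN_TTL_MS = 7 * DAY_MS // assumption: a verification link is honoured for 7 days

export interface PendingRequest {
  requestType: RequestType
  email: string
  tokenHash: string   // hex SHA-256 of the token; the raw token only travels in the e-mail link
  receivedAt: number  // epoch ms
  respondBy: number   // 45-day statutory deadline, extendable once by 45 days with notice
  verifiedAt?: number // set on first successful verification; the link is single-use
}

// Statutory response deadline measured from receipt of the request.
export function responseDeadline(receivedAt: number, extended = false): number {
  return receivedAt + (extended ? 90 : 45) * DAY_MS
}

const hashToken = (token: string): Buffer => createHash('sha256').update(token).digest()

// Core of the POST /api/privacy/request handler: validate the body, mint an unguessable
// token and build the record to persist. The caller stores `record` and e-mails `token`.
export function createPrivacyRequest(body: unknown, now = Date.now()): { record: PendingRequest; token: string } {
  const input = (body ?? {}) as { requestType?: unknown; email?: unknown }
  if (typeof input.requestType !== 'string' || !REQUEST_TYPES.includes(input.requestType))
    throw new Error('invalid requestType')
  if (typeof input.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(input.email))
    throw new Error('invalid email')
  const token = randomBytes(32).toString('base64url') // 256 bits of entropy
  const record: PendingRequest = {
    requestType: input.requestType as RequestType,
    email: input.email,
    tokenHash: hashToken(token).toString('hex'),
    receivedAt: now,
    respondBy: responseDeadline(now),
  }
  return { record, token }
}

// Core of the verification-link handler: single-use, time-limited, constant-time comparison.
export function verifyPrivacyRequest(record: PendingRequest, token: string, now = Date.now()): boolean {
  if (record.verifiedAt !== undefined || now - record.receivedAt > TOKEN_TTL_MS) return false
  const stored = Buffer.from(record.tokenHash, 'hex'), presented = hashToken(token)
  if (stored.length !== presented.length || !timingSafeEqual(stored, presented)) return false
  record.verifiedAt = now
  return true
}
```

Only the hash of the token is persisted, so a leaked pending-request table cannot be used to verify someone else's request; the `respondBy` field is what the 45-day SLA reporting in PRIVACY_OPERATIONS.md should be measured against.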