CPRA (effective January 2023) added the right to correction alongside the original CCPA rights, codified at § 1798.106. A profile page where all fields are read-only — a common AI-built default — violates this right for authenticated users. For non-account-holders who have had their PI collected via a lead form or checkout, the violation is even starker: they have no path at all to correct inaccurate data. Inaccurate PI also degrades your own product — wrong email addresses bounce, wrong billing names cause payment disputes, and wrong phone numbers generate SMS failures. Correction serves both compliance and data quality.
Medium because the CPRA correction right (§ 1798.106) is a statutory requirement, but violations typically surface only when a consumer makes a specific correction request rather than triggering immediate enforcement.
Add editable fields to app/settings/profile/page.tsx so authenticated users can self-service correct their name, phone, and any other PI fields. Add a "Correct inaccurate personal information" radio option to the privacy rights request form for non-account-holders.
// app/settings/profile/page.tsx
'use client'
import { useState, type FormEvent } from 'react'

// Minimal shape used by this page; substitute the project's own User type.
type User = { name?: string | null; phone?: string | null }

export default function ProfilePage({ user }: { user: User }) {
  const [name, setName] = useState(user.name ?? '')
  const [phone, setPhone] = useState(user.phone ?? '')
  const [status, setStatus] = useState<'idle' | 'saving' | 'saved' | 'error'>('idle')

  // PATCH only the correctable fields; the server picks the record from the
  // session, never from a client-supplied id.
  async function save(e: FormEvent<HTMLFormElement>) {
    e.preventDefault()
    setStatus('saving')
    const res = await fetch('/api/user/profile', {
      method: 'PATCH',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ name, phone }),
    })
    setStatus(res.ok ? 'saved' : 'error')
  }

  return (
    <form onSubmit={save}>
      <label>Name <input value={name} onChange={e => setName(e.target.value)} /></label>
      <label>Phone <input value={phone} onChange={e => setPhone(e.target.value)} /></label>
      <button type="submit" disabled={status === 'saving'}>Save Changes</button>
      {status === 'saved' && <p>Changes saved.</p>}
      {status === 'error' && <p>Could not save changes; please try again.</p>}
    </form>
  )
}
For non-account-holders, route correction requests to a staff inbox tracked in PRIVACY_OPERATIONS.md; the 45-day response window applies here too.
ID: ccpa-readiness.consumer-rights.right-to-correct
Severity: medium
What to look for: Check for a correction mechanism — either as a self-service profile editing feature (consumers can correct their own data in account settings) or as a formal correction request form for non-account-holders. The CPRA (effective January 2023) added correction as an explicit right alongside the existing CCPA rights. Verify that authenticated users can edit their profile fields (name, email, phone, address, and any other PI collected). For non-account-holders who have had their PI collected (e.g., via a lead form), check whether the privacy rights request form includes a "correct" option. Verify corrections are actually persisted to the database and reflected throughout the application. Count all instances found and enumerate each.
Pass criteria: Authenticated users can self-service correct their personal information via a profile settings page. A correction request option exists on the privacy rights form for non-account-holders. Corrections are persisted immediately upon submission. At least 1 implementation must be confirmed.
Fail criteria: No profile editing feature exists. Authenticated users can view their data but cannot edit it. The privacy rights form does not include a correction option.
Skip (N/A) when: Same CCPA threshold analysis — document if skipping.
Cross-reference: The right-to-know check in Consumer Rights verifies the broader request mechanism that should include a correction option.
Detail on fail: Example: "Profile page exists but all fields are read-only. No edit functionality found in settings." or "Privacy rights request form only covers know and delete; no correction option included."
Remediation: Add self-service editing and a correction request option:
// app/settings/profile/page.tsx — self-service correction
'use client'
import { useState, type FormEvent } from 'react'

// Minimal shape used by this page; substitute the project's own User type.
type User = { name?: string | null; phone?: string | null }

export default function ProfilePage({ user }: { user: User }) {
  const [name, setName] = useState(user.name ?? '')
  const [phone, setPhone] = useState(user.phone ?? '')
  const [status, setStatus] = useState<'idle' | 'saving' | 'saved' | 'error'>('idle')

  // PATCH only the correctable fields; the server picks the record from the
  // session, never from a client-supplied id.
  async function save(e: FormEvent<HTMLFormElement>) {
    e.preventDefault()
    setStatus('saving')
    const res = await fetch('/api/user/profile', {
      method: 'PATCH',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ name, phone }),
    })
    setStatus(res.ok ? 'saved' : 'error')
  }

  return (
    <form onSubmit={save}>
      <label>Name <input value={name} onChange={e => setName(e.target.value)} /></label>
      <label>Phone <input value={phone} onChange={e => setPhone(e.target.value)} /></label>
      <button type="submit" disabled={status === 'saving'}>Save Changes</button>
      {status === 'saved' && <p>Changes saved.</p>}
      {status === 'error' && <p>Could not save changes; please try again.</p>}
    </form>
  )
}
On the privacy rights request page, add "Correct inaccurate personal information" as a radio option (see the right-to-know remediation for the full form structure). When a correction request is received, staff should reach out to the consumer within 45 days to gather the corrected information and update the records.
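The remediation above shows only the client side. The following is an added example of the server-side logic that the PATCH /api/user/profile call and the non-account-holder request route both need; it is not part of this check or the project's code. It assumes a hypothetical ProfileStore repository interface (an in-memory stand-in is included so it runs offline), a session object that carries the authenticated user's id, and omits the Next.js route wrapper. It covers both paths described in this check: the authenticated self-service correction, which selects the record from the session so a client cannot correct another consumer's data, validates only the correctable fields, and persists immediately with an audit entry; and the correction request for non-account-holders, which is logged with the 45-day response deadline so staff can see when it falls due.

```typescript
// Hypothetical server-side counterpart to the profile page (added example, not project code).
// In Next.js this would sit inside the PATCH handler of app/api/user/profile/route.ts.

export type ProfileRecord = { id: string; email: string; name: string | null; phone: string | null }
export type Session = { userId: string } | null
type Correctable = Partial<Pick<ProfileRecord, 'name' | 'phone'>>

// Assumed repository interface; the real implementation would be the project's database layer.
export interface ProfileStore {
  get(id: string): ProfileRecord | undefined
  update(id: string, fields: Correctable): ProfileRecord
}

// In-memory stand-in for the database; records an audit entry for every correction.
export class InMemoryProfileStore implements ProfileStore {
  private rows: Map<string, ProfileRecord>
  readonly audit: Array<{ userId: string; fields: string[]; at: Date }> = []

  constructor(seed: ProfileRecord[]) {
    this.rows = new Map(seed.map((r): [string, ProfileRecord] => [r.id, r]))
  }

  get(id: string): ProfileRecord | undefined {
    return this.rows.get(id)
  }

  update(id: string, fields: Correctable): ProfileRecord {
    const row = this.rows.get(id)
    if (!row) throw new Error(`no profile with id ${id}`)
    const next: ProfileRecord = { ...row, ...fields }
    this.rows.set(id, next)
    this.audit.push({ userId: id, fields: Object.keys(fields), at: new Date() })
    return next
  }
}

const NAME_MAX_LENGTH = 120
// Permissive phone check: optional '+', then digits with spaces, dashes or parentheses.
const PHONE_PATTERN = /^\+?[0-9][0-9 ()-]{6,19}$/

export type CorrectionResult =
  | { status: 200; body: ProfileRecord }
  | { status: 400 | 401 | 404; body: { error: string } }

// Self-service correction for the authenticated user only. The record is chosen from the
// session; any id in the request body is ignored, so one user cannot edit another's data.
export function correctProfile(session: Session, rawBody: unknown, store: ProfileStore): CorrectionResult {
  if (!session) return { status: 401, body: { error: 'authentication required' } }
  if (!store.get(session.userId)) return { status: 404, body: { error: 'profile not found' } }
  if (typeof rawBody !== 'object' || rawBody === null) {
    return { status: 400, body: { error: 'JSON object expected' } }
  }
  const input = rawBody as Record<string, unknown>
  const fields: Correctable = {}

  if ('name' in input) {
    const name = typeof input.name === 'string' ? input.name.trim() : ''
    if (name.length === 0 || name.length > NAME_MAX_LENGTH) {
      return { status: 400, body: { error: `name must be 1-${NAME_MAX_LENGTH} characters` } }
    }
    fields.name = name
  }
  if ('phone' in input) {
    const phone = typeof input.phone === 'string' ? input.phone.trim() : ''
    if (!PHONE_PATTERN.test(phone)) {
      return { status: 400, body: { error: 'phone number format not recognised' } }
    }
    fields.phone = phone
  }
  if (Object.keys(fields).length === 0) {
    return { status: 400, body: { error: 'no correctable fields supplied' } }
  }
  // Persist immediately so the correction is reflected everywhere the profile is read.
  return { status: 200, body: store.update(session.userId, fields) }
}

// Non-account-holders: log the request with the statutory response deadline.
export const RESPONSE_WINDOW_DAYS = 45

export type CorrectionRequest = {
  email: string
  description: string
  receivedAt: Date
  dueBy: Date
  status: 'open' | 'resolved'
}

export function openCorrectionRequest(email: string, description: string, receivedAt = new Date()): CorrectionRequest {
  const dueBy = new Date(receivedAt.getTime() + RESPONSE_WINDOW_DAYS * 86_400_000)
  return { email, description, receivedAt, dueBy, status: 'open' }
}

export function isOverdue(req: CorrectionRequest, now = new Date()): boolean {
  return req.status === 'open' && now.getTime() > req.dueBy.getTime()
}
```

The validation is intentionally a whitelist: only name and phone are read from the body, and the record id comes from the session, which is the check that keeps a self-service correction endpoint from becoming a way to edit other consumers' records. The audit array stands in for whatever change log the project keeps; a correction that cannot be traced is hard to defend in a dispute over what the consumer asked for.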