Response Letter to Consumer Request to Correct Personal Information
(CCPA/CPRA Compliant)


Summary

This sample letter responds to a consumer's request to correct personal information, a new right added by the California Privacy Rights Act of 2020 (CPRA) amendments to the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code § 1798.100 et seq. This template includes practical guidance, drafting notes, and alternate clauses.

The three default paragraphs of this letter apply when you grant the request in part and deny the request in part. The first alternate paragraphs 1 and 2 apply when you grant the request in full. Second alternate paragraph 1 and paragraph 3 apply when you deny the request. The denial provisions have been designed to offer you choices of available responses. You can customize this template to choose one or more of the options.

Under the CPRA, on receipt of a verifiable request from the consumer, a business must use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer. Cal. Civ. Code § 1798.106(c). Cal. Code Regs. tit. 11, § 7023 and related sections, which became effective March 1, 2023, further expand on the right to correct.

Timing. Timing provisions require a business to confirm receipt of a consumer request within 10 business days and provide information about how the business will process the request. Cal. Code Regs. tit. 11, § 7021(a). The information must describe the business' verification process and when the consumer should expect a response (except in instances where the business has already granted or denied the request). Cal. Code Regs. tit. 11, § 7021(a). You may give the confirmation in the same manner that you received the request, including orally if the consumer made the request over the phone. Cal. Code Regs. tit. 11, § 7021(a).

You have 45 days after receipt of the consumer request to respond. Cal. Code Regs. tit. 11, § 7021(b); Cal. Civ. Code § 1798.130(a)(2)(A). The 45-day period begins on the date of receipt. Cal. Code Regs. tit. 11, § 7021(b). You can deny the request if you cannot verify the consumer within the 45-day period. Cal. Code Regs. tit. 11, §§ 7021(b), 7023(a). You have an extra 45 days to respond if you provide the consumer with notice and the reason you need an additional 45 days to respond. Cal. Code Regs. tit. 11, § 7021(b); Cal. Civ. Code § 1798.130(a)(2)(A).

Determining Accuracy. You must determine whether the contested personal information is more likely than not accurate considering the totality of the circumstances, including:

• The nature of the personal information (e.g., whether it is objective, subjective, unstructured, sensitive)
• How the business obtained the contested information
• Documentation relating to the accuracy of the information whether provided by the consumer, the business, or another source

Cal. Code Regs. tit. 11, § 7023(b)(1)(A)-(C). If the business is not the source of the personal information and has no documentation in support of its accuracy, the consumer's claim of inaccuracy may be sufficient to establish inaccuracy. Cal. Code Regs. tit. 11, § 7023(b). For more on permitted documentation, see Cal. Code Regs. tit. 11, § 7023(d).

Service Providers/Contractors. A business that complies with a consumer's request to correct must correct the personal information at issue on its existing systems and instruct all service providers and contractors to also make the necessary corrections. Cal. Code Regs. tit. 11, § 7023(c).

Language. Note that communications with consumers must be easy to read and understandable to consumers, using plain, straightforward language and avoiding technical or legal jargon. Cal. Code Regs. tit. 11, § 7003(a).

For more practical guidance on responding to data correction requests, see CCPA/CPRA Compliance: Responding to Consumer Data Correction Requests Checklist.

For a California-compliant privacy policy and clauses, see Privacy Policy (CCPA and CPRA Compliant); Privacy Policy Clause: How to Exercise Your Rights (CCPA and CPRA Compliant); and Privacy Policy Clause: Description of Consumer Rights (CCPA and CPRA Compliant). For more guidance on CCPA/CPRA obligations, see California Consumer Privacy Resource Kit (CCPA and CPRA).