CCPA/GDPR Data Request Response Explained
If you submitted a data access, deletion, or portability request under CCPA, GDPR, or a similar privacy law, the company's response can be surprisingly hard to decipher. Understanding whether they actually complied with your request is essential.
This guide is general educational information, not professional advice. If the document involves a serious deadline, lawsuit, tax issue, health decision, or major financial consequence, get qualified help.
What this document usually means
A CCPA or GDPR data request response is the company's formal reply to your exercise of privacy rights. Under these laws, you can request to know what personal data a company holds about you, ask them to delete it, or ask them to provide it in a portable format. The company is required to respond within specific timeframes, typically thirty to forty-five days under CCPA or one month under GDPR.
The response should confirm what action was taken: whether they provided your data, deleted it, or partially complied with an explanation for any portions they could not fulfill. Some responses include the actual data, while others provide instructions for downloading it from a portal.
The first things to check
Check whether the response addresses your actual request. If you asked for deletion, confirm they say the data has been deleted rather than just acknowledging your request. If you asked for access, check whether the data provided is comprehensive or appears incomplete. Companies sometimes provide only a narrow subset of what they actually hold.
Look for exceptions and exemptions. Companies can deny certain requests under specific circumstances, such as legal obligations to retain data, fraud prevention, or the exercise of free speech. The response should cite the specific legal basis for any denial. Also check whether the response covers all their systems or only some.
Common reasons this letter feels confusing
These responses often use the technical language of the applicable privacy law without explaining what it means in practice. References to "categories of personal information" under CCPA or "legitimate interests" under GDPR can be opaque. The response may also distinguish between data the company collected directly and data obtained from third parties, which adds complexity.
Partial compliance is particularly confusing. The company might say they deleted some data but retained other data under an exemption. Without understanding the legal basis for the exemption, it is hard to know whether the response is legitimate or whether the company is simply avoiding full compliance.
What to do before you pay or respond
Compare what you received to what you requested. If the response seems incomplete or does not address your request, you have the right to follow up. Under both CCPA and GDPR, you can escalate to the relevant enforcement authority, the California Attorney General for CCPA or a Data Protection Authority for GDPR, if you believe the company did not comply.
Keep records of your original request, the company's response, and any follow-up communications. If you received your data, review it to understand what the company has collected about you and consider whether you want to submit a deletion request. If your deletion request was partially denied, evaluate whether the cited exemptions seem reasonable.
How Letter Lens can help
Letter Lens can analyze the company's response to your data request and explain whether they fully complied, partially complied, or denied your request, and what legal basis they cited. Upload the response and get a clear assessment of where things stand.
Letter Lens cannot file complaints with regulatory authorities on your behalf, but it can help you understand the response well enough to decide whether to accept it or escalate.