Educational Information Only - Not Legal Advice. Consult an attorney for your situation.
Back to Privacy Hub

Responding to Business Defenses

Counter-arguments when businesses deny your CCPA/CPRA rights requests

Understanding Your Rights

Businesses often deny CCPA requests citing various exemptions or technicalities. Many of these denials are improper. This guide helps you understand when a business's refusal is legitimate and when you should push back or file a complaint.

1
"We Can't Verify Your Identity" Very Common

The Defense Explained

Business claims they cannot verify that you are who you say you are, and therefore cannot process your request. They may ask for excessive information or simply refuse to engage.

Legal Standard: Verification must be "reasonable" and proportional to the sensitivity of the request. Businesses cannot require you to create an account or provide government ID for most requests. (Cal. Code Regs. tit. 11, § 7062)

Your Counter-Arguments

  • I've provided the same information I used to create my account with you
  • Verification requirements must be proportional to the risk - not a barrier
  • You cannot require me to provide a government ID for standard requests
  • If you can't verify me, you must treat my request as if from an unknown person (delete/opt-out still apply)
  • Regulations require you to use reasonable methods available to you
Sample Response Language

"Your verification requirements are unreasonable under CCPA regulations. I have provided [name, email, account number, etc.] - the same information I used to do business with you. California Code of Regulations section 7062 requires verification to be proportional to the sensitivity of the request. If you truly cannot verify my identity, you must still process opt-out requests and treat deletion requests appropriately. Please specify exactly what additional information you need or process my request."

What to Provide
  • Match information to what you originally provided (email, address, phone)
  • Account numbers or customer IDs
  • Transaction history or order numbers
  • Signed declaration under penalty of perjury (for high-risk requests)
2
"We're Not Covered by the CCPA" Legal Standard

The Defense Explained

Business claims they don't meet the CCPA thresholds (annual revenue, data volume, or revenue from selling data) and therefore don't have to comply.

CCPA Thresholds: A business is covered if it: (1) has gross annual revenue over $25 million; OR (2) buys/sells/shares data of 100,000+ consumers/households; OR (3) derives 50%+ of annual revenue from selling/sharing personal information.

Your Counter-Arguments

  • Demand proof they don't meet any threshold (they bear burden of proving exemption)
  • Consider parent company and affiliate revenues
  • Data brokers are covered regardless of size
  • Check if they have a "Do Not Sell" link (indicates they're covered)
  • Even if not covered by CCPA, they may be covered by other laws
Sample Response Language

"Please provide documentation supporting your claim that you are not subject to the CCPA. The burden is on the business to prove an exemption applies. If your gross annual revenue (including parent companies and affiliates) exceeds $25 million, or if you process data from 100,000+ California consumers, you are covered. I note that your website includes a 'Do Not Sell My Personal Information' link, which suggests you have determined you are covered."

Evidence to Gather
  • Screenshot of their "Do Not Sell" link if present
  • Research on company's revenue (SEC filings, news reports)
  • Information on parent company or affiliates
  • Whether they're registered as a data broker (CA DOJ registry)
3
"Your Data Falls Under an Exemption" Legal Standard

The Defense Explained

Business claims your data is exempt from CCPA (e.g., HIPAA-covered health data, GLBA-covered financial data, employee data, B2B contact data).

Common Exemptions: HIPAA-covered health info, GLBA-covered financial data, FCRA-covered info, DPPA-covered driver info, employee/job applicant data (partial), B2B contact data (partial). But exemptions are narrow and often don't apply.

Your Counter-Arguments

  • Exemptions are narrow - they likely don't cover ALL your data
  • Even if some data is exempt, non-exempt data must still be processed
  • Marketing data is almost never exempt
  • Data used outside the exempt purpose isn't protected
  • Employee/B2B exemptions expired or are limited
Partial Exemptions:

Many exemptions are partial. Even if health data is HIPAA-exempt, marketing data, website tracking, and other consumer data is still covered by CCPA. Demand they process your request for non-exempt data.

Sample Response Language

"While certain data may be subject to exemptions, the CCPA still applies to personal information not covered by those exemptions. Please identify specifically: (1) what data you hold about me, (2) which data you claim is exempt and under what specific exemption, and (3) process my request for all non-exempt data. Marketing data, website cookies, and behavioral data are not covered by HIPAA/GLBA exemptions."

Questions to Ask
  • What specific exemption applies to my data?
  • Which specific data elements are covered by that exemption?
  • What non-exempt data do you hold about me?
  • Will you process my request for non-exempt data?
4
"We Need to Keep Your Data for Legal Reasons" Very Common

The Defense Explained

In response to a deletion request, business claims they need to retain your data for legal compliance, tax records, fraud prevention, or other legal obligations.

Retention Exceptions: Businesses can retain data to: complete transactions, detect security incidents, comply with legal obligations, exercise legal claims, and for internal uses aligned with consumer expectations. But they must still delete data not covered by an exception.

Your Counter-Arguments

  • Exceptions are narrow - most marketing/behavioral data isn't needed for legal compliance
  • They must still delete data not covered by the exception
  • Request they specify exactly what they're retaining and why
  • Data retained under exception must still be limited in use
  • They cannot use "legal reasons" as a blanket excuse to keep everything
Sample Response Language

"I understand certain data may be subject to retention requirements, but this exception is narrow. Please: (1) specify exactly what categories of my data you are retaining, (2) identify the specific legal basis for each category, (3) confirm that retained data will only be used for the stated purpose, and (4) delete all personal information not covered by a specific exception. Marketing preferences, browsing history, and behavioral data are not typically required for legal compliance."

Data That MUST Be Deleted
  • Marketing and advertising preferences
  • Browsing history and cookies
  • Behavioral profiles
  • Social media data
  • Third-party enrichment data
5
"We Don't Sell Your Data" Very Common

The Defense Explained

In response to opt-out request, business claims they don't "sell" data and therefore don't need to honor the opt-out.

"Sale" is Broadly Defined: Under CCPA, "sale" includes sharing data for "monetary OR OTHER VALUABLE CONSIDERATION." This includes ad tech exchanges, data enrichment, and many "free" data sharing arrangements. CPRA adds "sharing" for behavioral advertising.

Your Counter-Arguments

  • "Sale" under CCPA includes non-monetary consideration
  • Sharing with ad networks for targeted advertising is often a "sale"
  • Data sharing for enrichment services is often a "sale"
  • CPRA covers "sharing" for advertising even if not technically a "sale"
  • Ask them to confirm what third-party tracking is on their site
Sample Response Language

"The CCPA defines 'sale' broadly to include sharing data for 'monetary or other valuable consideration.' Please confirm whether you: (1) use third-party cookies or tracking pixels, (2) participate in ad exchanges or real-time bidding, (3) share data with data brokers or enrichment services, or (4) receive any benefit for data sharing. If so, this likely constitutes a 'sale' or 'sharing' under CCPA/CPRA. Please process my opt-out accordingly."

Evidence to Look For
  • Third-party cookies on their website (check browser dev tools)
  • Privacy policy mentions of "partners" or "third parties"
  • Use of Google Analytics, Facebook Pixel, or similar tools
  • Participation in data co-ops or DMPs
6
"You're Not a California Resident" Procedural
The Defense Explained

Business claims you're not entitled to CCPA rights because you don't live in California.

Residency Standard: CCPA protects "consumers" - defined as California residents. You qualify if California is your domicile (true, permanent home) even if temporarily elsewhere. Businesses cannot require excessive proof.

Your Counter-Arguments

  • Provide your California address and state you are a resident
  • Residency is about domicile, not current location
  • Business cannot require you to prove residency with official documents
  • A declaration under penalty of perjury should suffice
  • If they collected data while you were in California, that data is covered
Sample Response Language

"I am a California resident. My California address is [address]. Under the CCPA, I am entitled to exercise my rights as a California consumer. You may not require me to provide government identification or other excessive documentation to prove residency. I declare under penalty of perjury that I am a resident of California. Please process my request accordingly."

7
"We've Already Responded / Need More Time" Procedural

The Defense Explained

Business claims they need additional time to respond, or claims to have already responded to your request.

Deadlines: 10 days to acknowledge, 45 days to respond (can extend once by 45 more days with notice). Extensions require written notice explaining the reason. Total maximum: 90 days.

Your Counter-Arguments

  • Extensions require written notice with reason - did you receive this?
  • Maximum total time is 90 days - have they exceeded this?
  • If they claim to have responded, request proof (email, date, content)
  • Their response may be inadequate even if timely
  • Repeated delays suggest intentional non-compliance
Sample Response Language

"I submitted my request on [DATE]. More than [X] days have passed. I have not received: (1) proper acknowledgment within 10 days, (2) written notice of extension with explanation, or (3) a complete response to my request. Please provide an immediate update on the status of my request and a firm date for completion. If I do not receive a response within [timeframe], I will file a complaint with the California Attorney General."

8
"Your Request is Excessive/Unfounded" Legal Standard

The Defense Explained

Business claims your request is "manifestly unfounded or excessive" and they can therefore deny it or charge a fee.

High Bar: Businesses can only deny "manifestly unfounded or excessive" requests. This is a very high bar - simple requests for your own data are not excessive. Burden is on business to prove the request is excessive.

Your Counter-Arguments

  • This exception is very narrow - routine requests don't qualify
  • Burden is on business to prove the request is excessive
  • Making multiple requests within 12 months is not automatically excessive
  • Requesting all your data is not excessive - it's your right
  • If they claim it's excessive, demand written explanation
Sample Response Language

"My request is not manifestly unfounded or excessive. I am simply exercising my statutory rights under the CCPA. The burden is on you to demonstrate that my request is excessive, and you have not done so. A routine request for access to or deletion of my own data cannot be considered 'excessive.' Please process my request or provide a detailed written explanation of why you believe it qualifies for this narrow exception."

9
"We Had Reasonable Security" (Breach Claims) Legal Standard

The Defense Explained

In a data breach lawsuit, business claims they implemented reasonable security and therefore aren't liable.

Private Right of Action: CCPA § 1798.150 allows lawsuits for breaches resulting from failure to implement "reasonable security." The AG has issued guidance on reasonable security based on CIS Controls. Burden is on business to show they met the standard.

Your Counter-Arguments

  • The breach itself suggests security was inadequate
  • Request discovery on their security practices
  • Compare to AG guidance on reasonable security
  • Look for known vulnerabilities they failed to patch
  • Lack of encryption is particularly damning
Sample Response Language

"The fact that unauthorized access occurred demonstrates that your security was not 'reasonable' as required by Civil Code section 1798.150 and the Attorney General's guidance. Please provide: (1) documentation of your security measures at the time of the breach, (2) when you last conducted a security assessment, (3) whether data was encrypted, (4) whether you followed CIS Controls or equivalent framework. Your claim of 'reasonable security' is contradicted by the breach itself."

10
"You Must Arbitrate This Claim" Procedural

The Defense Explained

Business claims any CCPA dispute must go through arbitration per their terms of service.

Key Points: While arbitration clauses may apply to private lawsuits, you can always file a complaint with the AG regardless of any arbitration agreement. Additionally, some arbitration clauses may be unconscionable under California law.

Your Counter-Arguments

  • Right to file AG complaint cannot be waived by arbitration clause
  • Arbitration clause may be unconscionable (procedural + substantive)
  • You may not have actually agreed to the terms
  • Review the arbitration clause for unenforceable provisions
  • Class action waiver may not apply to California AG enforcement
Sample Response Language

"While I am reviewing my options regarding private claims, I note that: (1) my right to file a complaint with the California Attorney General is not subject to any arbitration agreement, (2) the arbitration clause may be unconscionable under California law due to [procedural issues - e.g., hidden terms, no negotiation] and [substantive issues - e.g., one-sided provisions, fee-splitting], and (3) I reserve all rights to challenge the enforceability of any arbitration provision."

← Back to Privacy Hub Consumer Protection All Hubs

📝 Create Your Demand Letter

Generate a professional demand letter, CA court complaint, or arbitration demand