
What Does the CCPA Require You to Redact?

Neetusha · Founder & CEO of RedactifyAI

The CCPA requires businesses to redact third-party personal information from documents before disclosing them in response to consumer access requests, and to treat stored documents as candidates for proactive redaction in order to qualify for the Section 1798.150 safe harbor. The statute does not consistently use the word "redaction," but the obligation is built into how its consumer rights work.

The three situations that create a redaction obligation

Consumer access requests (DSARs). Under Section 1798.100, consumers can request the personal information a business holds about them. When you respond, you must disclose the requester's data but redact any personal information belonging to other people in the same documents. Handing over a contract that includes another person's Social Security number alongside the requester's name is a violation. Businesses have 45 calendar days to respond, extendable to 90.

Right to opt-out. When a consumer opts out of the sale or sharing of their data under Section 1798.120, any documents containing their personal information must be redacted before further sharing continues.

Breach safe harbor. Section 1798.150 gives consumers the right to sue after a breach involving "nonencrypted and nonredacted personal information." Businesses that redact stored documents proactively can block that lawsuit even if a breach occurs. For the safe harbor to be meaningful, the redaction must actually remove the data from the stored copy rather than merely hiding it behind a visual overlay that can be lifted.

What the CCPA does not require you to redact

Over-redaction is a compliance risk too. The CCPA does not require redaction of the requesting consumer's own data (that is what they asked for), aggregated or properly de-identified information, publicly available information the consumer made public themselves, or business contact information used in a purely commercial context.

How this differs from HIPAA and GDPR

HIPAA specifies exactly 18 Safe Harbor identifiers to remove from patient records. GDPR requires redaction under the data minimization principle but has no equivalent to the CCPA's class-action safe harbor. The CCPA covers 11 broad categories of personal information and applies to consumer data across any industry, not just healthcare or organizations with EU operations. For a side-by-side comparison, see our CCPA vs GDPR redaction guide.

Stop redacting documents manually

RedactifyAI detects PII automatically and redacts it permanently. Not just a black box overlay. Try it free, no credit card required.