CCPA Automation: How to Automate Processing Requests

CCPA Toll Free Software uses webhooks to connect to services when receiving a new CCPA request.

Automating the fulfillment of CCPA requests provides both consistency and efficiency to businesses. A number of software companies in big tech Google, Yahoo, Microsoft, or marketing tech Amplitude, Braze, and many more are building APIs so you can programmatically fulfill requests as they come in. APIs useful for CCPA are “Delete Personal Information” or “Retrieve a copy of Personal Information” for a customer. I won’t touch on how our tool verify requests nor how we offer a toll-free number and webform connected to a dashboard on this post. Please checkout our pricing here for that.

At CCPA Toll Free, we want to make it simple to receive, verify and process requests. It is only natural we would look at the APIs from popular software companies to help automate your workflow – maybe making those APIs available at a click from your CCPA Toll Free dashboard. For instance, a lot of our customers use Shopify. We could automate deleting the records from Shopify directly from your CCPA Toll Free dashboard when a request comes in and has been verified. This is a guide which we will update often that explains the different APIs available from companies to automate the fulfillment of CCPA requests. If that’s something of interest to you, contact me at


When you verify a request on your CCPA Toll Free dashboard, we send a webhook event: privacy_request.updated to your webhook URL. In the JSON describing the privacy request, you have the customer information, and the verification status. If verified, you may start calling the retrieve or delete personal information from the services you are currently using, e.g Shopify, or others. Here is a list of services and their API description. & CCPA Toll Free provides a single API to delete the customer information. They provide a manual process to get a copy of your customer information. That means, when processing a retrieve CCPA request, you have to manually compile a folder containing the data from For delete requests however, you may use the API.

Step 1 of the API is to get your API secret key, and site ID available in the dashboard. They currently use Basic Auth for authenticating, so here is an example of an API to delete a user from this documentation. From CCPA Toll Free, you will not have the customer id from You will have to retrieve that from your backend. And then POST to the API as follows:

curl -i \

Shopify & CCPA Toll Free

Shopify has both APIs and webhooks just like we do. The webhooks are useful if you use Shopify as your privacy request manager, and then want to receive HTTP requests when CCPA requests come in. Of course, they are less sophisticated than CCPA Toll Free in managing privacy requests.

Shopify uses GraphQL mutations OR HTTP Requests to process your CCPA requests. If you need to delete a user, you can call the delete API. However, make sure to delete all orders associated with this user first, or you will get an error.

DELETE /admin/api/2020-10/customers/{user_id}.json

To retrieve customer data, you will need to retrieve the customer information, and all the orders associated with the customer. Then compile them into a file, and send to your customer.

Amplitude & CCPA Toll Free

Amplitude is a leader in automating CCPA requests. They are part of the founders of OpenGDPR. In order to delete user data, you can authenticate your request with Basic Auth:

amplitude_ids: Amplitude IDs to be deleted.
user_ids: User IDs to be deleted.
requester: The person who requested the Amplitude ID to be

Amplitude currently does not have an API to retrieve all customer information. Of course, this data is big and probably needs to be asynchronous and send you a file for you to forward to your customer.

Slack & CCPA Toll Free

Customers have opted in using webhooks to send a message to a slack channel when a CCPA privacy request is received. In order to achieve this, follow this tutorial to enable webhooks for your Slack channel. Keep note of the webhook URL. Now go to the CCPA Toll Free dashboard, go to the developers section. At the very top, enter the Slack webhook URL into the text input “Webhook Url”. Select events “privacy_requests.received” only. Every time you receive a new CCPA request, you will receive a message in your Slack channel.


Overall, there are lots of different APIs, authentication methods, and API architectures to learn from to successfully automate CCPA requests. OpenGDPR is a protocol to help standardizing creation and discovery of the status of a CCPA request. Some companies skipped to building a delete/retrieve API as opposed to creating a CCPA request manager following the OpenGDPR protocol, which could make sense if we believe they are not request managers. We are also monitoring the use of a platform like Zapier to connect the different services but it’s still very EARLY!

If you need help with your CCPA compliance, start by signing up. Our services start at $25 / month billed annually, and provide you with a webform, toll-free number, verification methods, webhooks and much more.

CCPA data illustration