One DSAR. Three rights. Thirty-six days. The Honda echo.
Priya Anand
Privacy Operations Lead · Cresta & Co. (Culver City, Los Angeles)
You joined as Privacy Operations Lead in 2024 to build the privacy program from scratch. You report to Daniela Reyes, General Counsel and Chief Privacy Officer. You run the privacy intake desk single-handed.
Cresta is a 1,800-employee California direct-to-consumer wellness brand. The Cresta Move app (840k MAU) collects biometric, cycle-prediction, sleep-stage, and HRV data. Cresta crosses every CCPA threshold.
Twenty-five minutes. Three decisions. Three skill checks. Together they decide whether Cresta's response lands as a category benchmark or as a Honda echo.
Nine days ago Maya Holloway opened the Cresta privacy portal and submitted a single intake with three stacked requests: right to know, right to delete, right to correct.
The intake was not template form-filler. Maya's lawyer attached a three-paragraph cover letter. The letter cites Honda by name. The letter asks Cresta to describe its verification methodology in writing.
Privacy Operations,
On behalf of Maya Holloway (Cresta Move premium subscriber, account closed August 2024), I submit a stacked verifiable consumer request under Cal. Civ. Code §§ 1798.100, 1798.105, and 1798.106, with a § 1798.121 right-to-limit attached as to all Sensitive Personal Information processed.
Cresta has thirty-six days under § 1798.130(a)(2). We are asking for full statutory compliance, not maximalism. The Agency is watching this category of request closely after Honda (CPPA Decision, March 12, 2025).
We offer a 14-day extension on the response window in exchange for a meet-and-confer call. The offer is a professional courtesy. We would prefer to resolve this without filing. Please describe your verification methodology in writing as part of your acknowledgment.
Sofia Vargas
Vargas Privacy Law
Today. Day nine. Thirty-six days remain. Three internal pings land in the next five minutes.
The verification call to Maya is at 10:00. You have 46 minutes. Triage shapes how the next 30 minutes feel; it does not gate the final outcome.
Sofia's cover letter asks Cresta to describe its verification methodology in writing. The methodology is real (phone callback to subscriber-of-record number, two-factor knowledge check, recorded for QA), and it works.
The question is whether to put it in writing now, before verification has even been attempted, or to acknowledge receipt and defer the methodology question to the formal response. Daniela is in her office. She wants your draft reply in the next 18 minutes.
The 45-day clock requires a substantive response, not a methodology preview, under section 1798.130(a)(2). Pre-disclosing process documents to opposing counsel creates an evidentiary record before verification has even run.
Sofia is not your enemy. She is a competent advocate doing her job. But she is also building a file. Whatever you put in writing today is in her file by sundown.
Honda found that pre-verification silence on a stacked request constitutes friction under § 1798.130(a)(7). The CPPA reads delay as a process choice, not a logistical accident.
An acknowledgment costs nothing operationally. Silence costs the statutory presumption of good faith.
A substantive response within 45 days is the statutory baseline under section 1798.130(a)(2). An acknowledgment that names the clock and the response path signals statutory engagement.
Declining the meet-and-confer offer is not adversarial. It is a procedural choice that preserves Cresta's ability to compose the response without an evidentiary record running in parallel. Sofia will recognise the move.
Daniela's office, briefly. The plan: at 10:00 you call Maya's verified phone number on file with the August 2024 account-closure record. You verify two factors against the closed account: the email on file and the last four of the payment method.
Pick a tone for each round: Confrontational / Process-defensive / Collaborative / Apologetic. The centre line is collaborative with one process-defensive moment.
Round 1 of 4 · Opening line
Maya answers on the second ring. Sets the tone for the call.
Round 2 of 4 · Maya asks why verification is needed
Maya: "Why am I going through this? You already have my data."
Round 3 of 4 · Asking the two verification factors
Maya: "Sure, what do you need?"
Round 4 of 4 · Closing the call
Two factors confirmed. The call is closing. What you say now is what Maya remembers.
Verification complete. Maya's three requests are formally in scope. The data team is pulling the Cresta Move database row, the billing system, the marketing CDP, and the Meta lookalike seed.
Jordan Hayes Slacks: "Got 5 min? Re Holloway. Important."
Jordan owns the $14M paid-acquisition budget. The MOVE_CORE_LAL_2024 lookalike audience seeded from Cresta Move app users generated $1.4M in attributable Q1 revenue. Maya's deletion request, executed properly, requires Cresta to delete the seed row AND request Meta delete the propagated lookalike. Jordan wants to argue against the lookalike-deletion duty.
Face-to-face is a relationship-building play. The legal answer is correct, but the audit trail is your notes-to-self, not a Slack thread.
The deletion duty under section 1798.105(a) applies, and lookalike-audience seeding counts as "sharing" under the CPRA addition at section 1798.140(ah). Both are real, in-scope, and not negotiable in a war-room conversation.
Pushing internal privacy questions up the chain reads as abdication of operational authority. The Privacy Operations Lead is the person who answers Jordan's question.
Honda cited internal-process signals as part of the friction analysis. Internal unwillingness to engage on rights-handling reads as friction even when the eventual response is correct.
The Slack thread is now Cresta's evidence. Honda's evidentiary findings turned on internal-record documentation. A Slack thread citing the section numbers at 11:14 AM is the kind of contemporaneous record the Agency credits.
Privacy work lives or dies on the documentation trail. Going to talk in person is a relationship play. Replying in writing is a compliance play. Both are defensible; the writing-first version is harder to misremember six months later.
The Cresta data team has surfaced the source recording of Maya's premium-upgrade call from April 14, 2024. Julian Reeves was the agent. Julian left Cresta in November 2024.
Per Maya's right-to-know, the recording is potentially disclosable. Per her right-to-delete, the recording must be deleted after the response window unless Cresta has a § 1798.105(d) exemption. It does not.
Before disclosure, you have to redact. Four segments are at issue. The transcript is on screen. Tag each: REDACT or KEEP.
Total duration 4:18. Third-party data tagged KEEP is the load-bearing failure mode.
Eight days later. The verification is documented. The recording is redacted. The data team has pulled the four data sources Maya is owed: Cresta Move app database, billing system, marketing CDP, Meta lookalike seed row.
You are on a meet-and-confer call with Sofia Vargas. The call is mid-sentence. The video freezes. The connection drops.
You do not redial. You close the call window. You open the response composer. Twenty-eight days remain.
Daniela signs whatever you compose. The live admissibility indicator updates as you select: Clean / Technically defective / Honda-grade.
The CLEAN response landed. Sofia closed the matter without filing. Maya's separate thank-you is the rare case where a stacked DSAR ends on a relationship-positive note.
The TECHNICALLY DEFECTIVE response triggered Sofia's professional-courtesy cure offer. The cure window saves Cresta from a CPPA filing but signals to opposing counsel that Cresta's first draft missed the bar.
Sofia's cure offer is not a regulator's offer; the CPPA does not run cure windows post-CPRA. The fact that you got one is because Sofia is a pragmatic litigator, not because the regulator owed it to you.
The HONDA-GRADE response triggered the exact failure mode the CPPA published a precedent against two weeks before. The Agency reads the response as evidence of pattern, not accident.
The bad path is recoverable. You are not fired. Cresta survives. M2 will open against the backdrop of an open CPPA investigation.
Maya receives the package on March 19. Her thank-you email arrives Saturday morning, three sentences. She tells her therapist in May that the response was the first time a company had treated her like a person rather than a complaint. She buys a Cresta supplement her therapist recommends.
Daniela archives Priya's draft as the Cresta v1 DSAR template and emails it to her counterpart at three other LA wellness brands. The Audit Committee adds a privacy-program staffing line for FY27. The CPPA's Q2 enforcement summary names Cresta as a category model. Total internal cost: about $3,400. Legal spend: zero.
Priya gets the v1 playbook authorship credit. The October hire that becomes Sarah Ellis is approved at the November board meeting.
Median response time on subsequent stacked requests falls from 24 days to 11. Marketing's lookalike-deletion process becomes a fifteen-minute step rather than a week-long argument.
Maya receives the cured package on April 3, two weeks later than she should have. She doesn't file with the CPPA but writes a privacy-tech blog post in October that reads "They got there. It took longer than it should have." Her therapist no longer recommends Cresta supplements.
Daniela approves the cure inside Sofia's 14-day window and notifies the Audit Committee. The internal post-mortem identifies the defective row by name. Total cost: about $8,400 internal time and $2,200 outside-counsel.
Priya keeps her job. The October hire that becomes Sarah Ellis still happens but with a broader audit scope.
Median response time stays at about 22 days through Q2. Two other plaintiff-side firms send template DSARs in June; both close cleanly but require outside-counsel review.
Maya goes on a privacy-tech podcast in June. Her segment is eleven minutes long. The Wired article runs the same week and reaches two hundred thousand readers. Maya tells her therapist she does not want Cresta supplements anymore.
Cresta is under an open CPPA investigation by May 1. The Audit Committee orders the privacy-program review that hires Sarah Ellis in October, this time under regulatory pressure. Through Q3, outside-counsel time on the Maya matter alone runs to about $480,000. The proposed CPPA penalty range is $1.2M to $4.6M depending on remediation.
Priya keeps her job. Adam says one sentence in his next 1:1 with Daniela: "We needed Sarah six months ago." Daniela does not disagree.
Every stacked DSAR for the rest of the year goes to outside counsel for review. Median response time rises to 42 days. Cresta's 2027 privacy budget triples.
Four months from now, on Tuesday July 14 at 11:42 AM, a privacy researcher named Elena Park will post an X thread tagging the CPPA. The Cresta Move app's Meta Pixel will be in the screenshots. Marcus Wei will have seventeen minutes to walk into the all-hands.