Vishal Lakhani

Map, Identify, & Automate Data Subject Access Request with DSAR Process

Updated: May 8, 2023


Table of Contents

  1. Introduction

  2. GDPR DSAR Requirements

  3. CCPA/CPRA DSAR Requirements

  4. VCDPA DSAR Requirements

  5. CPA DSAR Requirements

  6. CTDPA DSAR Requirements

  7. UCPA DSAR Requirements

  8. Conclusion


The fact that consumer data privacy laws exist isn't news to many business owners – but the fact that there are new, emerging, and amended consumer data privacy laws might be.


Recently, 5 states in the USA have passed data privacy laws that are all set to be enacted by the end of 2023, and other states are preparing now as you read.


Like the EU's General Data Privacy Rights Act (GDPR), all the recent data privacy laws in the United States focus heavily on the DSAR process.


Let's look at what that means and how you can be prepared to get your business in compliance.


Consumer Data Access Requests by Law

Each law has similar but slightly different interpretations and regulations regarding what steps to follow when fulfilling a DSAR.


Let’s start with where it all started: Europe's GDPR.


EU GDPR (General Data Protection Act)

The GDPR went into effect on May 25, 2018. Its goal was to unify European countries under a single, expansive set of rules regarding data privacy.

Even if your company isn't based in Europe, if you have a website or app that gets users from Europe, you will fall under the GDPR, whether you're a SaaS, e-commerce business, agency, or other online business, and your business must comply with the GDPR regarding DSAR requests.


Under Article 15 of the Europe GDPR, EU citizens have the right to know:

  • The purpose for which their data was processed

  • The categories of personal data concerned

  • Who will be receiving their data

  • How long that data will be stored

  • If automated decision-making was involved

  • That a complaint can be lodged with the authorities

  • What source their data was collected from

  • The existence of rights to request corrections, deletions, and objections to sharing of personal data

In short, if an EU citizen requests any of the above information from your business, you must respond and take swift action to give them the information they desire.

The GDPR does not take the handling of personal information lightly. If you do not have immaculate records, your company could face fines, penalties, and loss of a good reputation.


California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

The California CCPA was signed into law on June 28, 2018. It was heavily influenced by the GDPR and followed many of the same rules and regulations.


The CPRA is set to be enacted on July 1, 2023. It is an extension of the CCPA and has its own enforcement agency. The CCPA and the CPRA go hand-in-hand, so we'll explore their DSAR requirements in tandem.


Combined, under the CCPA and CPRA, California residents have the right to:

  • Know what personal information a business collects about them

  • Delete personal information

  • Opt out of the sale of their personal information

  • Provide consent to the sale of personal information for residents under 16

  • Non-discrimination for exercising their rights

  • Correct inaccurate information

  • Limit the use and/or disclosure of personal information

  • Share personal information


Just like the GDPR, the CCPA and CPRA take personal privacy rights very seriously. Since the laws are still relatively new, the CCPA and CPRA give businesses a rectification period of 45 days if they are found violating the law.


However, that rectification period will be sunset by 2024. Your business should be in full compliance now instead of relying on rectifications – they won't last.


Virginia Consumer Data Privacy Act (VCDPA)

The VCDPA was enacted on January 1, 2023. It states DSAR requirements succinctly and narrows them somewhat, giving businesses and consumers mutual respect regarding data privacy. Under the VCDPA, Virginia residents have the right to:

  • Access their personal data

  • Make corrections to data that's already out there

  • Delete any personal data they no longer want to be shared

  • Get a copy of their personal data

  • Opt out of having their personal data processed

  • Opt out of targeted advertising

  • Non-discrimination for exercising their rights

  • Complain if their rights are being violated


Businesses must respond to these requests within 45 days, but there is a rectification period of an additional 45 days if need be.

All requests and complaints must be submitted through the Attorney General; under the VCDPA, citizens do not have the right to private action against a business for violating their rights.


Colorado Privacy Act (CPA)

The CPA has been passed, but it will go into effect on July 1, 2023. Much like the others, it, too, has specific rights and actions that Colorado citizens can take when it comes to DSARs. These include the rights to:


  • Opt out of data processing, targeted advertising, personal data sales, and profiling

  • Know if a controller is processing their information

  • Access, correct, or delete personal data

  • Get a copy of their personal data in an easy-to-read format up to 2 times per calendar year

The CPA explicitly states that the data consumers request must be readable and in plain language. Businesses cannot try to mask what they're doing by using overly complicated terms.

Even if a business does give consumers the information they request, a company is still subject to violations if that information is not accessible or understandable.


Connecticut Data Privacy Act (CTDPA)

The CTDPA has passed – and it's going into effect on July 1, 2023. Under the CTDPA, Connecticut residents have the right to:

  • Know what types of personal information a business is processing

  • Understand the purpose behind processing each piece of personal information

  • See which third parties that personal information is being shared with

  • A way of electronically contacting a business for more details regarding personal information


The CTDPA does allow a 45-day grace period for rectification on DSARs – but only when necessary. That means if your business doesn't have a valid need for the 45-day grace period, your appeal could be rejected, and you could still be subject to fines.


Utah Consumer Privacy Act (UCPA)

The UCPA is set to be enforced on December 31, 2023. It makes Utah the fifth state in the USA with a data privacy law that can be enforced in 2023. Much like the others, there are specific provisions under the UCPA concerning DSARs. Utah residents have the right to:

  • Know and access their personal data

  • Delete personal data they no longer want to be shared

  • Get copies of their personal data records in a portable format

  • Non-discrimination for exercising their rights

It is predicted that further amendments will be made to this law regarding DSARs, so stay tuned in and ensure that you're taking all the proper precautions.


Summary of DSAR Process by Law

Data privacy laws in and outside the US focus heavily on DSARs. It is wise to keep your business one step ahead by getting into compliance now, before it's too late. "Not knowing" is no longer a valid excuse. All the laws we just discussed cover these basics:


Consumers have the right to:

  • Easily access how, when, where, and why their personal information is being shared

  • Delete or correct their personal information

  • Non-discrimination for exercising their personal

  • Be spoken to in plain language

  • Get a timely response from businesses upon making a request


Final Take:

A Consent Management Platform (CMP) can help you manage the DSAR process no matter your business size, where it's located, or which customers you're targeting.

A good CMP will keep you in compliance across the globe and provide you with the automated tools you need to respond to data requests in minutes – not days or weeks – putting you well ahead of any grace periods.


It will also ensure your end users have quick and easy means to contact your business and make their requests. You'll also have immaculate records of these requests, their preferences, and where their data is going.


Adzapier has just the tool for you when managing DSARs. Schedule a free demo with one of our privacy experts today to see how easy it is to comply!
