Table of Contents
Introduction
GDPR DSAR Requirements
CCPA/CPRA DSAR Requirements
VCDPA DSAR Requirements
CPA DSAR Requirements
CTDPA DSAR Requirements
UCPA DSAR Requirements
Conclusion
The fact that consumer data privacy laws exist isn't news to many business owners – but the fact that there are new, emerging, and amended consumer data privacy laws might be.
Recently, five states in the USA have passed data privacy laws that are all set to take effect by the end of 2023, and other states are preparing theirs as you read.
Like the EU's General Data Protection Regulation (GDPR), all the recent data privacy laws in the United States focus heavily on the DSAR process.
Let's look at what that means and how you can be prepared to get your business in compliance.
Consumer Data Access Requests by Law
Each law has similar but slightly different interpretations and regulations regarding what steps to follow when fulfilling a DSAR.
Let’s start with where it all started: Europe's GDPR.
EU GDPR (General Data Protection Regulation)
The GDPR went into effect on May 25, 2018. Its goal was to unify European countries under a single, expansive set of rules regarding data privacy.
Even if your company isn't based in Europe, if you have a website or app that gets users from Europe, you fall under the GDPR. It doesn't matter whether you're a SaaS, an e-commerce business, an agency, or another kind of online business; your business must comply with the GDPR's requirements for handling DSARs.
Under Article 15 of the EU GDPR, EU citizens have the right to know:
The purpose for which their data was processed
The categories of personal data concerned
Who will be receiving their data
How long that data will be stored
Whether automated decision-making was involved
That a complaint can be lodged with the authorities
What source their data was collected from
The existence of rights to request corrections, deletions, and objections to sharing of personal data
In short, if an EU citizen requests any of the above information from your business, you must respond and take swift action to give them the information they desire.
The GDPR does not take the handling of personal information lightly. If you do not have immaculate records, your company could face fines, penalties, and loss of a good reputation.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The California CCPA was signed into law on June 28, 2018. It was heavily influenced by the GDPR and followed many of the same rules and regulations.
The CPRA is set to be enacted on July 1, 2023. It is an extension of the CCPA and has its own enforcement agency. The CCPA and the CPRA go hand-in-hand, so we'll explore their DSAR requirements in tandem.
Combined, under the CCPA and CPRA, California residents have the right to:
Know what personal information a business collects about them
Delete personal information
Opt out of the sale of their personal information
Provide consent before the sale of personal information, for residents under 16
Non-discrimination for exercising their rights
Correct inaccurate information
Limit the use and/or disclosure of personal information
Share personal information
Just like the GDPR, the CCPA and CPRA take personal privacy rights very seriously. Since the laws are still relatively new, the CCPA and CPRA give businesses a rectification period of 45 days if they are found to be violating the law.
However, that rectification period will be sunset by 2024. Your business should be in full compliance now instead of relying on rectifications – they won't last.
Virginia Consumer Data Privacy Act (VCDPA)
The VCDPA was enacted on January 1, 2023. It states its DSAR requirements succinctly and somewhat narrowly, giving businesses and consumers mutual respect regarding data privacy. Under the VCDPA, Virginia residents have the right to:
Access their personal data
Correct personal data that has already been collected
Delete any personal data they no longer want to be shared
Get a copy of their personal data
Opt out of having their personal data processed
Opt out of targeted advertising
Non-discrimination for exercising their rights
Complain if their rights are being violated
Businesses must respond to these requests within 45 days, but there is a rectification period of an additional 45 days if need be.
All requests and complaints must be submitted through the Attorney General; under the VCDPA, citizens do not have the right to private action against a business for violating their rights.
Colorado Privacy Act (CPA)
The CPA has passed and will go into effect on July 1, 2023. Much like the others, it has specific rights and actions that Colorado citizens can exercise when it comes to DSARs. These include the rights to:
Opt out of data processing, targeted advertising, personal data sales, and profiling
Know if a controller is processing their information
Access, correct, or delete personal data
Get a copy of their personal data in an easy-to-read format up to 2 times per calendar year
The CPA explicitly states that the data consumers request must be readable and in plain language. Businesses cannot try to mask what they're doing by using overly complicated terms.
Even if a business does give consumers the information they request, it can still be found in violation if that information is not accessible or understandable.
Connecticut Data Privacy Act (CTDPA)
The CTDPA has passed – and it's going into effect on July 1, 2023. Under the CTDPA, Connecticut residents have the right to:
Know what types of personal information a business is processing
Understand the purpose behind processing each piece of personal information
See which third parties that personal information is being shared with
Contact a business electronically for more details regarding their personal information
The CTDPA does allow a 45-day grace period for rectification on DSARs – but only when necessary. That means if your business doesn't have a valid need for the 45-day grace period, your appeal could be rejected, and you could still be subject to fines.
Utah Consumer Privacy Act (UCPA)
The UCPA is set to be enforced on December 31, 2023, making Utah the fifth state in the USA with a data privacy law that can be enforced in 2023. Much like the others, there are specific provisions under the UCPA concerning DSARs. Utah residents have the right to:
Know and access their personal data
Delete personal data they no longer want to be shared
Get copies of their personal data records in a portable format
Non-discrimination for exercising their rights
It is predicted that further amendments will be made to this law regarding DSARs, so stay tuned and ensure that you're taking all the proper precautions.
Summary of DSAR Process by Law
Data privacy laws in and outside the US focus heavily on DSARs. It is wise to keep your business one step ahead by getting into compliance now, before it's too late. "Not knowing" is no longer a valid excuse. All the laws we just discussed cover these basics:
Consumers have the right to:
Easily access how, when, where, and why their personal information is being shared
Delete or correct their personal information
Non-discrimination for exercising their rights
Be spoken to in plain language
Get a timely response from businesses upon making a request
Final Take:
A Consent Management Platform (CMP) can help you manage the DSAR process no matter your business size, where it's located, or which customers you're targeting.
A good CMP will keep you in compliance across the globe and provide you with the automated tools you need to respond to data requests in minutes – not days or weeks – putting you well ahead of any grace periods.
It will also ensure your end users have quick and easy means to contact your business and make their requests. You'll also have immaculate records of these requests, their preferences, and where their data is going.
Adzapier has just the tool for you when managing DSARs. Schedule a free demo with one of our privacy experts today to see how easy it is to comply!