Quick Hits
- Data subject rights requests run on short clocks, so having a response strategy is critical for timely and complete compliance.
- Mistakes commonly occur when businesses contract with vendors, receive and triage data subject rights requests, and engage in recordkeeping exercises during and after responding to the data subject.
- Growing regulatory power and inquiry are raising the risks associated with improper handling of data subject rights requests.
Understanding the U.S. Data Subject Rights Landscape
A data subject access request (DSAR), sometimes called a consumer rights request under U.S. law, is any request by an individual to exercise statutory rights relating to personal information. Commonly recognized rights include:
| Data Subject Right | What It (Generally) Means |
| --- | --- |
| Right to Access | Individuals can request confirmation of processing and access to their personal data. |
| Right to Know | Individuals can request information describing things like what personal data the business collects about them, the purposes for processing, categories of data disclosed, and categories of recipients. |
| Right to Delete | Individuals can request deletion of personal data collected from or about them. |
| Right to Correct | Individuals can request correction of inaccuracies in their personal data. |
| Right to Portability | Individuals can receive a copy of their data in a portable, technically feasible format. |
| Right to Opt-Out of Sale | Individuals can direct businesses not to “sell” their personal data. The term “sale” is broader than the traditional meaning and often includes disclosures to a third party (i.e., a data recipient other than a service provider or contractor bound by appropriate measures) for any valuable consideration (including a nonmonetary benefit). |
| Right to Opt-Out of Targeted Advertising / Sharing | Individuals can direct businesses not to process their data for cross-context behavioral advertising. |
| Right to Opt-Out of Profiling | Individuals can opt out of profiling used to make decisions that materially affect them, such as eligibility or pricing outcomes. |
| Right to Limit the Use of Sensitive Personal Information | Individuals can direct limits on the use and disclosure of sensitive personal information beyond baseline requirements in some states. |
| Right to Appeal | If a business denies a request, individuals can appeal the decision and receive a written explanation, with regulator referral information if an appeal is denied. |
In some jurisdictions, such as California, additional rights are available in some situations to individuals whose personal information is processed using artificial intelligence or “automated decisionmaking technologies.” In addition, while most state laws limit data subject rights to just those individuals who interact with in-scope businesses in their individual capacities, excluding employee and business-to-business data, these data types are in-scope for data subject rights for businesses that are subject to the California Consumer Privacy Act (CCPA). In other words, employees and job applicants can leverage data subject rights pursuant to the CCPA.
This divergence creates practical complexity for organizations that maintain common HR systems and shared governance. Other challenges arise from the overlapping—but not identical—response timelines, scopes, and exemptions applicable to data subject rights requests under applicable laws. Many of the most common pitfalls experienced by businesses handling DSARs involving U.S. residents arise from these challenges.
Common Pitfalls and Options to Address Them
Pitfall 1: Not Taking Internal Action for DSAR Success
While handling a DSAR may appear to be a largely responsive process, one of the biggest pitfalls is failing to plan before a DSAR is ever received. For example, businesses are often required to verify the identity of the individual making the DSAR before responding and frequently need information about the scope and timeframe of the individual’s request to ensure they respond fully. A well-designed DSAR intake form that requests the data subject’s full name, address, email address, and detailed information about the data subject’s request can materially improve timeliness and completeness.
Likewise, businesses subject to U.S. privacy laws may wish to implement a comprehensive DSAR handling procedure to ensure the business—and the individual fielding such requests—understands the business’s rights and obligations when responding to a DSAR. For example, a thorough, written procedure that explains the business’s intake and verification processes (for employees and others), the exceptions the business may be able to rely upon when responding to a DSAR, the business’s process for responding to each type of DSAR, and templated responses can help even the most mature organization meet statutory deadlines, adhere to verification and security requirements, and avoid over- or under-production of records. This document can also serve as the basis of statutorily required training for employees who will be tasked with responding to DSARs, further supporting broad organizational compliance. In certain jurisdictions, businesses may also be required to maintain request logs for a defined period and document the basis for denials and extensions.
Pitfall 2: Failure to Include Appropriate DSAR Requirements in Vendor Contracts
Because vendors typically hold large amounts of a business’s data, vendors are critical to timely DSAR responses. Accordingly, businesses may want to consider how they will oblige their vendors to participate in the DSAR response process in the contracting stage. Even where not strictly required by law, contract terms that oblige vendors to assist with rights requests within reasonable timeframes and flow down data subject rights, such as deletion and correction obligations, can help businesses meet their obligations. Key provisions can include response timelines aligned to statutory clocks, cooperation and cost provisions, deletion and correction support, and requirements to pass through obligations to sub-processors.
Pitfall 3: Letting the Clock Start Without Triage
Each state privacy law requires businesses to respond within a certain timeframe, often within forty-five days, with a one-time extension typically available when reasonably necessary and with notice to the requester, although some states allow for a longer response period. Notably, California requires businesses to confirm receipt of the DSAR and provide certain information relating to the process within ten business days.
Given the varying response timelines, inbox chaos is the enemy. To bring order to this chaos, businesses can route all DSARs through approved intake mechanisms, such as a web form or a dedicated email address, that are regularly monitored by trained personnel to ensure DSARs are cataloged in a centralized DSAR tracker, assigned to appropriate personnel for handling, and responded to in a timely manner.
A Shifting Landscape and Escalating Regulatory Interest
In addition to the above pitfalls, tracking developments that may affect DSAR obligations is crucial. For example, California’s recently approved CCPA regulations include quiet updates to the sections that address DSAR responses, including a new obligation to ensure data corrected in response to a request to correct remains corrected. Moreover, regulatory interest in data subject rights violations is escalating, with state attorneys general banding together in recent months to support cross-state regulatory enforcement activities. Accordingly, businesses may wish to periodically assess and document their alignment to data subject rights obligations under applicable state privacy law.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and provide updates on the Cybersecurity and Privacy blog as additional information becomes available.