DSAR Response Guide for Businesses 2026: What Is a DSAR & How to Handle It Correctly

A Data Subject Access Request (DSAR) is a formal consumer request for their personal data — and getting the response wrong costs companies millions. This guide covers what a DSAR is, which laws require response, the exact deadlines, and a 10-step process that keeps you compliant under GDPR, CCPA, VCDPA, CTDPA, CPA, and TDPSA.

What Is a DSAR — and Why Businesses Get It Wrong

A Data Subject Access Request (DSAR) — also called a Consumer Rights Request (CRR) under US state laws — is a formal legal mechanism that allows individuals to exercise their rights over their personal data. When a consumer submits a DSAR, they are invoking statutory rights that your business is legally obligated to fulfill.

The most common DSAR types are:

• Right to Know / Access: "What personal data do you have on me?" The consumer wants a copy of all data you've collected.
• Right to Delete: "Delete my personal data." Requires erasure from your systems and any third-party processors you've shared data with.
• Right to Correct: "Fix inaccurate data." Businesses must update incorrect personal information upon request.
• Right to Opt Out: "Stop selling or sharing my data." Requires halting data sales or sharing for targeted advertising.
• Right to Data Portability: "Give me my data in a machine-readable format." Typically applies to data the consumer provided actively.
• Right to Limit: "Only use my sensitive data for core service delivery." Restricts use of sensitive personal information.

The reason businesses get DSARs wrong comes down to three failure modes:

Each of these failure modes has resulted in regulatory enforcement action. We cover the cases below.

Which Privacy Laws Require DSAR Response — and What Are the Deadlines?

Six major regulations require businesses to respond to consumer data requests. Each has different thresholds, deadlines, and penalties. Understanding your applicable law(s) is the first step.

Which Laws Apply to Your Business?

Applicability thresholds vary significantly:

• CCPA/CPRA: Businesses with ≥$25M annual gross revenue, OR that buy/sell/receive data of ≥100,000 California consumers annually, OR that derive ≥50% of annual revenues from selling personal information.
• VCDPA: Businesses that control/process personal data of ≥100,000 Virginia residents annually, OR ≥25,000 residents while deriving >50% of gross revenue from personal data sales.
• CTDPA: Businesses that control/process personal data of ≥100,000 Connecticut consumers annually, OR ≥25,000 while deriving >25% of gross revenue from personal data sales.
• CPA: Businesses that control/process personal data of ≥100,000 Colorado consumers annually, OR ≥25,000 while deriving revenue from selling personal data.
• TDPSA: Businesses that process personal data of Texas residents in the course of commercial activity AND do not qualify as a small business under SBA standards. Broadest net of all US state laws.
• GDPR: Any organization processing personal data of EU residents, regardless of where the business is located.

The 10-Step DSAR Response Process

Following a consistent process is what separates companies that handle DSARs smoothly from those that get caught with missed deadlines and incomplete responses. Here is the complete workflow:

1. Designate a Centralized Intake Channel Every DSAR must enter through a single, monitored channel — typically a dedicated email address (privacy@yourcompany.com), a web form, or a toll-free phone number. The CCPA requires that you offer at least two methods; one must be a web form if you operate a website. All incoming requests must timestamp the moment of receipt, since your response clock starts immediately.
2. Confirm Receipt Within 10 Business Days (CCPA) or Promptly (GDPR) Acknowledge every request — even if you need time to verify identity or gather data. Under CCPA, you must send a confirmation of receipt within 10 business days. This confirmation should: acknowledge the request, state when the consumer can expect a response, and explain your verification process if applicable.
3. Verify the Requestor's Identity Identity verification is legally required before you disclose personal data — to prevent fraudulent access. The standard must be calibrated to the sensitivity of the request. For sensitive data categories, use two-factor verification (e.g., match on name + account email + phone on file). Critically: you cannot require more than reasonably necessary. Demanding a notarized government ID for a basic opt-out request is itself a violation. For authenticated users (logged in), authentication alone is sufficient verification for most requests.
4. Confirm Applicability and Exemptions Not every request must be fulfilled in full. Review whether any statutory exemptions apply: (a) responding would violate confidentiality obligations or third-party rights, (b) the request is manifestly unfounded or excessive (GDPR), (c) the information is subject to attorney-client privilege, or (d) the consumer submitted the same request within 12 months (CCPA limits to two free responses per year). Document your assessment even when you do fulfill the request.
5. Conduct a Cross-System Data Search Issue a documented data search across all systems where the consumer's personal data could exist: CRM, marketing automation, analytics, customer support tickets, financial records, email lists, advertising pixels, data brokers you've shared with, and any third-party processors with a data sharing agreement. Document which systems were searched, the date of search, and who performed it. Incomplete searches are the #1 cause of regulatory findings in DSAR enforcement actions.
6. Compile and De-identify Third-Party Data When preparing the response package for access requests, include all personal data held about the consumer but redact or exclude any personal data relating to third parties (e.g., a support ticket that mentions another customer). If your data store includes inferences drawn from the consumer's activity (ad targeting categories, credit risk scores), these must be disclosed under CCPA/CPRA — they are "personal information" even if the consumer never provided them directly.
7. Deliver the Response in the Required Format For access requests: deliver data electronically in a portable format (CSV or JSON preferred) unless the consumer specifically requests another format. For deletion: provide written confirmation that deletion has been completed, specifying the categories of data deleted and the date. For opt-out: confirm the effective date and which third parties have been notified. Under GDPR, responses must be in clear, plain language — no legalese.
8. Notify Downstream Processors and Data Brokers A deletion or opt-out request doesn't end at your database. Under CCPA, GDPR, and most US state laws, you must instruct service providers and third parties you've shared data with to honor the request. Maintain a current list of all entities you've shared or sold personal data to so you can issue notifications promptly. Failure to propagate deletion downstream is a common gap that regulators specifically investigate.
9. Document Everything — Create a Complete DSAR Record Every DSAR response must be fully documented: the original request, identity verification steps taken, systems searched, data provided or deleted, any exemptions applied with reasoning, all downstream notifications sent, and the final response date. Under GDPR's accountability principle, you must be able to demonstrate compliance. Under CCPA, records must be kept for 24 months. Maintain a DSAR log as a formal record.
10. Establish and Communicate the Appeals Process All US state privacy laws (VCDPA, CTDPA, CPA, TDPSA) require that you offer consumers the right to appeal if you deny their request. The appeal must be reviewed by someone with authority to overturn the original decision — not the same person who denied it. You must respond to appeals within 60 days (VCDPA/CTDPA/CPA) or a "reasonable period" (TDPSA). If the appeal is denied, inform the consumer how to escalate to the state Attorney General's office. Your privacy policy must describe the appeals process in plain language.

Common DSAR Mistakes — and Real Enforcement Cases

Regulatory bodies don't need to prove bad intent to issue fines. Process failures, delayed responses, and inadequate searches are sufficient. Here are documented enforcement actions where DSAR handling failures drove the penalty.

DSAR Compliance Checklist for Businesses

Use this checklist to assess your DSAR readiness before you receive a request:

• ☐ Dedicated privacy request intake channel (email or web form) is live and monitored
• ☐ Privacy policy accurately describes how consumers can submit requests and the appeals process
• ☐ Response tracking system logs receipt date, verification status, response date, and outcome for every request
• ☐ Identity verification procedure is documented and calibrated to request sensitivity
• ☐ Data inventory or records of processing activities (ROPA) documents all systems holding personal data
• ☐ Cross-system search protocol covers all first-party and third-party data stores
• ☐ Downstream processor notification process is documented and tested
• ☐ Response templates exist for each request type (access, deletion, correction, opt-out, portability)
• ☐ Appeals workflow is in place for denied requests, with a separate reviewer
• ☐ DSAR records are retained for at least 24 months
• ☐ Staff training on DSAR obligations is current (especially customer-facing teams who may receive requests first)
• ☐ Global Privacy Control (GPC) signals are recognized and processed as opt-out requests