What Is a Data Subject Access Request?
A Data Subject Access Request (DSAR) is a formal request from a consumer exercising their privacy rights under state law. While the specific rights vary by state, DSARs generally fall into these categories:
- Right to know/access — The consumer wants to know what personal data you have about them
- Right to delete — The consumer wants you to delete their personal data
- Right to correct — The consumer wants you to fix inaccurate data
- Right to opt out — The consumer wants to stop the sale or sharing of their data
- Right to data portability — The consumer wants their data in a portable format
For e-commerce businesses, DSARs are a regular operational reality. Any customer can submit one, and you are legally required to respond within specific timeframes.
Response Timelines by State
One of the trickiest aspects of DSAR compliance is that each state sets its own response deadlines:
| State | Initial Response Deadline | Extension Available | Total Maximum |
|---|---|---|---|
| California (CPRA) | 45 days | 45 days | 90 days |
| Virginia (VCDPA) | 45 days | 45 days | 90 days |
| Colorado (CPA) | 45 days | 45 days | 90 days |
| Connecticut (CTDPA) | 45 days | 45 days | 90 days |
| Utah (UCPA) | 45 days | 45 days | 90 days |
| Texas (TDPSA) | 45 days | 45 days | 90 days |
| Oregon (OCPA) | 45 days | 45 days | 90 days |
| Montana (MCDPA) | 45 days | 15 days | 60 days |
| Delaware (DPDPA) | 45 days | 45 days | 90 days |
Most states have converged on the 45-day standard with a 45-day extension, but there are exceptions. Montana only allows a 15-day extension. Always check the specific law for the state the consumer is in.
Important: The clock starts when you receive the request, not when you verify the consumer's identity. Do not delay acknowledging receipt.
Setting Up Your DSAR Process
Step 1: Create Intake Channels
You need at least two ways for consumers to submit requests:
- Web form — A dedicated page on your website (e.g., yourstore.com/privacy-request)
- Email address — A monitored inbox (e.g., privacy@yourstore.com)
- Toll-free number — Required by California for businesses with $25M+ in annual revenue
Make these channels easy to find. Link to them from your privacy policy and consider adding a link in your site footer.
Step 2: Acknowledge and Log
When a request comes in:
- Log it immediately — Record the date received, the consumer's identity, the type of request, and the applicable state law
- Acknowledge receipt — Send a confirmation to the consumer within a few business days
- Start the clock — You now have 45 days (in most states) to respond
Step 3: Verify Identity
Before fulfilling any request, you must verify that the person making the request is who they claim to be. This prevents unauthorized access to customer data.
Verification methods for e-commerce businesses:
- Match to existing account — If the consumer has an account, ask them to log in and submit the request from their authenticated session
- Data matching — Ask the consumer to provide 2-3 pieces of information that match what you have on file (email address, order number, shipping address)
- Government ID — For sensitive requests, you may request a copy of government-issued ID (but you must delete the ID copy after verification)
Do not ask for more information than necessary to verify identity. Collecting a Social Security number to verify a DSAR would be excessive and counterproductive.
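One way to implement the data-matching method above, as an added example that is not part of the original page: the customer store, the three field names and the two-of-three threshold are assumptions, and the records are constructed sample data.

```python
# Added example (not from the original page): DSAR identity verification by data
# matching. Assumes a hypothetical customer store; all records are constructed.
# Policy: the requester must supply at least REQUIRED_MATCHES of the three fields we
# already hold (account email, an order number, shipping postal code). Nothing else is
# requested, and the result never reveals which individual field failed.
import hmac
from dataclasses import dataclass

REQUIRED_MATCHES = 2

@dataclass(frozen=True)
class CustomerRecord:
    email: str
    order_numbers: frozenset
    postal_code: str

# Constructed sample data standing in for the e-commerce platform's customer table.
CUSTOMERS = {
    "cust-1001": CustomerRecord("Ann.Lee@example.com", frozenset({"ORD-7781", "ORD-8123"}), "97201"),
}
_EMPTY = CustomerRecord("", frozenset(), "")  # unknown ids take the same code path

def _norm(value: str) -> str:
    # Case- and whitespace-insensitive so "ANN.LEE@example.com " still matches.
    return " ".join(value.strip().lower().split())

def _matches(supplied: str, on_file: str) -> bool:
    # A blank answer never matches; constant-time compare keeps timing uniform.
    s = _norm(supplied)
    return bool(s) and hmac.compare_digest(s.encode(), _norm(on_file).encode())

def verify_requester(customer_id: str, email: str = "", order_number: str = "",
                     postal_code: str = "") -> bool:
    """True only if enough supplied fields match the record held for customer_id."""
    record = CUSTOMERS.get(customer_id, _EMPTY)
    score = int(_matches(email, record.email))
    # sum() rather than any(): every order number is checked, so work does not depend on a hit.
    score += min(1, sum(_matches(order_number, o) for o in record.order_numbers))
    score += int(_matches(postal_code, record.postal_code))
    return record is not _EMPTY and score >= REQUIRED_MATCHES

def verification_log_entry(request_id: str, customer_id: str, verified: bool) -> dict:
    """Audit record for the DSAR log: the outcome only, none of the submitted answers."""
    return {"request_id": request_id, "customer_id": customer_id, "verified": verified}
```

The consumer sees only pass or fail; the per-field score stays inside the function so a wrong guess cannot be used to confirm which pieces of data are on file.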
Step 4: Search and Compile
Once verified, search all systems where you store personal data about that consumer:
- E-commerce platform (Shopify, WooCommerce, etc.)
- Email marketing platform (Klaviyo, Mailchimp, etc.)
- Analytics tools (Google Analytics user data, if identifiable)
- Customer support system (Zendesk, Gorgias, etc.)
- Payment processor records
- CRM or customer database
- Ad platforms (if you can identify the user's data)
Step 5: Fulfill the Request
For access/know requests: Compile the data into a readable format and deliver it securely to the consumer. Many businesses use a secure download link. California requires that you provide data in a "portable and, to the extent technically feasible, readily useable format."
For deletion requests: Delete the data from all systems and direct your service providers to do the same. Document what was deleted and what was retained under an exception (such as data needed for legal compliance or to complete a transaction).
For correction requests: Make the correction in all systems where the inaccurate data exists. Notify service providers to correct their copies as well.
For opt-out requests: Stop selling or sharing the consumer's data immediately. This includes suppressing their data from any data feeds to advertising platforms.
Step 6: Respond to the Consumer
Send a clear, written response that:
- Confirms the actions you took
- Explains any data retained under a legal exception
- Provides information about how to appeal (most states require an appeals process)
- Notes the deadline by which you responded
Exceptions: When You Can Decline a Request
You are not required to fulfill every request. Common exceptions include:
- Legal obligations — You may retain data needed to comply with tax, accounting, or other legal requirements
- Transaction completion — You can retain data necessary to complete an ongoing transaction
- Security — You can retain data needed to detect and prevent fraud or security incidents
- Free speech — Data used to exercise free speech rights may be exempt
- Verification failure — If you cannot reasonably verify the consumer's identity, you can decline the request
When you decline a request, you must explain the reason and inform the consumer of their right to appeal.
Handling High Volumes
If your store receives many DSARs, consider:
- Automating intake with web forms that capture structured data
- Using DSAR management software that tracks deadlines and workflows
- Pre-building data export scripts for your major platforms
- Creating deletion playbooks with step-by-step instructions for each system
- Training customer service staff to recognize and properly route privacy requests
Common Pitfalls
- Missing the deadline — This is the most common violation and the easiest to avoid with proper tracking
- Incomplete searches — Failing to check all systems where customer data lives
- Over-collecting for verification — Asking for too much information to verify identity
- Not notifying service providers — When you delete data, your vendors must delete it too
- No appeals process — Most states require you to offer an appeal mechanism if you decline a request