Providing Clarity To Clients Navigating Compliance With The Complexities Of DSARs & Other Privacy Rights
One of the key components of comprehensive privacy laws is the range of data privacy rights afforded to those protected by the law. One of the most common of these rights is data subject access requests (DSARs), sometimes referred to as the “right of access.” The nuances of what the right to access entails differ depending on the applicable privacy law, such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR), but generally refer to a “data subject” or “consumer” being able to request to know what personal information an entity is processing, among other details such as the source of such data and transfers or disclosures of the same. In addition to DSARs, there are several other privacy rights afforded under most privacy laws, including a mix of the following:
- The right to delete one’s personal information.
- The right to notice how one’s personal information will be processed (generally via a privacy policy or other “notice”).
- The right to correct (“rectify”) one’s personal information.
- The right to limit how one’s personal information is processed.
- The right to “data portability,” which refers to being able to move one’s personal information from one platform to another.
- The right to opt out of the selling or “sharing” (as regulatorily defined) of personal information.
- The right to opt out of, or opt in to, the processing of “sensitive” personal information.
- The right to be free from discrimination as a result of exercising one’s privacy rights.
- The right to opt out of certain automated decision-making and profiling.
- In the context of children, there are certain opt-out and opt-in rights to processing their personal information, depending on their age.
Although there are central and overarching themes throughout many privacy laws concerning which privacy rights are afforded to those protected under the law, there are critical nuances to account for in terms of compliance. For example, the timelines for response differ among laws: whereas some require a response within 30 days, others may provide 45 days. Still others mandate the means and methods for submission of privacy rights requests, how such requests must be confirmed, and prescribe the content required in a response. Further, there are details regarding the processes for allowing an authorized agent to exercise privacy rights on behalf of an individual. Perhaps even more importantly, instituting and following verification procedures for confirming the identity of the individual making a privacy rights request, consistent with regulatory guidance that such identity confirmation must itself observe “data minimization principles,” is paramount so that legal risk is not created through an inadvertent data breach by giving an unauthorized person someone else’s personal information.
Beyond compliance with the patchwork of privacy rights frameworks among various comprehensive privacy laws, DSARs in particular have been increasingly used as a negotiation tool to leverage against an entity, especially when the contents may be voluminous, costly, and arduous to produce, not to mention the potential for containing confidential information. The most common contexts in which we see this are the employer-employee relationship, where a disgruntled employee is seeking redress, and the online consumer context, where a banned user is seeking to be reinstated. Understanding how to navigate these uniquely sensitive situations, including which exceptions may apply, is imperative so that the organization is protected while still complying with the law.
With more privacy laws being passed and more people choosing to exercise their privacy rights, including via a variety of consumer-focused “mass automated DSAR request” platforms on the market, such as Mine, complying with DSARs and other privacy rights is imperative. Aside from reputational risk and its subsequent cost, privacy regulators ranging from those in the European Union, such as France’s CNIL, and the United Kingdom’s ICO to those in the United States, such as the California Privacy Protection Agency, are actively enforcing privacy rights compliance. For example, one of the most notable recent enforcement actions in the context of alleged privacy rights noncompliance was a matter brought by the Swedish Authority for Privacy Protection (“SAPP”), which issued a €5 million fine against Spotify for its failure to uphold Article 15 of the GDPR.
At RICHT, we help a variety of client types, ranging from consumer-focused offerings to those operating in the enterprise and business-to-business sector, navigate the complex landscape of DSARs and other data privacy rights compliance, as well as how to leverage DSAR automation tools to accomplish privacy rights compliance at scale. In an era where data protection laws are increasingly stringent and global in reach, ensuring your company’s adherence to regulations is paramount. From providing clients with compliant privacy policies and privacy rights pages, to data processing agreements (DPAs) with vendors that ensure privacy rights “flow through,” to developing robust DSAR and other privacy rights processes, procedures, and “playbooks,” we aim to position clients in a confident privacy rights compliance posture while they operate their global and usually complex businesses.
DSAR Data Privacy Rights Law Services We Offer
Compliant Privacy Policies
DSAR Operations & Playbooks
DSAR Responses
E-Discovery & Data Review
Authorized Agent Requests
Privacy Rights Advisory
Data Subject Verification
DSAR & Privacy Rights News & Resources
- Belgium: DPA Fines Telecommunications Company €100,000 For Delay In Responding To Access Request: The Belgian Data Protection Authority (Belgian DPA) published its Decision No. 207/2024, issued on August 23, 2024, in which the Belgian DPA fined an unnamed telecommunications company for violations of the General Data Protection Regulation (GDPR), following a complaint from an individual.
- Microsoft-owned Adtech Xandr Accused of EU Privacy Breaches: A complaint was filed in Italy against Microsoft adtech subsidiary Xandr alleging multiple GDPR violations, including failing to fulfill users’ right to access and using inaccurate data to build user profiles for targeted advertising.
- UK: High Court Rules Data Subjects Have Right To Know Identities Of Recipients Of Personal Data: The High Court, in its judgment in the case of Harrison v Cameron & Another, held that under the UK General Data Protection Regulation (UK GDPR), data subjects have the right to be informed of the specific identities of the recipients of their personal data, not just the categories of recipients.
- EDPB Guidelines On Data Subject Rights – Right Of Access
- Google Cloud Eliminates ‘Exit Fees’ For Departing Customers (Data Portability)
- CPPA Enforcement Advisory Re: Data Minimization in Privacy Rights Requests