Providing Clarity To Clients Navigating Compliance With The Complexities Of DSARs & Other Privacy Rights


One of the key components of comprehensive privacy laws is the range of data privacy rights afforded to those the law protects. Among the most common of these is the data subject access request (DSAR), also known as the “right of access.” What the right of access entails varies with the applicable privacy law, such as the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR), but it generally means that a “data subject” or “consumer” may request to know what personal information an entity is processing about them, along with details such as the source of that data and any transfers or disclosures of it. In addition to the right of access, most privacy laws afford some mix of the following rights: 

  • The right to delete one’s personal information. 
  • The right to notice how one’s personal information will be processed (generally via a privacy policy or other “notice”).
  • The right to correct (“rectify”) one’s personal information. 
  • The right to limit how one’s personal information is processed.
  • The right to “data portability,” which refers to the ability to transfer one’s personal information from one platform to another.
  • The right to opt out of the “sale” or “sharing” of personal information (as those terms are defined by the applicable law). 
  • The right to opt out or opt in to processing “sensitive” personal information. 
  • The right to be free from discrimination as a result of exercising one’s privacy rights.
  • The right to opt out of certain automated decision-making and profiling. 
  • In the context of children, there are certain opt-out and opt-in rights to processing their personal information, depending on their age. 

Although many privacy laws share central, overarching themes concerning which privacy rights are afforded, there are critical nuances to account for in compliance. For example, response timelines differ among laws: some require a response within 30 days, while others allow 45 days. Still others mandate the means and methods for submitting privacy rights requests, how such requests must be acknowledged, and the content required in the response. There are also detailed processes for authorizing an agent to exercise an individual’s privacy rights on their behalf. Perhaps most importantly, an organization must institute and follow identity verification procedures, and must follow regulatory guidance on applying “data minimization” principles when confirming the identity of the requester. Verification that is too weak risks an inadvertent data breach by handing one person’s personal information to an unauthorized requester; verification that demands more information than is necessary to confirm identity is itself a compliance failure, as regulators have signaled in recent enforcement actions and advisories. 

Beyond compliance with the patchwork of privacy rights frameworks across comprehensive privacy laws, DSARs in particular are increasingly used as a negotiating lever against an entity, especially when the responsive material is voluminous, costly, and arduous to produce and may contain confidential information. The most common contexts in which we see this are the employer-employee relationship, where a disgruntled employee seeks redress, and the online consumer context, where a banned user seeks reinstatement. Knowing how to navigate these uniquely sensitive situations, including which exemptions may apply, is imperative so that the organization is protected while still complying with the law. 

With more privacy laws being passed and more people exercising their privacy rights, including through consumer-focused “mass automated DSAR request” platforms such as Mine, complying with DSARs and other privacy rights requests is imperative. Aside from reputational risk and its costs, privacy regulators in the European Union, such as France’s CNIL, in the United Kingdom, such as the ICO, and in the United States, including the California Privacy Protection Agency (CPPA), are actively enforcing privacy rights. For example, one of the most notable recent enforcement actions concerning alleged noncompliance with privacy rights was brought by the Swedish Authority for Privacy Protection (IMY), which issued a fine of approximately €5 million (SEK 58 million) against Spotify for failing to uphold the right of access under Article 15 of the GDPR.

At RICHT, we help clients of all types, from consumer-facing offerings to enterprise and business-to-business operations, navigate the complex landscape of DSAR and other data privacy rights compliance, including how to use DSAR automation tools to achieve privacy rights compliance at scale. In an era where data protection laws are becoming increasingly stringent and global in scope, ensuring your company’s compliance is paramount. From drafting compliant privacy policies and privacy rights pages, to data processing agreements (DPAs) with vendors that ensure privacy rights obligations “flow through” to processors, to developing robust DSAR and other privacy rights processes, procedures, and “playbooks,” we aim to place clients in a confident privacy rights compliance posture while they operate their global and usually complex businesses. 


DSAR Data Privacy Rights Law Services We Offer


Compliant Privacy Policies

DSAR Operations & Playbooks

DSAR Responses

E-Discovery & Data Review

Authorized Agent Requests

Privacy Rights Advisory

Data Subject Verification


Find Out How A DSAR Data Privacy Rights Lawyer Can Help

DSAR & Privacy Rights News & Resources

    • Three Lessons From the Latest Celebrity DSAR: UK GDPR Compliance Under Scrutiny
      A high-profile case involving British TV presenter Gregg Wallace’s lawsuit against the BBC illustrates common challenges organizations face when handling data subject access requests (DSARs) under UK GDPR Article 15. First: controllers must process even broad, complex requests efficiently, narrowing only with the requester’s cooperation and ensuring timely, proportionate searches. Second: acknowledge and communicate about extensions or delays early and transparently, as poor communication risks complaints or legal action. Third: apply redactions and exemptions carefully—balancing disclosure with privacy, privilege, and other legal limits—ideally with legal review to avoid appearing opaque. Proper DSAR handling builds trust and lowers legal risks, especially in contentious employment disputes.
      Read More →
    • 2025 State Privacy Guide: Comparison of Rights Under US Consumer Data Privacy Laws
      The evolving landscape of U.S. state consumer data privacy laws now includes 19 statutes with varying consumer rights that create a complex patchwork for businesses to navigate. Recent amendments in Connecticut and Utah have expanded consumer rights, while California’s Privacy Protection Agency has introduced regulations on the right to opt out of automated decision-making technology. This guide includes a detailed chart comparing the rights granted under each law, helping stakeholders understand differences and overlaps. It is part five in a series analyzing key elements of state privacy and AI regulations, with more insights and charts to follow.
      Read More →
    • noyb Win: YouTube Ordered to Honour Users’ Right of Access
      Austria’s data protection authority has ordered YouTube to comply with the EU’s General Data Protection Regulation (GDPR) by providing users access to their personal data. This decision follows a complaint filed by the privacy group noyb in 2019, which alleged that YouTube and other streaming services were violating data access rights. The regulator gave Google four weeks to comply or appeal. The ruling highlights enduring challenges in enforcing user data rights and stresses the importance of timely and transparent data access for consumers.
      Read More →
    • How Long Do I Have to Respond to a DSAR?
      Data Subject Access Request (DSAR) timelines vary by jurisdiction, but meeting deadlines is critical for compliance. Under the CCPA (and, with variations, similar U.S. state laws), companies must confirm receipt within 10 business days and fulfill requests within 45 days, with a possible 45-day extension for complex cases. Opt-out requests must be honored within 15 business days, with no extension. The GDPR requires responses “without undue delay” and no later than one month, extendable by a further two months for complex or numerous requests. Brazil’s LGPD expects prompt responses, typically within 15–30 days. Extensions and rejections must be justified, documented, and handled cautiously to avoid regulatory risk. Efficient DSAR management benefits from automation and centralized processes, enabling jurisdiction-specific deadlines to be met consistently.
      Read More →
    • DSAR Response Letter: How to Properly Respond to Data Subject Access Requests
      This article provides practical guidance on responding to Data Subject Access Requests (DSARs) in compliance with privacy laws, such as the GDPR and CCPA. It breaks down the types of DSARs organizations might receive, outlines timelines and identity verification requirements, and explains when to reject or fulfill requests. The piece includes email templates for acknowledging receipt, verification reminders, completion notifications, and handling scenarios with no result or rejection, helping organizations navigate DSAR workflows efficiently and maintain legal compliance.
      Read More →
    • NOYB Files Complaints Against TikTok, AliExpress, and WeChat for Not Fulfilling DSARs
      Privacy advocacy group noyb has filed complaints against AliExpress, TikTok, and WeChat, alleging that the companies systematically violate the GDPR by denying users full access to their personal data. According to noyb, the platforms either provide incomplete or unintelligible information, corrupted files, or simply ignore data access requests from European users, making it impossible for individuals to exercise their privacy rights under EU law. Regulators in several countries have been asked to investigate and potentially levy significant fines.
      Read More →
    • 5 DSAR Trends Essential for Earning Trust
      Data subject access requests (DSARs), or subject rights requests (SRRs), are evolving. Whether your organization is based in the EU, the US, or elsewhere in the world, consumers’ awareness and expectations are forcing businesses to adapt how they manage SRRs. Keeping track of these trends will help you better meet consumer expectations, win trust, and stay on privacy regulators’ good side.
      Read More →
    • Report Shows Lag in US State Privacy Law Universal Opt-Out Compliance
      A joint study by Consumer Reports and Wesleyan University alleged that 40 online retailers were noncompliant with universal opt-out requirements in U.S. comprehensive state privacy laws. The report claimed 12 websites likely retargeted consumers despite opt-out signals being sent.
      Read More →
    • Regulatory Attention Focused on Deletion Requests
      Data protection authorities worldwide are intensifying their focus on individuals’ rights to have their personal data deleted. This heightened regulatory attention underscores the importance of organizations implementing robust compliance mechanisms to handle deletion requests effectively.
      Read More →
    • CPPA Puts the Brakes on Honda’s Data Privacy Practices
      On March 7, 2025, the California Privacy Protection Agency (CPPA) issued a settlement order imposing a $632,500 fine on American Honda Motor Co., Inc. for violations of the California Consumer Privacy Act (CCPA). The CPPA alleged four main violations: (a) requesting too much information to process data subject rights requests, (b) failing to provide “symmetrical” data sale choices, (c) requiring too much authorized agent verification, and (d) failing to execute contracts with advertising technology partners.
      Read More →
    • EDPB Launches Coordinated Enforcement Framework Action on the Right to Erasure
      On March 5, 2025, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action (“CEF action”), addressing the right to erasure. The new CEF action follows the EDPB’s 2024 CEF action on the right of access.
      Read More →
    • EDPB Adopts Report on GDPR Right of Access Following 2024 Coordinated Enforcement Action
      On January 20, 2025, the European Data Protection Board (EDPB) adopted a report on the implementation of the right of access by controllers under the GDPR (the Report). The right of access was the subject of the EDPB’s third coordinated enforcement action (CEF) in 2024, which involved 1,185 controllers of varying size, industry, and sector.
      Read More →
    • EU Court Rules GDPR Complaints Can’t Be Rejected Based on Frequency
      The EU’s top court (CJEU) issued a preliminary ruling holding that the frequency of complaints made to data protection authorities under the GDPR has no bearing on the validity of a complaint.
      Read More →
    • Belgium: DPA Fines Telecommunications Company €100,000 for Delay in Responding to Access Request
      The Belgian Data Protection Authority (Belgian DPA) published its Decision No. 207/2024, issued on August 23, 2024, in which it fined an unnamed telecommunications company for violations of the General Data Protection Regulation (GDPR) following a complaint from an individual.
      Read More →
    • Microsoft-Owned Adtech Xandr Accused of EU Privacy Breaches
      A complaint was filed in Italy against Microsoft adtech subsidiary Xandr, alleging multiple GDPR violations, including failing to fulfill users’ right of access and using inaccurate data to build user profiles for targeted advertising.
      Read More →
    • UK: High Court Rules Data Subjects Have Right to Know Identities of Recipients of Personal Data
      In its judgment in Harrison v Cameron & Another, the High Court held that under the UK General Data Protection Regulation (UK GDPR), data subjects have the right to be informed of the specific identities of the recipients of their personal data, not just the categories of recipients.
      Read More →
    • EDPB Guidelines On Data Subject Rights – Right Of Access
    • Google Cloud Eliminates ‘Exit Fees’ For Departing Customers (Data Portability)
    • CPPA Enforcement Advisory Re: Data Minimization in Privacy Rights Requests