Under the California Consumer Privacy Act (CCPA), consumers have the right to request access to their personal data from businesses through a Data Subject Access Request (DSAR). Let’s look into the response procedure while staying compliant.
» Is your online store CCPA compliant? Here’s how to ensure CCPA compliance and cookie consent
DSAR Considerations
A DSAR is a formal request made by a data subject to learn which personal information has been gathered and saved by a company. Another party may submit a DSAR on behalf of the data subject as long as consent is provided in the form of a written authorization letter or other supporting documents.
The most common examples are requests by parents or legal guardians on behalf of their minor children, by relatives or friends, or by lawyers on behalf of their clients.
Fulfilling these requests comes with certain risks. Here are some guidelines:
- Requests should be authenticated
- Ensure adherence to strict deadlines
- Automated data scanning can help identify duplicated data
- Avoid personal data sprawl by centralizing data in a secure area
- Avoid data leaks by encrypting consumer responses
- Track and record all activities for compliance validation
- Ensure that the information gets into the right hands
» What if a data breach occurs? Learn how to avoid a CCPA personal data breach
CCPA Requirements for DSAR Compliance
Anytime a customer, employee, or other person submits an access request, the business is required to disclose:
- The types of personal information collected
- The company’s data collection purpose
- Which third parties the company shares the person’s data with
- The sources from which the business collected personal data, if not directly
- The actual personal data collected
Before processing a data request, organizations must verify the user’s identity and maintain a log of all activities. After collecting the relevant data, companies must ensure that it meets DSAR standards without disclosing proprietary or someone else’s personal information and transmit it securely. Otherwise, a data breach or leakage can cost $750 for each leaked record.
CCPA Timelines for DSARs
Businesses subject to CCPA must disclose and deliver the requested data within 45 days, with one extension allowed for up to 45 more days. Other important timelines include:
- Confirm receipt of the request within 10 business days
- Respond to opt-out requests within 15 business days
- Inform vendors to stop selling information within 90 business days
- Maintain a log of requests for at least 2 years
DSARs can be tricky when you’re dealing with large amounts of data. To ensure they’re legal and optimally streamlined, consider automating the process.
Conclusion
While compliance is of the utmost importance, there are DSAR exceptions you should know about, including security (e.g. keeping personal information to detect fraud) and legal compliance (e.g. keeping personal information because the law requires it). To navigate this complex landscape, consider partnering with a specialist solution like PieEye.
» Worried about remaining compliant? Explore PieEye’s products for a solution