Famously, construction on the Sydney Opera House finished ten years after its original deadline, ballooning its cost from $7 million to $102 million.
The James Webb Telescope was supposed to be orbiting around the Earth 14 years earlier than it was actually launched.
(This blog was supposed to come out last week.)
Humans are famously bad at estimating how long it takes to complete a task. We almost always plan too optimistically. This happens so frequently, in fact, that psychologists have a name for it: the planning fallacy.
Even when there’s a hard deadline in place, we tend to overestimate our ability to meet it.
But if you don’t even know what that deadline is? Well, you might as well have missed it already.
That’s why it’s crucial to know when the law requires you to respond to subject rights requests (or DSARs). After all, you can’t plan to meet a timeline you’re not familiar with. This blog will teach you how long you have to respond to a DSAR here, along with other key timelines and requirements associated with data subject rights requests.
What Is a DSAR?
Data privacy laws give consumers certain rights, which translate into obligations for your organization. Consumers have the right, for example, to request access to all of the data your organization has collected on them. Or, they could request that you delete all of their data. Because it’s their data, they’re called the data subject.
There are multiple types of requests that data subjects have the right to make of your organization. It’s common for people to refer to all of these requests by the term DSAR, even though a DSAR technically only refers to requests to access data. If you want to be accurate, you’d use the term subject rights request, or SRR, to refer to all possible request types. For simplicity, we’ll use the term DSAR in this blog.
There’s a lot to unpack on this subject, so if you want to learn more about the basics of data subject rights, check out our blog, What Is a DSAR? A Complete Guide to Data Subject Access Requests. But if you’re just curious about the timelines involved with DSARs, read on.
DSAR Timeline

The timelines associated with DSARs differ from law to law. The graphic above depicts the timelines associated with multiple laws, but if you’re just curious about one specific law, jump down to the relevant section to learn more.
CCPA/CPRA DSAR Timeline
Under the CCPA, you must confirm receipt of any requests to delete, correct, or know about personal information within 10 days.
These requests need to be fulfilled within 45 days of receipt. It’s possible to extend that period by another 45 days, for a total of 90 days, but you must notify the data subject first and only do so for especially complex requests. We recommend creating documentation that shows your rationale in these cases.
For requests to opt out of the sale or sharing of personal information and requests to limit the use of sensitive personal information, the timeline is shorter: You'll have just 15 days to comply with no chance for an extension. That’s why it’s important to automate these request types with a consent management platform (CMP).
TL;DR:
- 10 days to confirm receipt
- 15 days to fulfill requests to opt-out of sale/sharing and to limit the use of sensitive personal information
- 45 days to complete all other requests, with the option of a 45-day extension
Other US State Privacy Laws DSAR Timeline
Like the CCPA, state privacy laws in the US require you to respond to DSARs within 45 days, with the possibility of a 45-day extension under the same conditions described above.
However, there is no timeline associated with opting out of sale/sharing or limiting the use of personal information. Instead, you’ll have to instantly stop processing consumers’ personal information if they opt out. Again, the best way to achieve this is through a CMP.
Many, but not all, state privacy laws also provide a timeline for appeals over rejected requests. You might reject a request if it’s a duplicate, or if it’s “manifestly unfounded or excessive.” We recommend only rejecting non-duplicate requests with the guidance of legal counsel. But if you do reject a request, then consumers can appeal that decision. In that case, you have 60 days to provide documentation proving your basis for rejecting the request.
TL;DR:
- Instantly stop processing consumers’ personal information if they opt out
- 45 days to complete all requests, with the option of a 45-day extension
- 60 days to respond to appeals for rejected requests
GDPR DSAR Timeline
Under the GDPR, businesses must respond to DSARs “without undue delay” and no later than one calendar month from receipt of the request. Similarly to other privacy laws, businesses may extend the period by another two months. However, if the business chooses to extend the response period, it must inform the data subject of the extension, along with the rationale for the delay, within that first month.
TL;DR:
- One calendar month to complete all requests, with the option of a two-month extension
LGPD DSAR Timeline
Brazil’s LGPD is a bit of an odd one—it has no specific timeline for DSAR responses and only requires a response as soon as possible. For detailed access requests, businesses must respond within 15 days. While there are no specific requirements for other request types, a 30-day response window has emerged as the standard expectation.
TL;DR:
- All requests, except for detailed access requests, must be processed without undue delay
- Detailed access requests must be completed within 15 days
A Note About Extensions and Rejections
If you extend your response or reject a DSAR request, just remember that the burden of proof is on you. Extensions can be low risk so long as there’s a justifiable reason for the delay that you document. Rejecting duplicate requests can also be low risk. Rejecting requests on the basis that they’re “manifestly unfounded or excessive”—a phrase that commonly appears in privacy regulations regarding rejections—is high risk and should be done with the guidance of legal counsel.
Unfortunately, asking for an extension because your data is all over the place and you’re struggling to keep up with the volume of requests you’ve received isn’t going to cut it should a regulator come investigating. Regulators want to see that you’ve made an effort to comply—and handling DSARs in a fully manual way or failing to keep your organization’s data organized doesn’t signal that you’re making a good-faith effort.
Osano can help you manage, execute, and organize subject rights requests. We provide features that help you meet DSAR timelines, like:
- Intake tailored to the data subject’s jurisdiction
- Centralized, secure messaging for sharing information with the data subject
- Alerts for upcoming deadlines
- Built-in guardrails to keep you in compliance with the dozens of privacy laws across the globe
- Automated fulfillment for requests, pending human verification
And we back it all up with our $500,000 “No Fines, No Penalties” Guarantee.
There’s more that we can do to help you maintain compliance with subject rights and other data privacy requirements—book time with an expert to explore all the ways we can help support your compliance.