DSR Fulfillment Deadlines: Response time for the various data privacy laws

Fulfilling Data Subject Requests (DSRs) can be complex for various reasons (multiple data sources, millions of lines of data, numerous departments within an organization, collaboration, understanding varied fulfillment deadlines, and the sheer number of DSRs received). The purpose of this document is to remove one of those complicating factors from the equation and make DSR fulfillment easier. This document goes through each of the data privacy laws, reviews the DSR rights each law provides, and calculates the response time for a standard DSR fulfillment as well as for an extended DSR fulfillment.

Current Privacy Laws

The GDPR and the CCPA are the two data privacy laws currently in effect that require compliance from many American companies. Under specified conditions, these laws allow for delays in the fulfillment of DSRs. They both allow for a delay in DSR fulfillment when the controller receives DSRs that are either too numerous or too complex. The CCPA also allows for delays when data needed to fulfill the DSR is kept on a legacy system that isn’t ordinarily accessed.

The General Data Protection Regulation (GDPR)

Under the GDPR, controllers initially have 1 month to respond to all DSR request types. If the controller cannot fulfill the request in that time, the controller must inform the data subject that there will be an extension as well as the reason for the necessity of the extension. An extension grants the controller an additional 2 months to fulfill the DSR. Therefore, a standard DSR must be fulfilled within one month of the request and a DSR that has been extended must be fulfilled within 3 months of the request.

The shortest period that a month can last is 28 days, and the shortest period that 3 consecutive months can last is 89 days. Therefore, the following response times can be used as defaults to guarantee timely DSR fulfillment. It is certainly possible to strictly adhere to the ‘1 month/3 month’ approach, but the ‘days’ approach is often easier to implement in automated systems.

DSR Type            Initial Request Response Time    Total Response Time allowed in case of an extension
Access              28 Days                          89 Days
Rectification       28 Days                          89 Days
Erasure (Delete)    28 Days                          89 Days
Restriction         28 Days                          89 Days
Data Portability    28 Days                          89 Days
Objection           28 Days                          89 Days
Stop Profiling      28 Days                          89 Days
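An added example (not part of the original document or of Clarip's product) of the ‘days’ approach described above: a small deadline calculator that compares GDPR calendar-month deadlines with the 28/89-day defaults and also computes the CCPA fixed-day and business-day deadlines from the tables on this page. It assumes that ‘one month’ is counted by calendar-month arithmetic clamped to the last day of the target month, and that business days are Monday to Friday with no public holidays modelled.

```python
from datetime import date, timedelta
import calendar


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; a day that does not exist in the target
    month (e.g. 31 Jan + 1 month) is clamped to that month's last day (assumption)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    last_day = calendar.monthrange(y, m)[1]
    return date(y, m, min(d.day, last_day))


def add_business_days(d: date, n: int) -> date:
    """Count Monday-Friday only; public holidays are not modelled (assumption)."""
    cur = d
    while n > 0:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            n -= 1
    return cur


def gdpr_deadlines(received: date, extended: bool = False) -> dict:
    """Return the calendar-month deadline and the fixed-day default (28 or 89 days)."""
    months, days = (3, 89) if extended else (1, 28)
    return {"calendar": add_months(received, months),
            "fixed": received + timedelta(days=days)}


def ccpa_deadline(dsr_type: str, received: date, extended: bool = False) -> date:
    """CCPA: Know/Delete 45 days (90 with extension); Opt Out 15 business days."""
    if dsr_type == "opt_out":
        return add_business_days(received, 15)
    return received + timedelta(days=90 if extended else 45)


def fixed_floor_is_safe(year: int) -> bool:
    """Check, for every receipt date in a year, that the fixed-day default never
    lands after the calendar-month deadline, i.e. it is a safe conservative floor."""
    d = date(year, 1, 1)
    while d.year == year:
        for ext in (False, True):
            dl = gdpr_deadlines(d, ext)
            if dl["fixed"] > dl["calendar"]:
                return False
        d += timedelta(days=1)
    return True
```

Running fixed_floor_is_safe over a leap year and a non-leap year shows why 28 and 89 days are safe defaults: the fixed-day deadline equals the calendar-month deadline in the worst case (for example 31 January to 28 February) and is earlier otherwise.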

California Consumer Privacy Act (CCPA)

When a California data subject exercises the Right to Know or Delete, businesses have 45 days to disclose and deliver the information. Under the CCPA, verifying a consumer’s identity is not an excuse to extend the deadline. However, with a valid reason for extension, the rights to Know or Delete can be extended to allow the controller a total time of 90 days to complete the requested DSR. When a consumer exercises their right to opt out, the controller must comply within 15 days, without the possibility of extension.

DSR Type            Initial Request Response Time    Total Response Time allowed in case of an extension
Delete              45 Days                          90 Days
Know (Access)       45 Days                          90 Days
Opt Out of Sale     15 Business Days                 15 Business Days

Future Privacy Laws

The California Consumer Privacy Act has been partially amended by the California Privacy Rights Act. The name of the law won’t change but the impact that it has will. Accordingly, it makes sense to analyze the amended law separately from the original form of the CCPA.

California Consumer Privacy Act as Amended by California Privacy Rights Act (CPRA) [Hereinafter CCPA*]

When a California data subject exercises the Right to Know, Delete, or Correct, businesses have 45 days to disclose and deliver the information. Under the CCPA*, verifying a consumer’s identity is not an excuse to extend the deadline. However, with a valid reason for extension, the rights to Know, Delete, or Correct can be extended to allow the controller a total time of 90 days to complete the requested DSR. When a consumer exercises their right to opt out, the controller must comply within 15 business days, without the possibility of extension.

DSR Type            Initial Request Response Time    Total Response Time allowed in case of an extension
Correct             45 Days                          90 Days
Delete              45 Days                          90 Days
Know (Access)       45 Days                          90 Days
Opt Out of Sale     15 Business Days                 15 Business Days

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA provides that controllers must respond to requests from consumers exercising their rights within 45 days, which may be extended once for an additional 45 days, with an explanation of the reason for the delay. The VCDPA also grants consumers the right to appeal a controller’s refusal of such a request through a novel “conspicuously available” appeal process to be established by the controller. Within 60 days of receiving an appeal, a controller must inform the consumer in writing of its response to the appeal, including a written explanation of the reasons for the decision. If the controller denies the appeal, it must also provide the consumer with an “online mechanism (if available) or other method” through which the consumer can submit a complaint directly to the Attorney General.

DSR Type            Initial Request Response Time    Total Response Time allowed in case of an extension
Access              45 Days                          90 Days
Correct             45 Days                          90 Days
Delete              45 Days                          90 Days
Data Portability    45 Days                          90 Days
Opt Out             45 Days                          90 Days
Appeal              60 Days                          60 Days

Colorado Privacy Act (CPA)

Like the GDPR, CCPA, and VCDPA before it, the CPA requires a controller to respond to a consumer rights request within 45 days of receipt, and the controller may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business extends that deadline, it must notify the consumer within the initial 45-day response period with an explanation for the extension.

Like the VCDPA, the CPA also provides consumers the right to appeal a business’s denial to take action within a reasonable time period. Unlike the VCDPA, the CPA provides controllers with a 45-day window to respond to the appeal and also allows for a 60-day extension to respond to the appeal when reasonably necessary.

DSR Type            Initial Request Response Time    Total Response Time allowed in case of an extension
Access              45 Days                          90 Days
Correct             45 Days                          90 Days
Delete              45 Days                          90 Days
Data Portability    45 Days                          90 Days
Opt Out             45 Days                          90 Days
Appeal              45 Days                          105 Days

Mitigate the Response Complexities

The hurdles to DSR compliance are numerous and costly. There are many different approaches to DSR compliance and inevitably some approaches are better than others. The Clarip approach doesn’t involve numerous repetitive surveys nor manually searching through millions of lines of data. The Clarip approach is an automated solution that tracks the relevant deadlines and allows clients to customize what happens when those deadlines approach. Clarip makes DSR fulfillment seem easy and manageable with centralized DSR tracking in the Clarip Privacy Center. Take control of your DSR response through Clarip’s automation. Clarip’s DSR solutions are available for GDPR, CCPA, CCPA*, VCDPA, and CPA. Contact us today to find out more at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.