DATA SUBJECT ACCESS REQUEST RESPONSE TEMPLATE
[ORGANIZATION NAME]
PART A: REQUEST INTAKE AND TRACKING
Request Information
| Field | Information |
|---|---|
| Request ID | DSAR-[YEAR]-[NUMBER] |
| Date Received | |
| Received Via | ☐ Email ☐ Web Form ☐ Phone ☐ Mail ☐ Other: _____ |
| Requestor Name | |
| Requestor Email | |
| Requestor Phone | |
| Requestor Address | |
| State/Jurisdiction | |
| Response Deadline |
Request Type
☐ Right to Know/Access - Confirm processing and provide data (CCPA 1798.100, 1798.110)
☐ Right to Specific Pieces - Provide specific personal information collected (CCPA 1798.110)
☐ Right to Categories - Disclose categories of PI, sources, purposes, third parties (CCPA 1798.110, 1798.115)
☐ Right to Correct - Correct inaccurate personal information (CPRA 1798.106)
☐ Right to Delete - Delete personal information (CCPA 1798.105)
☐ Right to Opt-Out - Opt-out of sale/sharing (CCPA 1798.120)
☐ Right to Limit - Limit use of sensitive personal information (CPRA 1798.121)
☐ Right to Data Portability - Provide data in portable format
☐ Other: _______________________________
PART B: IDENTITY VERIFICATION
Verification Process
Verification Method Used:
☐ Account login verification
☐ Matching 2+ data points (name, address, email, account number)
☐ Matching 3+ data points (for sensitive data requests)
☐ Signed declaration under penalty of perjury
☐ Third-party identity verification service
☐ Other: _______________________________
Verification Checklist
| Data Point | Provided | Matched | Notes |
|---|---|---|---|
| Full Name | ☐ | ☐ | |
| Email Address | ☐ | ☐ | |
| Mailing Address | ☐ | ☐ | |
| Phone Number | ☐ | ☐ | |
| Account Number | ☐ | ☐ | |
| Last 4 SSN | ☐ | ☐ | |
| Date of Birth | ☐ | ☐ | |
| Transaction History | ☐ | ☐ | |
| Other: ____________ | ☐ | ☐ |
Verification Result
☐ Identity Verified - Proceed with request
☐ Additional Information Needed - Request additional verification
☐ Unable to Verify - Cannot verify identity, request denied
Verification Completed By: _______________________________
Date: _______________________________
PART C: AUTHORIZED AGENT VERIFICATION (If Applicable)
Agent Information
| Field | Information |
|---|---|
| Agent Name | |
| Agent Organization | |
| Agent Contact | |
| Registered with CA SOS | ☐ Yes ☐ No ☐ N/A |
Agent Authorization Verification
☐ Written permission signed by consumer
☐ Power of attorney
☐ Consumer identity separately verified
☐ Agent identity verified
Authorization Document Attached: ☐ Yes
PART D: RESPONSE TIMELINE
Timeline Tracking
| Milestone | Due Date | Completed Date | Notes |
|---|---|---|---|
| Request Received | [AUTO] | ||
| Receipt Confirmation Sent | [+10 business days] | ||
| Verification Request Sent | |||
| Verification Completed | |||
| Data Collection Complete | |||
| Response Prepared | |||
| Legal Review (if needed) | |||
| Response Sent | [+45 calendar days] | ||
| Extension Notice Sent (if needed) | |||
| Extended Response Sent | [+90 calendar days max] |
Extension (If Applicable)
☐ Extension required
Reason for Extension:
☐ Complex request requiring additional time
☐ High volume of requests
☐ Additional verification needed
☐ Other: _______________________________
Extension Notice Sent: ☐ Yes Date: _______________________________
PART E: DATA COLLECTION
Systems Searched
| System/Database | Searched | Data Found | Notes |
|---|---|---|---|
| CRM | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Marketing Database | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Customer Support | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| E-commerce Platform | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Analytics | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| HR System (employee) | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Email/Communications | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Financial Systems | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Third-Party Vendors | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Backup Systems | ☐ Yes ☐ No | ☐ Yes ☐ No | |
| Other: ____________ | ☐ Yes ☐ No | ☐ Yes ☐ No |
Third-Party Processors Contacted
| Vendor/Processor | Contacted | Response Received | Data Returned |
|---|---|---|---|
| ☐ | ☐ | ☐ | |
| ☐ | ☐ | ☐ | |
| ☐ | ☐ | ☐ |
PART F: RESPONSE LETTERS
RESPONSE LETTER 1: RECEIPT CONFIRMATION
[COMPANY LETTERHEAD]
[DATE]
[REQUESTOR NAME]
[ADDRESS]
Re: Confirmation of Your Privacy Rights Request
Request ID: [REQUEST ID]
Dear [REQUESTOR NAME]:
We have received your request submitted on [DATE] to exercise your privacy rights under [applicable law(s)]. Specifically, you have requested:
☐ Access to the personal information we have collected about you
☐ Correction of inaccurate personal information
☐ Deletion of your personal information
☐ Opt-out of the sale/sharing of your personal information
☐ Limitation on use of your sensitive personal information
☐ Other: [SPECIFY]
Verification Required
Before we can process your request, we need to verify your identity. [CHOOSE ONE:]
☐ Based on the information you provided, we have verified your identity and are processing your request.
☐ To verify your identity, please provide the following additional information:
- [LIST REQUIRED INFORMATION]
Please respond to this email or contact us at [CONTACT] within 15 days.
Timeline
We will respond to your request within 45 calendar days of verification. If we need additional time, we will notify you of any extension.
If you have questions, please contact us at:
[PRIVACY CONTACT INFORMATION]
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
RESPONSE LETTER 2: ACCESS REQUEST FULFILLMENT (RIGHT TO KNOW)
[COMPANY LETTERHEAD]
[DATE]
[REQUESTOR NAME]
[ADDRESS]
Re: Response to Your Request for Personal Information
Request ID: [REQUEST ID]
Dear [REQUESTOR NAME]:
We have verified your identity and processed your request to access the personal information we have collected about you. This response is provided pursuant to [California Civil Code Section 1798.110 / Virginia Code Section 59.1-577 / applicable law].
1. Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information about you:
☐ Identifiers (name, email address, postal address, IP address, account name)
☐ Personal information under California Civil Code Section 1798.80(e) (name, address, telephone number)
☐ Commercial information (products purchased, purchasing history)
☐ Internet or network activity (browsing history, search history, interactions with our website)
☐ Geolocation data
☐ Professional or employment information
☐ Inferences drawn from the above categories
☐ Sensitive personal information: [SPECIFY IF APPLICABLE]
2. Sources of Personal Information
We collected this information from the following sources:
☐ Directly from you (account registration, purchases, communications)
☐ Automatically (cookies, pixels, analytics tools)
☐ Third parties (advertising partners, data providers)
☐ Other: [SPECIFY]
3. Purposes for Collection and Use
We use this information for the following purposes:
☐ Providing and improving our products and services
☐ Processing transactions
☐ Communicating with you
☐ Marketing and advertising
☐ Security and fraud prevention
☐ Compliance with legal obligations
☐ Other: [SPECIFY]
4. Third Parties with Whom Information is Shared
We share personal information with the following categories of third parties:
☐ Service providers (payment processors, hosting, customer support)
☐ Business partners
☐ Advertising partners
☐ Analytics providers
☐ Government entities (when required by law)
5. Sale or Sharing of Personal Information
☐ We have sold or shared your personal information to third parties for the following purposes: [DESCRIBE]
☐ We have not sold or shared your personal information
6. Specific Pieces of Personal Information
[IF REQUESTED AND APPROPRIATE:]
The specific pieces of personal information we have collected about you are provided in the attached document. This information is provided in a portable, machine-readable format.
[ATTACH DATA FILE]
7. Retention
We retain your personal information as described in our Privacy Policy, generally for as long as necessary for the purposes described above or as required by law.
Your Rights
You have the right to:
- Request deletion of your personal information
- Opt out of the sale or sharing of your personal information
- [Additional rights per applicable law]
If you believe any information is inaccurate, you may request correction.
If you have questions about this response, please contact us at [PRIVACY CONTACT].
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
Enclosures: [Data file, if applicable]
RESPONSE LETTER 3: DELETION REQUEST FULFILLMENT
[COMPANY LETTERHEAD]
[DATE]
[REQUESTOR NAME]
[ADDRESS]
Re: Response to Your Deletion Request
Request ID: [REQUEST ID]
Dear [REQUESTOR NAME]:
We have verified your identity and processed your request to delete your personal information. This response is provided pursuant to [California Civil Code Section 1798.105 / applicable law].
Deletion Completed
☐ We have deleted the personal information we collected about you from our records.
☐ We have directed our service providers and contractors to delete your personal information from their records.
Exceptions
[IF APPLICABLE:]
We have retained certain personal information as permitted by law for the following reasons:
☐ Complete a transaction or provide a service you requested
☐ Detect security incidents or protect against malicious, deceptive, fraudulent, or illegal activity
☐ Debug to identify and repair errors
☐ Exercise free speech or another legal right
☐ Comply with the California Electronic Communications Privacy Act (Cal. Penal Code Section 1546)
☐ Engage in research in the public interest (with appropriate safeguards)
☐ Enable solely internal uses reasonably aligned with your expectations
☐ Comply with a legal obligation
☐ Make other internal and lawful uses compatible with the context of collection
[DESCRIBE SPECIFIC EXCEPTION AND DATA RETAINED]
What This Means
Your personal information has been deleted from our active systems. Please note:
- Backups may be retained for [PERIOD] for disaster recovery purposes
- We may retain certain information to comply with legal obligations
- Information shared with third parties before deletion may not be recoverable
Confirmation
This letter serves as confirmation that your deletion request has been processed.
If you have questions, please contact us at [PRIVACY CONTACT].
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
RESPONSE LETTER 4: CORRECTION REQUEST FULFILLMENT
[COMPANY LETTERHEAD]
[DATE]
[REQUESTOR NAME]
[ADDRESS]
Re: Response to Your Correction Request
Request ID: [REQUEST ID]
Dear [REQUESTOR NAME]:
We have verified your identity and processed your request to correct inaccurate personal information. This response is provided pursuant to [CPRA 1798.106 / applicable law].
Correction Made
☐ We have corrected the following personal information in our records:
| Field | Previous Value | Corrected Value |
|---|---|---|
| [FIELD] | [OLD] | [NEW] |
☐ We have directed our service providers to update their records accordingly.
Correction Not Made
☐ After review, we have determined that the information in our records is accurate based on [EXPLANATION].
☐ We are unable to verify the accuracy of the correction you requested. If you have documentation supporting your correction request, please provide it and we will review.
If you have questions, please contact us at [PRIVACY CONTACT].
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
RESPONSE LETTER 5: REQUEST DENIAL
[COMPANY LETTERHEAD]
[DATE]
[REQUESTOR NAME]
[ADDRESS]
Re: Response to Your Privacy Rights Request
Request ID: [REQUEST ID]
Dear [REQUESTOR NAME]:
We have reviewed your request submitted on [DATE]. Unfortunately, we are unable to fulfill your request for the following reason(s):
Denial Reason:
☐ Identity Verification Failed
We were unable to verify your identity. We attempted to verify your identity using [METHODS] but could not match your information to our records.
☐ No Personal Information Found
We have searched our records and have no personal information about you.
☐ Exempt Information
The information you requested is exempt from disclosure because:
[SPECIFY EXEMPTION]
☐ Manifestly Unfounded or Excessive Request
Your request is [manifestly unfounded / excessive] because [EXPLANATION]. You may submit a new request in [TIMEFRAME].
☐ Legal Exception Applies
We are retaining this information because [SPECIFY LEGAL EXCEPTION].
☐ Other:
[EXPLANATION]
Your Right to Appeal
You have the right to appeal this decision. To appeal, please:
☐ Submit your appeal to [EMAIL/ADDRESS]
☐ Include your Request ID and the reason you believe the denial was incorrect
We will respond to your appeal within [45/60] days.
Contact the Attorney General
If you are not satisfied with our response to your appeal, you may contact the [STATE] Attorney General:
[ATTORNEY GENERAL CONTACT INFORMATION]
If you have questions, please contact us at [PRIVACY CONTACT].
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
PART G: INTERNAL DOCUMENTATION
Request Processing Notes
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
Exceptions Applied
| Exception | Justification | Data Retained |
|---|---|---|
Legal Consultation (If Applicable)
☐ Legal consultation required
☐ Legal consultation obtained
Legal Contact: _______________________________
Date: _______________________________
Guidance:
_______________________________________________________________________________
_______________________________________________________________________________
Final Status
☐ Request Fulfilled
☐ Request Partially Fulfilled
☐ Request Denied
☐ Request Withdrawn
Completed By: _______________________________
Date: _______________________________
Supervisor Review: _______________________________
Date: _______________________________
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
This template is for internal use. All completed forms and correspondence should be retained for 3 years per regulatory requirements.
About This Template
Jurisdiction-Specific
This template is drafted for general use across all U.S. jurisdictions. State-specific versions with local statutory references are also available.
How It's Made
Drafted using current statutory databases and legal standards for compliance regulatory. Each template includes proper legal citations, defined terms, and standard protective clauses.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: February 2026