Guides | March 28, 2026 | 12 min read

How to Respond to Consumer Privacy Data Requests: A Multi-State Compliance Guide

Consumer Data Requests Are Here — Is Your Business Ready?

With 20 US states now enforcing comprehensive privacy laws, consumer data requests have become a daily reality for businesses of all sizes. Whether it’s a California resident asking you to delete their data, a Colorado consumer requesting access to what you’ve collected, or a Texas individual opting out of data sales, your business needs a reliable process to handle these requests quickly and correctly.

Getting it wrong isn’t just an inconvenience — it can trigger enforcement actions. California’s CPPA fined Ford $375,703 in March 2026 specifically for adding unnecessary friction to the opt-out process. PlayOn Sports paid $1.1 million for mishandling student data opt-out rights. The message is clear: regulators are watching how you handle consumer requests.

This guide walks you through exactly how to build a consumer data request process that works across all 20+ state privacy laws.

What Types of Consumer Requests Must You Handle?

Most state privacy laws grant consumers a similar core set of rights, though the specifics vary. Here are the five request types your business should be prepared to handle:

1. Right to Access / Right to Know

Consumers can request confirmation of whether you process their personal data and obtain a copy of that data. Every state with a comprehensive privacy law includes this right. Under California’s CCPA, you must disclose the categories and specific pieces of personal information collected, the sources, the business purposes, and the categories of third parties with whom you share it.

2. Right to Delete

Consumers can ask you to delete the personal data you’ve collected about them. All 20 state laws include deletion rights, though exceptions vary. Common exceptions include data needed to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech.

3. Right to Correct

Most states (but notably not Iowa) give consumers the right to correct inaccurate personal data. Your correction process should verify the claimed inaccuracy before making changes, and you should inform any third parties you’ve shared the data with.

4. Right to Opt Out of Sale / Targeted Advertising / Profiling

This is the most enforcement-heavy area. States require businesses to honor opt-out requests for the sale of personal data, sharing for targeted advertising, and in many states, profiling that produces legal or similarly significant effects. Twelve states now also require recognition of universal opt-out mechanisms like Global Privacy Control (GPC).

5. Right to Data Portability

When consumers request a copy of their data, many states require you to provide it in a portable, readily usable format. Typically this means a structured, machine-readable format like CSV or JSON.

Response Timelines: State-by-State Comparison

One of the trickiest parts of multi-state compliance is managing different response deadlines. Here’s what you need to know:

| State | Initial Response | Extension | Total Maximum |
| --- | --- | --- | --- |
| California (CCPA/CPRA) | 45 days | +45 days | 90 days |
| Virginia (VCDPA) | 45 days | +45 days | 90 days |
| Colorado (CPA) | 45 days | +45 days | 90 days |
| Connecticut (CTDPA) | 45 days | +45 days | 90 days |
| Texas (TDPSA) | 45 days | +45 days | 90 days |
| Oregon (OCPA) | 45 days | +45 days | 90 days |
| Montana (MCDPA) | 45 days | +15 days | 60 days |
| Most other states | 45 days | +45 days | 90 days |

Pro tip: Build your process around a 30-day target. This gives you buffer before any state’s deadline hits and accounts for the time needed to verify identity and locate all data.

Step-by-Step: Building Your Consumer Request Process

Step 1: Provide Clear Request Channels

California requires at least two methods for submitting requests, including a toll-free phone number for businesses that collect personal information offline. Most other states require at least one clear method. Best practice is to offer a web form (most efficient for both parties), an email address, and a toll-free number if you operate in California.

Make your request mechanisms easy to find. The privacy policy should prominently link to them, and for opt-out requests, a clear “Do Not Sell My Personal Information” link should appear in the website footer.

Step 2: Verify the Requestor’s Identity

You must verify that the person making the request is who they claim to be — or is an authorized agent. Use commercially reasonable methods: matching known account information, sending a verification email, or asking for specific data points you already have on file. Critically, do not collect additional personal data solely for verification purposes, and do not add unnecessary friction. The Ford enforcement case showed that requiring email verification for opt-out requests was considered an illegal barrier.

Step 3: Acknowledge the Request

Send a confirmation within 10 business days (California requirement, good practice for all states). Your acknowledgment should confirm receipt, state the type of request, provide an expected completion date, and note any additional steps needed from the consumer.

Step 4: Locate and Process the Data

This is where a data inventory becomes essential. You need to search all systems where consumer data may reside: CRM databases, email marketing platforms, analytics tools, customer support logs, backup systems, and third-party processors. Notify any service providers or third parties you’ve shared the data with about deletion or correction requests.

Step 5: Respond to the Consumer

Your response must be free of charge (up to twice per year per consumer in California). For access requests, provide data in a portable format. For deletion requests, confirm what was deleted and note any exceptions applied. For opt-out requests, stop the relevant processing immediately and confirm compliance.

Step 6: Document Everything

Maintain records of every request received, verification steps taken, actions performed, and responses sent. California requires businesses to maintain these records for 24 months. This documentation is your first line of defense in an enforcement investigation.

Appeals Process

Several states (Colorado, Connecticut, Virginia, and others) require you to provide an appeals process when you deny a consumer request. The appeal must be reviewed within 45–60 days, and if denied again, you must inform the consumer how to contact the state Attorney General. Building this process proactively shows good faith and prevents escalation.

Multi-State Compliance Strategy

Rather than building separate processes for each state, adopt the most protective standard across all laws:

  • Offer all five request types to all consumers regardless of state — this is simpler than gating by location.
  • Use the shortest timeline as your target (aim for 30 days).
  • Honor GPC signals universally — it’s required in 12 states and expected to expand.
  • Provide an appeals process for all denials — even in states that don’t require it.
  • Document everything for at least 24 months.

Use our Privacy Law Calculator to determine which state laws apply to your business, then review the specific state-by-state comparison for any unique requirements.

Common Mistakes That Trigger Enforcement

  • Adding friction to opt-out — requiring account creation, multi-step verification, or repeated confirmations (Ford, $375K fine).
  • Ignoring GPC signals — failing to detect or honor the Sec-GPC header (multi-state enforcement sweep, 2026).
  • Not having a clear request method — burying the request form deep in your site or requiring calls only.
  • Slow or no response — missing the 45-day window entirely or failing to acknowledge receipt.
  • Over-collecting during verification — asking for more personal data than needed to confirm identity.
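
An added example, not code from the original article: one way a server could detect the Sec-GPC header mentioned above, apply the opt-out without any extra verification step, and record the change for the request log. The purpose names, the `subject_id` parameter and the audit-record fields are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Purposes switched off by the signal; these purpose names are assumptions.
GPC_PURPOSES = ("sale", "targeted_advertising")


def gpc_enabled(headers):
    """Return True only if the request carries Sec-GPC with the value "1"."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":      # header names are case-insensitive
            return value.strip() == "1"    # any other value is not a signal
    return False


def apply_gpc(headers, prefs, audit_log, subject_id, now=None):
    """Apply a GPC opt-out to prefs (purpose -> allowed) and record it.

    The signal is honored as received: no login, e-mail confirmation or
    extra personal data is asked for. A missing header changes nothing,
    so an earlier opt-out is never silently reversed.
    """
    if not gpc_enabled(headers):
        return dict(prefs)
    updated = dict(prefs)
    changed = [p for p in GPC_PURPOSES if updated.get(p, True)]
    for purpose in GPC_PURPOSES:
        updated[purpose] = False
    if changed:  # log once per state change, not on every page view
        audit_log.append({
            "subject": subject_id,          # hypothetical visitor/account id
            "event": "opt_out_via_gpc",
            "purposes": changed,
            "received_at": (now or datetime.now(timezone.utc)).isoformat(),
        })
    return updated


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    log = []
    prefs = {"sale": True, "targeted_advertising": True, "analytics": True}
    prefs = apply_gpc({"User-Agent": "x", "sec-gpc": "1"}, prefs, log, "visitor-123")
    prefs = apply_gpc({"User-Agent": "x"}, prefs, log, "visitor-123")
    print(prefs, len(log))
```
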

The Bottom Line

Consumer data requests are not going away — they’re accelerating. With 20 states now enforcing privacy laws and regulators actively fining businesses for request-handling failures, a robust DSAR process is no longer optional. The good news: by building one strong process using the most protective standards, you can cover all states simultaneously. Start with a data inventory, establish clear request channels, train your team, and document everything.

Check whether your business falls under these laws with our Privacy Law Calculator, and use our GPC Compliance Checker to verify your universal opt-out readiness.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.