In the realm of data privacy, the Data Subject Access Request (DSAR) is a key element that eCommerce directors must understand and manage effectively. As an authority on data privacy compliance, I'll guide you through the intricacies of DSARs, their implications for your eCommerce business, and how to handle them in compliance with data privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Understanding DSARs Consumers make a Data Subject Access Request (DSAR) to access the personal data or information that an organization has collected about them. It's a fundamental right under data privacy laws like the GDPR and CCPA, allowing individuals to exercise control over their personal data. What Does a DSAR Cover? A DSAR can include requests for copies of personal data, including data about minors if the request comes from their parents or legal guardians. The request must come directly from the data subject, unless they have authorized another person to submit it. You can receive DSARs through various channels, including email, phone, post, or social media. DSARs under GDPR and CCPA Both the GDPR and CCPA provide for DSARs, though the specifics vary. The GDPR↗ applies to any organization that collects and processes the personal data of people in the EU, regardless of its location. It grants data subjects the right to access their personal data collected by an organization and to request a copy of it. The CCPA↗, on the other hand, applies to for-profit entities doing business in California that meet certain criteria. Like the GDPR, it grants consumers the right to access personal information that organizations have collected about them. Responding to a DSAR Upon receiving a DSAR, an organization must verify the request and make necessary arrangements for the data subjects to access the information. The response time depends on the applicable data privacy law. Under GDPR, organizations must respond within a month of receiving the request, while under CCPA, the response time is 45 days from the day of receiving the request. Can You Refuse a DSAR? Under certain circumstances, you can refuse to comply with a DSAR. In GDPR, for example, you can refuse a request if it is manifestly unfounded or excessive, or if sharing the requested information interferes with the rights and freedom of other data subjects. However, Under CCPA, you can refuse if you cannot verify the identity of the data subject or if the requested information falls under certain categories. Charging a Fee for DSAR You can only charge fees for a DSAR if the request is manifestly unfounded or excessive. Any fees charged must only cover the cost of collecting the relevant information and should not constitute a profit for your organization. How to Respond to a DSAR There isn't a specific format to respond to a DSAR. However, the major steps you can follow include: - Data Request Verification: Verify the data access request to ensure it is lawfully abiding and does not interfere with the rights and freedom of others.
- Identity Verification: Verify the identity of the data subject to prevent unauthorized access to someone else's information.
- Data Verification: Verify the requested data to determine if you need to proceed with the request.
- Send Data: After all the verification steps, gather the requested data and share it with the data subjects in an easy-to-understand format. In conclusion, understanding and effectively managing DSARs is crucial for eCommerce directors to ensure compliance with data privacy laws and to maintain the trust of their customers. Remember, this post is for informational purposes only and is not a substitute for legal advice. If you require legal assistance, please contact an attorney.
DSAR Requests and Your Shopify/BigCommerce Customer Data
Your eCommerce platform is a goldmine of customer information. When someone files a DSAR, you need to know exactly where their data lives across your tech stack.
On Shopify, customer data lives in several places: your customer profile (email, name, phone, addresses), order history, cart abandonment records, and any custom fields you've added. BigCommerce stores similar data plus subscription information if you sell recurring products. But here's the catch — your platform only holds part of what you've collected about them.
You also need to pull data from third-party apps connected to your store. If you use Klaviyo for email marketing, their database has behavioral data, email engagement history, and segmentation tags tied to that customer. Google Analytics holds their browsing behavior. Meta Pixel tracks cross-site activity for ad targeting. Gorgias might have support tickets. Yotpo might have review history and feedback.
When you receive a DSAR, you must gather data from all these sources, not just your Shopify dashboard. This is where most eCommerce brands fall short. You need a documented process that identifies every tool in your stack and who owns pulling data from each one.
Create an internal spreadsheet listing all your vendors: payment processors, email platforms, chat tools, review sites, loyalty programs, analytics services. Assign one person responsibility for requesting data exports from each vendor. Some services (like Klaviyo) make this easy; others require manual exports or support tickets.
Build this process before you get a DSAR. When the 30-45 day clock starts ticking, scrambling to figure out where data lives wastes precious time. Document your data flow once during an audit, then execute the same process for every request that comes in.
Common Reasons Brands Fail DSAR Compliance
The most frequent mistake isn't refusal to comply — it's incomplete compliance. You respond with data from your Shopify store but forget about the behavioral data Google Analytics captured, or the email engagement metrics in your marketing platform.
Another common failure: responding in an unusable format. The law says you must provide data in "an accessible, commonly used, machine-readable format." A PDF of screenshots doesn't cut it. You need structured data like CSV or JSON files. If a customer imported 500 purchases into your store and you respond with a 50-page PDF, they can't easily analyze it — and you haven't truly complied.
Identity verification done poorly also trips up brands. If you ask for "proof of identity" but accept any ID without matching it to customer records, someone could fraudulently access another person's data. Conversely, asking for excessive verification documentation beyond what's reasonable can violate the law itself.
Finally, timing failures happen when you don't track your DSAR deadline. You receive a request via email support on day one but the ticket doesn't get flagged as time-sensitive. By the time it reaches the right person, you're already at day 35 of your 45-day window.
Automating DSAR Workflows to Stay Compliant
Handling DSARs manually leaves room for error, especially as your customer base grows. Automation doesn't mean replacing human judgment — it means creating a repeatable system that catches nothing.
An effective workflow starts with a dedicated intake point. Don't let DSAR requests get lost in general customer support email. Create a specific email address (dsar@yourstore.com) or form on your website where customers know to submit requests. This makes tracking and deadline management much cleaner.
Once a request comes in, immediately log it with the received date, requester email, and deadline. This becomes your source of truth. Any automated system should calculate the deadline automatically (30 days for GDPR, 45 days for CCPA) and flag it when you're approaching day 20.
Next, automate the data gathering workflow. You can use Zapier or Make (formerly Integromat) to trigger exports from certain platforms automatically, or at minimum send reminders to team members who own specific systems. If you use Shopify, pull customer data via their API into a central location. Then aggregate everything into one file before sending to the customer.
Document every step: who received the request, what identity verification was performed, what data sources were queried, when the response was sent. This audit trail protects you if someone later claims you didn't respond or responded inadequately.
The goal is consistency. Every DSAR should follow the same steps in the same order with the same verification standards. That consistency also makes you faster — your third DSAR takes half the time of your first.
Building Your DSAR Response Template
Not every DSAR is identical, but your process should be. Create a standardized response template that you customize for each request.
Your template should include: confirmation that you received the request and the date received, the deadline by which you'll respond, what identity verification you're requesting, what data categories you'll include (customer profile, orders, communications, browsing history, etc.), and the format you'll provide (CSV, JSON, or downloadable zip file).
This transparency builds trust. The customer knows exactly what to expect and when. It also protects you — if they later dispute that you didn't send something, you have documented what you said you would send.
In your response, organize data by category rather than dumping everything in one massive file. One file for order history. Another for email interactions. A third for account profile data. This makes it easier for customers to understand and use their own information, and it demonstrates you took the request seriously.
Make sure your template includes a note that you've responded in compliance with applicable laws and that they can contact you with questions. This small detail shows professionalism and gives you a chance to clarify if they misunderstand something.
Handling DSARs at scale requires systems and documentation, not heroic manual effort. As your brand grows and customer requests increase, you'll need visibility into all the data you collect, where it lives, and how quickly you can assemble it. The difference between compliance and violation often comes down to whether you have a process or whether you're improvising.