Under the California Consumer Privacy Act (CCPA), consumers have the right to request access to their personal data from businesses through a Data Subject Access Request (DSAR). Let's look into the response procedure while staying compliant.
DSAR Considerations
A DSAR is a formal request made by a data subject to learn which personal information has been gathered and saved by a company. Another party may submit a DSAR on behalf of the data subject as long as consent is provided in the form of a written authorization letter or other supporting documents. The most common examples are requests by parents or legal guardians on behalf of their minor children, by relatives or friends, or by lawyers on behalf of their clients. Fulfilling these requests comes with certain risks. Here are some guidelines:
- Requests should be authenticated
- Ensure adherence to strict deadlines
- Automated data scanning can help with data duplication
- Avoid personal data sprawling by centralizing data in a secure area
- Avoid data leaks by encrypting consumer responses
- Track and record all activities for compliance validation
- Ensure that the information gets into the right hands
CCPA Requirements for DSAR Compliance
Anytime a customer, employee, or other person submits an access request, the business is required to disclose:
- The types of personal information collected
- The company's data collection purpose
- Which third parties the company shares the person's data with
- The sources from which the business collected personal data, if not directly
- The actual personal data collected
Before processing a data request, organizations must verify the user’s identity and maintain a log of all activities. After collecting the relevant data, companies must ensure that it meets DSAR standards without disclosing proprietary information or someone else’s personal information, and then transmit it securely. Otherwise, a data breach or leakage can cost $750 for each leaked record.
CCPA Timelines for DSARs
Businesses subject to CCPA must disclose and deliver the requested data within 45 days, with one extension allowed for up to 45 more days. Other important timelines include:
- Confirm receipt of the request within 10 business days
- Respond to opt-out requests within 15 business days
- Inform vendors to stop selling information within 90 business days
- Maintain a log of requests for at least 2 years
DSARs can be tricky when you're dealing with large amounts of data. To ensure they're legal and optimally streamlined, consider automating the process.
Conclusion
While compliance is of the utmost importance, there are DSAR exceptions you should know about, including security (e.g. keeping personal information to detect fraud) and legal compliance (e.g. keeping personal information because the law requests it). To navigate this complex landscape, consider partnering with a specialist solution like PieEye.
How DSARs Impact Your eCommerce Operations
When a customer submits a DSAR to your Shopify store, the request doesn't just affect your marketing team—it ripples across your entire business. Your customer service reps need to know they're receiving these requests. Your analytics team (running Google Analytics or similar tools) needs to understand which data points fall under the request. Your email marketing platform (Klaviyo, Omnisend, etc.) needs to be searchable and auditable.
The practical challenge: your customer data lives in multiple places. Order history in Shopify. Email preferences in your email service provider. Pixel data (Meta Pixel, Google Analytics) in third-party platforms. Abandoned cart information in your recovery tool. Customer notes scattered across support tickets. A DSAR requires you to pull data from all these sources, deduplicate it, and deliver it in a readable format—all within 45 days.
Your brand needs a documented process for this. Who receives the request first? How do you route it internally? Which team member verifies the customer's identity? How do you ensure the data you send doesn't accidentally include information belonging to other customers? Without a clear workflow, you risk missing deadlines or sending incomplete (or worse, incorrect) data—both of which trigger regulatory scrutiny.
Authenticating DSAR Requests Without Friction
Not every request claiming to be from a customer actually is. Authenticated requests protect you, but authentication also needs to work for your real customers.
If someone emails your support inbox saying "Send me my data," you need to verify they actually own that email address and have the right to that data. For parents requesting on behalf of minors, you need documentation proving guardianship. For lawyers requesting on behalf of clients, you need a signed power of attorney.
The catch: overly strict authentication frustrates legitimate customers. A customer who submits a DSAR through your website portal can be verified via login credentials they already have. That's simple. But a parent requesting data for their 14-year-old needs a different process—you'll likely need a birth certificate or custody papers, which takes longer and requires careful handling.
For eCommerce brands, a hybrid approach works best. Offer an easy self-service portal where logged-in customers can request their own data immediately. For requests from authorized representatives, build a secondary workflow that requires documented proof of authority before you start the clock. This respects legitimate requests while protecting against fraudulent ones.
Managing Third-Party Data Sharing Disclosures
Your DSAR response must include not just the data you collected, but also which third parties you shared it with. For eCommerce brands, this list is often longer than you'd expect.
When you run Facebook ads, Meta gets pixel data about your site visitors. When you use Google Analytics, Google receives behavioral data. Your payment processor (Stripe, PayPal, Square) has transaction details. Your shipping carrier knows addresses and order contents. Your review platform has customer names and purchase history. Your attribution tool tracks user journeys. Each of these is a "third party" under CCPA, and you must disclose them in every DSAR response.
The complexity compounds when you're unsure whether a vendor is actually a "third party" under CCPA or just a "service provider" (which has different disclosure rules). A DSAR forces you to audit your entire martech stack and vendor agreements. You should be asking: Do we have contracts that define how this vendor can use our customer data? Are we sharing identifiable information or just aggregated analytics? Do they combine our data with data from other sources?
Document these vendor relationships clearly—your DSAR fulfillment depends on it, and regulators scrutinize this section heavily.
The Cost of Slow or Incomplete DSAR Responses
Missing a DSAR deadline or sending incomplete data isn't a small slip-up. California's Attorney General can pursue enforcement, and individual consumers can file private lawsuits for statutory damages of $100 to $750 per consumer per incident.
For a mid-market eCommerce brand processing hundreds or thousands of DSARs per year, that exposure adds up fast. If you miss the 45-day deadline on ten requests, and customers sue, you're looking at potential liability ranging from $1,000 to $7,500 per missed request. If you send incomplete data (say, you forget to include data from your email platform), regulators may view that as non-compliance, not an honest mistake.
The financial incentive to get this right is strong. But so is the operational burden. You need clear documentation of when requests arrive, when you began processing, and what data sources you queried. You need to show you checked your work before sending it out. You need evidence that the customer actually received the data securely.
This is where many eCommerce brands realize they need help. Building these systems in-house—developing data mapping, automating queries across platforms, securing transmission—takes engineering time and ongoing maintenance. As your business scales and collects more data, DSARs become harder to manage manually.