9 Essential Tips for Businesses Responding to Consumer Privacy Requests
Would your organization know how to respond to a customer’s privacy request for access to (or deletion of) all personal data you’ve collected about them?
Editor’s Note: This is a guest blog contribution from Masha Komnenic, Director of Global Privacy at Termly. Masha shares her insights on how businesses and other organizations should respond to consumer data privacy requests in a compliant manner.
Data privacy laws and regulations give consumers certain rights regarding the privacy of their personal data. One such privacy control method is submitting a consumer privacy request (also known as a customer privacy request or a data subject access request [DSAR] under specific regulations) to any business that collects or uses their personal data.
Every business that collects or processes consumer data should have protocols in place for responding to consumers’ requests to exercise their privacy rights. This is crucial since many data privacy laws require you to respond to such requests promptly.
In this guide, I explain what rights your users might have over their personal information and how you can respond to a customer privacy request in a secure, compliant, and efficient manner.
Let’s hash it out.
TL;DR: A Skimmer’s Guide to Consumer Privacy Requests
Don’t have time to read an entire article about responding to a customer privacy request?
- Tips for responding to a consumer privacy request
- Ways to receive data subject access requests
- Examples of common data privacy laws and regulations
- An overview of consumer privacy rights
9 Tips for Responding to a Consumer Privacy Request
Here are nine simple tips your business can follow when responding to a data subject access request.
Tip 1: Recognize the Type of Customer Privacy Request
When a consumer makes a privacy request, your business must recognize what type of request they’re submitting; this way, you know how to properly respond.
Common types of requests include:
- Access requests: When a consumer asks for all details your business has collected about them, this is an access request. Your business should have a process to retrieve this information safely and securely. For example, you can send them encrypted files of their data via a secure email or an access link or implement multi-factor authentication (MFA) where legally appropriate.
- Correction requests: If a consumer wants to correct or amend the information you have on them, this is known as a correction request. Your business must have a process in place for amending personal data.
- Deletion requests: Some consumers might request to be “forgotten” or ask you to delete or erase their personal data. Your business should have a protocol for safely and securely deleting user data.
- Opt-out requests: Opt-out rights vary by law, but individuals often have the right to opt out of targeted advertising and the selling of their data. Businesses typically use consent banners to comply with this portion of privacy laws.
Here’s a quick example of one such data privacy tool: the cookie consent popup banner used on TheSSLstore.com, which links to the site’s privacy policy:

You should establish formal processes for responding to each type of customer privacy request and train the relevant members of your team on how to approach each type of request.
Include this information in your website’s privacy policy so your users are aware of what they need to do to submit one of these requests. You can use a reputable website privacy policy generator to help easily make one of these clauses for your policy.
Tip 2: Establish Who Should Respond to the Data Subject Access Request
Ensure you know who on your team is responsible for fulfilling customer privacy requests by creating a formal procedure.
Under laws like the European Union’s General Data Protection Regulation (GDPR), you must appoint a data protection officer who might handle this for you. Otherwise, you can pick someone on your team or hire someone who is impartial and knowledgeable about data privacy compliance.
Consumers might submit privacy requests through unplanned email channels or text support messages, and several privacy laws still require you to honor and fulfill them.
At the very least, everyone within your organization should know who to forward these requests to if one should cross their path. To ensure this, make compliance part of all employees’ mandatory training. This is essential because consumers can submit these requests through any channel they desire. Your business must respond to these requests within the legally required timeline, or else you can be fined for violating the law.
Pro tip: Here’s an example of a Right to Erasure Request Form you can use to craft responses for GDPR data subject access requests.
Tip 3: Consider the Timing of the Responses
The timing of your response matters, so make sure you’re prepared to respond to consumer privacy requests as quickly as possible.
Privacy laws require you to respond to these requests as soon as reasonably possible, and some have strict timelines. For example, the GDPR requires you to respond within one month, and the CCPA requires you to respond within 15 or 45 days, depending on the type of consumer privacy request.
Your business should immediately respond to the initial request with a simple confirmation email or message confirming you’ve received the request and providing details about the next steps the consumer can expect.
Tip 4: Verify the Consumer’s Identity Before Sharing Information

Privacy laws require businesses to verify the requester’s identity to prevent unauthorized people from accessing personal data that doesn’t belong to them. As such, your business must have methods in place for verifying the identity of consumers who submit consumer access requests to follow through on their privacy rights.
For example, you can ask the individual to verify or confirm information you already have about them. However, you should not ask them for more personal details, as this is explicitly not allowed under several privacy laws like the GDPR and Brazil’s LGPD.
Depending on the specific law or regulation, data privacy related requests can be made in writing (via physical mail or electronic means) or orally (provided you verify the requestor’s identity through other means).
Tip 5: What to Include in Your Response
When responding to a customer privacy request, make sure you include the following details:
- Directly address the request of the consumer in a simple, straightforward manner.
- Explain the steps you’re taking to fulfill their request.
- Give a timeline for when they can expect their request to be completed.
- If you cannot fulfill the request, explain the situation in an honest, up-front manner.
- Explain how the consumer can appeal against your decision, should they desire to.
Your response should be easy to read and provided to the consumer for free unless otherwise allowed by law. An example of a response could look as follows; however, the specifics are up to you and depend on which privacy law applies:
Dear [CONSUMER],
This email confirms that we have received your privacy request. We have identified this request as a privacy request under the [APPLICABLE LAW]. You will hear back from us with more information within the next __ to __ business days. Please reach out to _____ in the meantime if you have any questions. Understand that under [APPLICABLE PRIVACY LAW] you have the right to appeal our decision based on your request, which you can do any time by responding to this email or [submitting a form at this secure link].
Thank you,
[BUSINESS NAME]
Tip 6: Enable the Consumer to Securely Access Their Personal Data
Not all consumer privacy requests involve asking businesses to delete their private data. Some requests are from consumers who want either electronic or physical access to it. Under the European Union’s General Data Protection Regulation (GDPR), businesses can provide access using a secure electronic system or physical delivery method. For example:
- Send the consumer their encrypted data using a secure, SSL/TLS encrypted access link. (You can do this by installing a website security certificate on your server.) Separately email or physically mail a secret (i.e., a passcode, PIN, or other unique input) that can be used to access the data to a verified address.
- Use a physical courier or other special delivery service that will verify the identity of the recipient and require them to provide a signature before handing over the documentation or an encrypted CD. If the latter, you can provide the decryption key or passcode separately.
Tip 7: Have a Plan for Deleting Data
Because several laws give consumers the right to request to have their data deleted, you should have a formal plan in place for successfully doing so in a timely manner. This includes communicating with any third parties (vendors, partners, etc.) that you may have shared the information with.
For example, you might implement the following data deletion and erasure methods:
- Physical destruction: Permanently destroying the storage device is the most secure method because it becomes unusable.
- Shredding: Shredding physical documents is important because privacy laws apply to physical copies of data as well as digital copies.
- Degaussing: This method relies on demagnetization to remove data from hard drives or tape media.
- Cryptographic erasure: This traditionally refers to encrypting data and wiping the encryption key to prevent access. However, this may not always be the best method as encryption is a two-way process that’s designed to be reversed (which could be problematic down the road when quantum computers become common). An alternative approach is to cryptographically hash the data instead before erasing it, as this one-way hash function makes recovering the data infeasible.
Ensure you’re storing data securely, allowing you to adequately delete consumer information without putting it at risk. The way you do this is up to your business, as privacy laws do not provide requirements for how you should delete data.
Some third-party vendors can help with data storage and deletion. However, you must vet them and sign legally compliant contracts with them to ensure they adequately follow all applicable privacy laws that impact you and the data you’re sharing with them.
It’s also important you know where all data you collect gets stored, like databases, backups, or through third-party service providers. This helps ensure you properly delete the data in all of its available formats.
Tip 8: Keep Detailed Records of the Process
As you respond to customer privacy requests, track every action you take and log all interactions. The way you log this information and who is responsible for doing so is up to your business, and you should keep the logs for at least a year.
Make sure your archive includes details about
- how and when you received the request,
- the steps taken to verify the requester’s identity,
- which additional third party (or parties) were notified in personal data deletion requests (if the data had been shared with third-party service providers or contractors), and
- how the issue was resolved.
Maintaining this documentation with the information mentioned in this section can help if the customer follows up with additional questions or if your business is ever subject to a privacy audit.
Tip 9: Make Data Security a Top Priority Within Your Organization

It’s essential that you keep data safe and secure at all times, especially when receiving and fulfilling a customer privacy request. Be sure to provide a TLS-secured channel that people can use to submit their electronic consumer privacy requests. Using an HTTPS connection protects data in transit against interception by man-in-the-middle (MitM) attacks.
Limit who has access to data, which includes limiting who fulfills privacy requests from your consumers. In other words, don’t let everyone on your team have access to personal data your business relies on. Only select individuals who must access the data for the purpose of their roles should be able to see and use it.
You should also never reveal or access data from another person while fulfilling a privacy request — doing so violates several privacy laws.
Finally, ensure your entire team is trained to understand the importance of customer privacy so they know how to handle these requests correctly.
Methods for Receiving Customer Privacy Requests
Your business should add one or more of the following consumer privacy request submission methods to your website to help your consumers easily submit requests to follow through on their privacy rights:
- Data Subject Access Request form: A DSAR form is a simple form you can add to your site so users can submit a request to follow through on their rights.
- Dedicated email address: Some laws require businesses to provide consumers with a working email address for submitting privacy requests.
- Browser settings: Some U.S. privacy laws require you to honor universal opt-out mechanisms like Global Privacy Control (GPC) as a verifiable request from users to opt out of data sharing or targeted advertising.
- Physical address: You can provide a physical mailing address for consumers to submit privacy requests. Be sure to respond to physical mail on time, or you risk violating privacy laws.
- Other types of requests: Some laws allow users to submit privacy requests in any way they choose, so be prepared to receive requests through unpredictable avenues, like telephone calls, email addresses, or customer support channels.
Having different avenues on your website for users to submit privacy requests makes it easier for your business to keep track of these inquiries. It also makes it more convenient for the consumer because they’ll know how to reach you if they have questions, comments, or concerns about their data privacy.
Examples of Common Data Privacy Laws and Regulations
We’ve covered how to respond to privacy requests, so now, let’s examine why this is such an important process for businesses to establish in the first place.
Several different privacy laws exist around the world (some of which we covered at the beginning of the article), and it’s likely that one or more of the following regulations impact your business:
- General Data Protection Regulation (GDPR)
- Australia’s Privacy Act
- Brazil’s General Personal Data Protection Law (LGPD)
- California Consumer Privacy Act (CCPA)
- New Zealand Privacy Act
- South Africa’s Protection of Personal Information Act (POPIA)
These laws give individuals different rights over how external entities collect, share, and use their personal information and outline specific guidelines for submitting requests to follow through on these rights.
For example, some laws require entities to provide users with a working email address, while others require an online form or other mechanism to be available. Some set format or communication channel requirements while others don’t.
Most laws also explain that the request from the consumer must be reasonable, and the business’s response should be free of charge, once every 12 months. Some laws state that “unfounded” or “excessive” requests may result in a “reasonable fee” to cover any administrative costs.
The entity must also be able to verify the consumer’s identity without requesting additional personal information from them, and you cannot compromise anyone else’s privacy rights when fulfilling a request.
What Privacy Rights Do Consumers Have?
The specific rights your users have depend on what privacy law protects them and their data. However, here’s a summary of some of the most common rights granted by privacy laws.
The Right to Know
Nearly every privacy law gives people the right to know what data an entity collects about them.
You must typically present this to them in a readable, reasonable, and accessible format as part of your website’s privacy policy.
The Right to Access Personal Data
Privacy laws typically give users the right to access all information an entity has collected about them upon reasonable request. In other words, they can request a copy of all information a company has collected about them.
Some laws make exceptions and only require this as long as gathering the information is technically feasible.
The Right to Data Portability
Many privacy laws give individuals the right to access a portable copy of the data a company has collected about them.
Portability refers to the ability to move the information in its existing format from one service provider to another without affecting the contents of it. This differs from data access requests because the copy must be in a portable format, making it easy to share the information with another entity or company. The purpose of this right is to help make it easier when consumers decide to switch insurance carriers, cell phone companies, or other heavily data-driven services.
The Right to Correct/Amend
Laws like the GDPR and U.S. data privacy laws often give users the right to request to have their information corrected or amended by an entity.
The entity typically must honor this request so long as amending the data is reasonable or technically feasible.
The Right to Delete/Be Forgotten
Most privacy laws give individuals the right to request to have their data deleted or erased by an entity.
Under the GDPR, this is known as the right to be forgotten. However, some U.S. state-level laws exclude this right, like Utah and Texas.
Right to Pursue Private Action
In the U.S., the CCPA gives individuals the right to private action if an entity violates the law and their data falls victim to a breach or unauthorized access. However, not all U.S. data privacy laws afford the right to private action.
Opt-Out of Data Selling
Many privacy laws allow people to opt out of having their data sold to third parties.
The definition of “selling” varies by law, and this is a common addition in many U.S. state-level privacy laws.
Opt-Out of Data Sharing
It’s also common for privacy laws to give people the right to opt out of having their data shared with third parties — though it’s slightly less common than selling.
The definition of “share” varies by privacy law, and it encompasses more than the simple exchange of money or other high-value items.
Opt-Out of Targeted Advertising
Most (though not all) U.S. state-level privacy laws give individuals the right to opt out of targeted advertising.
Individuals must be allowed to opt out, and this right must be explained to them in a reasonable privacy notice.
Opt-Out of Profiling
Most U.S. state-level privacy laws also give people the right to opt out of profiling made by automated systems that may significantly impact them professionally, legally, or personally.
Non-Discrimination
Many U.S. data privacy laws (e.g., CCPA and Texas’s data privacy law [TDPSA]) give consumers the right to non-discrimination over their personal data, building equity and fairness into privacy law.
Final Thoughts on Handling Consumer Privacy Requests
Responding to a customer privacy request doesn’t have to be complicated — it’s all about being organized, responsive, timely, and transparent throughout the process.
Establish different protocols for your team and train every member of your organization to follow them. Outlining clear steps makes resolving privacy requests easier, more efficient, and legally compliant.
By following these consumer privacy request-related tips I covered above, you can comply with applicable privacy laws and show your customers you respect their privacy and value their trust.