Decoding Data Subject Rights in the US: Everything Organizations Must Know
Quick Insights:
Data Subject Rights (DSRs) in the US are primarily governed by state privacy laws, including the CCPA/CPRA, the VCDPA, and the CPA. These rights give consumers greater control over their personal data. For organizations, DSR compliance is not only a legal responsibility but also an operational requirement. Companies need strong data mapping, clear DSR workflows, automation, and the ability to meet strict response timeline. For CIPP/US learners, it is important to understand the core consumer rights and the key differences between major state privacy laws. Organizations that handle DSR compliance proactively can build customer trust and avoid penalties, while those that ignore it risk both regulatory action and reputational damage.
A customer may not complain or escalate an issue. They may simply ask, “What personal data do you have about me, and can you delete it?” At first, this request may seem simple, but inside an organization, it can quickly create confusion. Legal teams may need to interpret the company’s obligations, IT teams may struggle to locate where the data is stored, and compliance teams may race to meet regulatory deadlines.

In 2026, this type of request is no longer unusual. It has become a regular operational expectation for organizations that collect and process personal data. Data Subject Rights have moved beyond legal language and now represent real-time accountability. Every request tests an organization’s data visibility, internal processes, and overall compliance maturity.
Organizations that fail to manage these requests properly do not only face the risk of fines. They also risk losing customer trust. On the other hand, organizations that handle DSRs effectively can turn privacy compliance into a competitive advantage. This is why understanding Data Subject Rights in the US is essential, especially for professionals preparing for the IAPP CIPP/US Certification.
What Are Data Subject Rights in the US?
Data Subject Rights (DSRs) are the rights granted to individuals (consumers) regarding their personal data. In the U.S., these rights are primarily governed by state-level privacy laws, not a single federal regulation.
Core Consumer Privacy Rights”
Most laws share a common foundation:

1. Right to Know (Access)
Consumers can request:
- What personal data is collected
- Sources of that data
- Purpose of processing
- Third parties the data is shared with
Real-world example:
A user asks: “What information do you have about me?”
Your organization must:
- Pull data from CRM, marketing tools, support systems, and analytics platforms
- Provide a clear, structured response
2. Right to Delete
Consumers can:
- Request deletion of personal data
- With some legal/operational exceptions
Real-world example:
A customer closes their account and says, “Delete everything you have about me.”
3. Right to Opt-Out (Sale/Sharing)
Consumers can:
- Opt out of selling or sharing personal data
- Restrict targeted advertising
Real-world example:
A user clicks: “Do Not Sell or Share My Personal Information.”
4. Right to Correct
Consumers can:
- Request correction of inaccurate personal data
Real-world example:
A user updates:
- Wrong address
- Incorrect name spelling
- Outdated contact details
5. Right to Data Portability
Consumers can:
- Request their data in a portable, usable format
Real-world example:
A user wants to: Move data from one platform to another
6. Right to Non-Discrimination
Consumers should not be penalized for:
- Exercising their privacy rights
Real-world example:
- Denying service
- Charging higher prices unfairly
Key State-Level Laws You Must Know
1. California – CCPA / CPRA
Key Highlights:
- Most mature privacy law in the US
- Introduced Right to Opt-Out of Sale
- CPRA added:
- Right to Correct
- Right to Limit Use
- Disclosure of Sensitive Personal Information
- Risk assessment and cybersecurity audit requirements for certain businesses under CPPA regulations effective January 1, 2026
2. Virginia – VCDPA
Key Highlights:
- Focus on data processing transparency
- Requires Data Protection Assessments (DPIA-like)
- Strong opt-out provisions
- Requires controllers to respond to consumer rights requests within 45 days, with one possible 45-day extension when reasonably necessary
3. Colorado – CPA
Key Highlights:
- Universal opt-out mechanism
- Emphasis on profiling and automated decision-making
- Strong consumer rights enforcement
- Requires data protection assessments for processing activities that present a heightened risk of harm, including targeted advertising, profiling, sale of personal data, and sensitive data processing
4. Other Emerging States (Quick Mention)
- Connecticut (CTDPA)
- Utah (UCPA)
- Texas, Florida (recent expansions)
Key Differences Across US State Privacy Laws
| Feature | CCPA/CPRA (California) | VCDPA (Virginia) | CPA (Colorado) |
| Opt-Out of Sale | Yes | Yes | Yes |
| Right to Correct | Yes | Yes | Yes |
| Sensitive Data Controls | Strong | Moderate | Strong |
| Data Protection Assessments | Required for certain high-risk processing activities under newer CPPA regulations | Required | Required |
| Enforcement | Attorney General + CPPA | Attorney General | Attorney General + District Attorneys |
How Organizations Should Implement DSR Compliance
This is where most companies struggle. Understanding rights is easy, but operationalizing them is the real challenge.
1. Build a Data Discovery and Mapping Framework
You must know:
- What data you collect
- Where it is stored
- Who has access
Without this, DSR compliance is impossible.
2. Update Privacy Policies and Notices
Ensure:
- Clear explanation of rights
- Transparent data usage
- Easy instructions for submitting requests
- Clear instructions for opt-out, correction, deletion, access, portability, and limitation of sensitive personal information where applicable
3. Create a DSR Request Workflow
Your process should include:
- Identity verification
- Request logging
- Internal routing
- Response tracking
- Appeal handling, where required by state law
- State-specific routing rules because timelines and rights can vary by law
4. Define Timelines and SLAs
Most major US state privacy laws require organizations to respond to verified consumer requests within 45 days. Some laws allow an additional 45-day extension when reasonably necessary, provided the consumer is notified within the original response period. California opt-out requests must be handled as soon as feasibly possible and no later than 15 business days.
Delays = Compliance risk
5. Automate Where Possible
Use tools for:
- Request tracking
- Data retrieval
- Audit logs
- Identity verification support
- Deadline monitoring
- State-law-specific workflow automation
Manual processes don’t scale.
6. Maintain Audit and Documentation
Always document:
- Requests received
- Actions taken
- Response timelines
- Reasons for denial, if a request is rejected
- Extensions, appeal decisions, and legal exceptions applied
Critical for audits and legal defense
Common Mistakes Organizations Make
- Treating DSRs as one-time compliance tasks
- Lack of data visibility
- No standardized workflow
- Ignoring state-specific nuances
- Using one generic process for every state without checking legal differences
- Missing shorter opt-out deadlines
- Failing to document exceptions, denials, and appeal outcomes
These gaps often lead to non-compliance penalties.
In Conclusion
Data Subject Rights represent a major shift in power from organizations to consumers. In 2026 and beyond, organizations that only react to privacy requests will struggle to keep up with regulatory expectations and customer demands.
However, organizations that prepare proactively will be better positioned to manage compliance, protect consumer rights, and build long-term trust. The real difference lies in having the right systems, processes, and awareness in place. DSR compliance is not only about avoiding penalties; it is also about creating transparency, strengthening customer confidence, and supporting long-term business resilience.
Master US Privacy Laws with InfosecTrain’s CIPP/US Certification Training
Take the Next Step in Your Privacy Career
Understanding Data Subject Rights is a critical skill for modern organizations. Enroll in InfosecTrain’s IAPP CIPP/US Certification Training course to develop the expertise and hands-on skills needed to interpret, implement, and effectively manage US privacy laws. With InfosecTrain, you don’t just prepare for an exam, you build real-world privacy expertise:
- Comprehensive coverage of US privacy laws
- Hands-on, practical learning approach
- Expert-led training sessions
- Exam-focused preparation strategy
- Career-focused outcomes
Frequently Asked Questions
What are Data Subject Rights in the US?
Data Subject Rights in the US allow consumers to access, delete, correct, and control how their personal data is used under state privacy laws.
How do organizations handle Data Subject Requests (DSRs)?
Organizations manage DSRs through identity verification, request tracking, data retrieval, and timely response processes.
What is the difference between CCPA, VCDPA, and CPA?
CCPA focuses on data sales opt-out, VCDPA emphasizes processing transparency, and CPA includes strong profiling and opt-out provisions.
What tools help with DSR compliance?
Tools that support DSR compliance include data discovery and mapping tools, privacy management platforms, workflow automation systems, and audit tracking solutions.
What are common mistakes in DSR compliance?
Common mistakes include poor data visibility, manual processes, missed deadlines, and a lack of documentation.
