Data Subject Access Requests (DSARs): Mastering the Fulfillment Process
This article walks you through the real-world steps, tools, and tips for handling DSARs smoothly and staying compliant.
Introduction to Data Subject Access Requests (DSARs)
A few years ago, hardly anyone asked what data companies had on them. Now? People are writing in and saying, “Hey—what do you actually know about me?”
You might not like it, but yeah—they have every right to ask. GDPR in Europe, CCPA in California—those laws give them the green light.
What they really want is everything: the data you’ve collected, the reason you took it, and whether anyone else got a look.
And honestly? That info’s probably scattered across tools you forgot you even used. CRMs, analytics dashboards, email platforms... it adds up.
The laws don’t all work the same way:
- GDPR gives you about 30 days to reply.
- CCPA/CPRA makes you spell out what types of data you collect and who you send it to.
- Other laws like Brazil’s LGPD and Canada’s PIPEDA follow similar logic, but the details are different.
People tend to file DSARs when something hits the news—like a breach, or a big scandal around data misuse. And they’re serious about it.
Blow it off, and you’re not just risking a fine. You’re losing trust—and let’s be real, once that’s gone, it’s hard to fix.
DSARs Legal Framework
Once a DSAR lands in your inbox, the countdown begins—and you don’t have unlimited time to sort it out.
The moment a request comes in, expectations shift from “if” to “how.” Most privacy laws set strict response windows, and they’re not suggestions—they’re deadlines with teeth.
Under GDPR, you may qualify for an extension if the request is unusually complex, but only if you communicate clearly before the first month is up. U.S. state laws, like California’s CPRA and others in Colorado or Virginia, offer similar flexibility.
Still, the burden is on your organization to justify the delay and notify the requester in advance. Regulators tend to look for three things:
- Did you acknowledge the request quickly?
- If there was a delay, did you explain it in writing?
- Was the final response complete and on time?
Failing on any of those points can get expensive. In the EU, penalties can climb into the millions. In the U.S., states are starting to take a more aggressive stance—especially as new enforcement bodies take shape.
Under GDPR, fines can reach €20 million, or 4% of your company’s global annual revenue—whichever is higher.
CCPA/CPRA violations can cost you $2,500 per violation, or $7,500 if the violation is intentional or involves a minor.
And increasingly, it’s not just about legal exposure. Agencies are publishing case summaries, naming violators, and showing the public what non-compliance looks like. One missed deadline might not trigger a fine—but it could trigger headlines.
Bottom line: if you’re relying on a slow or manual process to respond, don’t wait for a DSAR to expose the cracks. Fix it while you still have breathing room.
Leveraging CMPs for DSAR Readiness
Most people think of a CMP as just a Cookie Banner solution. But when it comes to responding to a data subject access request, the information collected through that banner can be a useful starting point—especially for websites that handle a high volume of visitors.
If you're using CookieScript, you've already got tools that help you keep track of what data was collected, when, and under what conditions.
In Spring 2025, CookieScript received its fourth consecutive G2 badge as the Best Consent Management Platform.
The platform is also recognized as a Google-certified CMP in the Gold tier, highlighting its compliance with the latest consent management requirements.
Using Consent Records to Support a DSAR
When someone asks to see the data you've collected about them, it's not always clear where to begin.
CookieScript makes that first step easier. It logs consent events with timestamps, categories, and a unique ID for each visitor session. That alone helps you:
- Confirm whether data was collected legally
- Narrow down the window you need to investigate
- Export consent history to include in your response or internal documentation
This isn’t just about convenience—it’s part of what regulations expect from you. Under GDPR and other frameworks, being able to demonstrate when and how you collected data is a core requirement.
Finding the Right Data, Faster
Consent logs won’t show you everything, but they can help you avoid chasing the wrong leads. If you know when a user gave permission—or withdrew it—you can match that to other systems like CRMs or analytics tools.
Several other features from CookieScript come into play here:
- Automatic script blocking makes sure no tracking happens without consent, helping separate compliant data from everything else.
- Third-party cookie blocking helps prevent the collection of data you can’t trace—avoiding the kind of “we don’t know” answer that regulators don’t want to hear.
- Monthly scans keep your list of third-party scripts and cookies up to date, which matters when you're asked who else may have received personal data.
Documenting Your Process
Being able to respond is one thing. Being able to prove that you responded properly is another. CookieScript lets you download consent records and generate reports that show exactly when each user gave or declined consent, what categories they accepted, and whether they made changes later on.
This kind of reporting is especially useful when:
- You’re running internal privacy audits
- A regulator asks for documentation
- You need to show a full history of user choices tied to a DSAR
It won’t replace a full DSAR management system, but it gives you traceable, timestamped records that are easy to organize and store.
Extra Tools That Support Broader Compliance
Some features in CookieScript don’t directly help with DSARs but still support your overall data protection efforts:
- Geo targeting ensures you’re collecting consent in a way that matches local regulations.
- Support for Google Consent Mode v2 and IAB TCF 2.2 helps with alignment with ad platforms and programmatic advertising compliance.
- Self-hosted code can be helpful if you want to avoid external scripts on privacy-sensitive projects.
- 42 supported languages make it easier to reach global users.
- Privacy Policy Generator helps you create legal notices that stay in sync with your data practices.
- Cookie Banner sharing is more about deployment convenience than DSAR handling, but it’s nice to have if you're managing multiple sites.
In short, CookieScript gives you more than just a banner. If you're already using it, you’ve got a solid foundation to handle DSARs faster, with less guesswork—and with the kind of transparency regulators expect to see.
In Conclusion
If you haven’t run through your DSAR process recently, it’s probably overdue. Think of it like checking your smoke alarm—it’s one of those things you’ll wish you’d done before something goes wrong. Better to work out the kinks now than scramble when a real request shows up.
Frequently Asked Questions
What is a DSAR?
A DSAR (Data Subject Access Request) is a formal request from an individual to access the personal data your organization holds about them. CookieScript can help by logging consent details that serve as a starting point when fulfilling such requests.
Who can submit a DSAR?
Anyone whose data you’ve collected—customers, users, even employees—can submit a DSAR under laws like GDPR and CPRA. CookieScript helps you verify consent history linked to specific sessions or users.
How quickly do I need to respond to a DSAR?
Under GDPR, you have 30 days. Under CPRA and similar U.S. laws, it’s 45 days. CookieScript can reduce turnaround time by organizing consent records and making them easy to export.
What should be included in a DSAR response?
You need to provide the data collected, why it was collected, and who it was shared with. CookieScript helps clarify what data was collected with consent, and when.
How can I verify that data collection was lawful?
One way is by keeping a detailed record of user consent. CookieScript stores time-stamped consent events, which you can use to confirm lawful processing.
What happens if I ignore a DSAR?
You risk heavy fines and reputational damage. CookieScript helps minimize that risk by giving you access to audit-ready consent logs.
Can a DSAR request be denied?
Yes, in limited cases—such as when the request is unfounded or excessive. However, having detailed consent logs from CookieScript helps you make that call with proper documentation.
How do I handle third-party data in a DSAR?
You must identify and disclose if third parties had access to the user’s data. CookieScript’s monthly scans and script tracking help identify third-party cookies in use.
What if I can’t locate the requested data?
Start with what you can confirm. CookieScript helps by giving you exact timestamps and categories for consent, so you can trace potential data sources across your systems.
Do I need a full DSAR system to comply?
Not necessarily—but you do need reliable tools. CookieScript doesn’t replace a DSAR platform, but it gives you essential consent data that makes the process faster and more defensible.