How to Request Your Data From Companies (Data Subject Access Requests)

Every day, companies collect vast amounts of your personal data — from your browsing habits and purchase history to your location and contact details. But did you know you have the legal right to find out exactly what they have? A Data Subject Access Request (DSAR) is your most powerful tool for reclaiming control over your personal information.

What Is a Data Subject Access Request?

A Data Subject Access Request, or DSAR, is a formal request you send to a company asking them to disclose all the personal data they hold about you. Under laws like the GDPR in Europe, the CCPA/CPRA in California, and numerous other state privacy laws across the United States, companies are legally obligated to respond to these requests within a set timeframe.

You can submit a DSAR to virtually any organization that processes your personal data, including retailers, social media platforms, banks, insurance companies, data brokers, employers, and healthcare providers.

Your Rights Under Major Privacy Laws

CCPA/CPRA (California)

California residents can request that businesses disclose the categories and specific pieces of personal information collected about them. Companies must respond within 45 days, with the possibility of a 45-day extension if they notify you.

GDPR (European Union)

EU residents have the right to access their personal data, and organizations must respond within one calendar month. The response must include the purposes of processing, the categories of data held, and who the data has been shared with.

Other U.S. State Privacy Laws

States including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others have enacted privacy laws that grant residents similar data access rights. Response deadlines typically range from 30 to 45 days.

How to Submit a DSAR

Step 1: Find the Right Contact

Look for the company's privacy policy on their website — usually linked in the footer. The policy should include contact information for their Data Protection Officer (DPO) or a dedicated privacy email address. Many larger companies now have online DSAR portals or web forms.

Step 2: Write Your Request

Your request doesn't need to follow a specific format, but it should include:

• A clear statement that you are making a data subject access request
• Your full name and any identifiers the company may have on file (email address, account number, username)
• The specific data you want access to (or request all data they hold)
• Your preferred format for receiving the data (electronic copy is standard)
• A reference to the specific law you're invoking (CCPA, GDPR, etc.)

Step 3: Submit and Document

Send your request via the company's preferred channel — email, web form, or postal mail. Keep a copy of your request and note the date you sent it. This is critical for tracking response deadlines.

Step 4: Verify Your Identity

Companies will typically ask you to verify your identity before releasing data. Be prepared to provide a form of identification, but be cautious about sharing sensitive documents. A reputable company should never ask for your Social Security number to process a DSAR.

Step 5: Review and Follow Up

Once you receive the response, review it carefully. If the company fails to respond within the legal deadline, or if the response is incomplete, you have the right to escalate. In the U.S., you can file a complaint with your state's Attorney General. In the EU, contact your local Data Protection Authority.

What Companies Must Disclose

When a company responds to your DSAR, they should provide:

• The categories and specific pieces of personal data they hold about you
• The sources from which the data was collected
• The business or commercial purpose for collecting the data
• The categories of third parties with whom the data has been shared
• Whether the data has been sold or disclosed for a business purpose

Using DSARs to Clean Up Your Digital Footprint

Data access requests aren't just about curiosity — they're a strategic first step toward cleaning up your online presence. Once you know what data a company holds, you can follow up with a deletion request to have that information removed. This is especially powerful when targeting data brokers who aggregate and sell your personal information.

For most people, however, the sheer number of companies holding your data makes individual DSARs impractical. There are hundreds of data brokers alone, each requiring a separate request. This is where a service like PrivacyOn becomes invaluable — we continuously monitor and remove your personal information from over 100 data broker sites, so you don't have to send hundreds of individual requests.

Tips for Effective DSARs

• Start with data brokers. They often hold the most comprehensive profiles. Use DSARs to discover exactly what they have before requesting deletion.
• Target companies after breaches. If you receive a breach notification, submit a DSAR to understand the full scope of your exposed data.
• Be specific when needed. If you're only concerned about certain data (e.g., location tracking), you can narrow your request.
• Use authorized agents. Many laws allow you to designate someone to submit DSARs on your behalf — parents can act for minors, and services like PrivacyOn can act on your behalf for data broker removals.
• Keep records. Document every request and response. This creates a paper trail if you need to escalate.

Take Control of Your Data

Submitting data access requests is one of the most empowering steps you can take for your digital privacy. It forces transparency from the companies profiting from your personal information and gives you the foundation to demand deletion. Whether you tackle it yourself or use PrivacyOn to automate the process across 100+ data brokers, the important thing is to start exercising your rights today.