Data Subject Access Request Form Template for the United States
What is a Data Subject Access Request Form?
The Data Subject Access Request Form has become increasingly important with the evolution of data privacy laws in the United States, particularly with the implementation of the CCPA/CPRA and similar state laws. This document serves as a formal mechanism for individuals to exercise their legal right to understand what personal information organizations hold about them, how it's being used, and who it's being shared with. It helps organizations maintain compliance with privacy regulations while providing a clear, structured process for handling data access requests.
Frequently Asked Questions
Is a Data Subject Access Request Form legally binding in the United States?
Yes, a properly completed Data Subject Access Request Form creates legal obligations for organizations under applicable US privacy laws. Under the CCPA/CPRA in California, companies must respond within 45 days (extendable to 90 days), while HIPAA-covered entities must respond within 30 days for medical records. Organizations that fail to respond or improperly deny requests face significant penalties and potential legal action.
How long does it take to complete a Data Subject Access Request Form?
Most Data Subject Access Request Forms can be completed in 10-15 minutes with basic personal information and specific details about the data you're requesting. The key is being as specific as possible about what personal information you want to access, the time period involved, and your relationship with the organization. Having account numbers, dates of service, or other identifying information ready will speed up the process.
Can organizations charge me for responding to my Data Subject Access Request?
Generally no, organizations cannot charge fees for initial Data Subject Access Requests under CCPA/CPRA and most US privacy laws. However, HIPAA allows healthcare providers to charge reasonable copying fees for medical records, and some laws permit fees for excessive or repetitive requests. Organizations must clearly explain any fees before processing your request and cannot use fees as a barrier to discourage legitimate requests.
How is a Data Subject Access Request different from a Freedom of Information Act (FOIA) request?
A Data Subject Access Request seeks your own personal information held by private companies or organizations, while FOIA requests seek government records and documents from federal agencies. Data Subject Access Requests are governed by privacy laws like CCPA, HIPAA, and FERPA, whereas FOIA applies only to federal government agencies. The response timeframes, fee structures, and exemptions are completely different between these two types of requests.
Does my Data Subject Access Request Form need to include specific legal language to be valid?
No specific legal language is required, but your request must clearly identify you as the data subject and specify what personal information you want to access. Under CCPA and other US privacy laws, organizations cannot reject requests due to informal language, but including details like account numbers, service dates, and specific data categories will help ensure a complete response and avoid delays.
Can I submit a Data Subject Access Request for someone else's personal information?
Generally no, you can only request your own personal information unless you have legal authority to act on someone's behalf. Exceptions include parents requesting their minor child's information, legal guardians acting for disabled adults, or authorized agents with written permission. Healthcare providers under HIPAA have additional rules for personal representatives, and you'll need to provide documentation proving your authority to make the request.
Where should I send my completed Data Subject Access Request Form if the organization doesn't specify?
Look for the organization's privacy policy, which typically includes contact information for privacy requests, such as a dedicated email address or mailing address. Many companies have online portals for submitting these requests. If no specific contact is listed, send it to the company's general counsel, compliance department, or main business address with "ATTN: Privacy Officer" or "Data Subject Access Request" clearly marked on the correspondence.
About the Data Subject Access Request Form
A Data Subject Access Request Form is your legal tool for obtaining information about the personal data organizations collect and store about you. Under United States privacy laws, including California's CCPA/CPRA and federal regulations like HIPAA and FERPA, you have the right to know what personal information companies hold, how they use it, and who they share it with. This form provides a standardized way to exercise these rights while ensuring your request meets all legal requirements for processing.
When do you need this document?
You need a Data Subject Access Request Form whenever you want to understand what personal information an organization has collected about you. This is particularly important when dealing with healthcare providers under HIPAA, educational institutions under FERPA, financial services companies under GLBA, or any business operating in California under CCPA/CPRA. You might use this form before switching service providers, during legal proceedings where your data is relevant, or simply to understand your digital footprint. The form is also essential when you suspect unauthorized data collection or want to verify the accuracy of information being used for decisions affecting you.
Key legal considerations
Identity verification is a critical component of any data access request, as organizations must protect personal information from unauthorized disclosure. Your form should include sufficient identification details, and you should be prepared to provide additional verification if requested. Response timeframes vary by jurisdiction and law type: CCPA requires responses within 45 days, while HIPAA allows up to 30 days for medical records. Be specific about the type of information you're requesting and your preferred format for receiving it. Organizations may charge reasonable fees for copying and processing, particularly for extensive requests. Remember that certain information may be exempt from disclosure, such as trade secrets, attorney-client privileged communications, or data that would compromise others' privacy rights.
Legal requirements in the United States
United States data access rights vary significantly by state and federal law. California's CCPA/CPRA provides the most comprehensive rights, allowing residents to request disclosure of personal information categories, sources, business purposes for collection, and third-party sharing details. Federal agencies must comply with the Privacy Act of 1974, which grants individuals access to records maintained about them. Healthcare entities must follow HIPAA's right of access provisions, typically providing medical records within 30 days. Educational institutions under FERPA must allow students and eligible parents to inspect education records. Financial institutions under GLBA have specific disclosure requirements for nonpublic personal information. Each law has distinct procedures, exemptions, and response timeframes, so ensure your request complies with the specific regulations governing your situation and the organization you're contacting.
GOVERNING LAW
Applicable law
This Data Subject Access Request Form is drafted to comply with United States law. Key legislation includes:
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it