Data Subject Request Form Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Data Subject Request Form?

The Data Subject Request Form serves as a crucial tool for organizations to comply with U.S. privacy regulations while managing individuals' requests regarding their personal data. This document is essential for businesses subject to state privacy laws such as CCPA/CPRA, VCDPA, CPA, UCPA, and CTDPA, as well as sector-specific regulations like HIPAA, GLBA, and FERPA. The form standardizes the process of receiving, verifying, and responding to data subject requests, helping organizations maintain compliance while protecting individuals' privacy rights.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Subject Request Form

A Data Subject Request Form is a critical compliance document that enables individuals to exercise their privacy rights under various United States data protection laws. This form serves as the formal mechanism through which consumers can request access to their personal information, seek corrections to inaccurate data, request deletion of their information, or exercise other rights granted under state and federal privacy legislation. Organizations subject to privacy regulations use this form to standardize their response processes and ensure legal compliance.

When do you need this document?

You need a Data Subject Request Form if your organization collects personal information from residents of states with comprehensive privacy laws, including California, Virginia, Colorado, Utah, or Connecticut. Businesses meeting revenue thresholds or data processing volumes under these laws must provide consumers with accessible methods to exercise their rights. Healthcare organizations subject to HIPAA, financial institutions under GLBA, and educational institutions governed by FERPA also require formal request processes. E-commerce businesses, SaaS companies, retailers with online presence, and any organization maintaining customer databases should implement this form to handle privacy requests effectively.

Key legal considerations

The form must clearly identify the types of requests available under applicable laws, including rights to know what personal information is collected, delete personal information, correct inaccuracies, and opt-out of sale or sharing. Identity verification procedures are crucial to prevent unauthorized access to personal information, requiring appropriate documentation and confirmation processes. Response timelines vary by jurisdiction but typically range from 30 to 45 days, with possible extensions under specific circumstances. Organizations must maintain records of requests and responses for compliance audits. The form should specify any applicable exemptions or limitations, such as when deletion might conflict with legal retention requirements or when certain information categories are excluded from access rights.

Legal requirements in United States

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), businesses must respond to verified requests within 45 days and provide information free of charge up to twice per year. The Virginia Consumer Data Protection Act (VCDPA) requires responses within 45 days and allows consumers to appeal denials. Colorado's Privacy Act (CPA) mandates 45-day response times with appeal processes through the state attorney general. Utah's Consumer Privacy Act (UCPA) provides similar timelines but with different exemptions for certain business types. Connecticut's Data Privacy Act (CTDPA) requires 45-day responses and specific disclosure formats. Federal laws like HIPAA require responses within 30 days for healthcare records, while FERPA mandates 45 days for educational records. All jurisdictions require clear communication of any request denials with specific reasoning and available remedies.

GOVERNING LAW

Applicable law

This Data Subject Request Form is drafted to comply with United States law. Key legislation includes:

CCPA/CPRA: California Consumer Privacy Act/California Privacy Rights Act - Most comprehensive data privacy law in the US, applies to businesses serving California residents and grants specific rights to data subjects

VCDPA: Virginia Consumer Data Protection Act - Effective January 1, 2023, provides similar rights to CCPA/CPRA for Virginia residents

CPA: Colorado Privacy Act - Effective July 1, 2023, includes specific data subject rights for Colorado residents

UCPA: Utah Consumer Privacy Act - Effective December 31, 2023, provides privacy rights for Utah residents

CTDPA: Connecticut Data Privacy Act - Effective July 1, 2023, establishes privacy rights for Connecticut residents

HIPAA: Health Insurance Portability and Accountability Act - Federal law governing privacy and security of healthcare-related data

GLBA: Gramm-Leach-Bliley Act - Federal law governing privacy and security requirements for financial institutions

FERPA: Family Educational Rights and Privacy Act - Federal law protecting privacy of student education records in educational institutions

GDPR Considerations: General Data Protection Regulation - While EU-based, must be considered if organization handles EU residents' data

Identity Verification: Requirements for verifying the identity of individuals making data subject requests

Request Types: Different categories of requests including access, deletion, correction, and portability

Response Timeframes: Mandatory timeframes for responding to data subject requests under various regulations

Response Format: Required format and content of responses to data subject requests

Exemptions: Legal exemptions and limitations to data subject rights under various regulations

Record-keeping: Requirements for maintaining records of data subject requests and responses

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it