
Template · DSAR / DSR REPLY

DSR reply template · CCPA/CPRA consumer request

Subject-request response skeleton. Substitute every user-specific value before sending; an unredacted template sent to a data subject is a notifiable error.

Scope law: CCPA/CPRA · Jurisdiction: California · Variables: 18 to substitute · Last reviewed
Editorial research — not legal advice
Procedural flow — universal across regimes

  1. Request received: Day 0, clock starts
  2. Verify identity: reasonable proof, don't over-collect
  3. Search systems: all sub-processors, retention horizons
  4. Compile response: categories · sources · purposes · recipients
  5. Deliver: secure channel, commonly-used format
  6. Inform of rights: complaint to regulator, appeal mechanisms

If complex or numerous requests: most regimes permit extension only if you notify the data subject within the original window.
Figure: Response windows by jurisdiction (Day 0 = request received). Legend: statutory window; extension on notice; no fixed window (statute uses "without delay").
DSAR clock by regime — Day 0 = request received. Solid bar = primary statutory window. Dashed extension = where the regime permits one (notify before original deadline). Editorial reading; not legal advice.
| Regime | Response window | Extension | Statute | Notes |
|---|---|---|---|---|
| PIPA Korea | 10 days | | PIPA Art 35(3) | Strict 10-day clock from receipt |
| LGPD (Brazil) | 15 days | | LGPD Art 19 | Confirmation immediate; full data within 15 days |
| APPI (Japan) | No fixed window | | APPI Art 28 | "Without undue delay" — no fixed statutory window |
| PIPEDA (Canada) | 30 days | +30 days | PIPEDA Sched 1, 4.9.4 | Extension permitted; must notify within original window |
| Quebec Law 25 | 30 days | | Quebec L25 Art 33 | 30 days from receipt; no statutory extension |
| PDPA Singapore | 30 days | | PDPA s.21 | Within 30 days; refusal must be in writing |
| Swiss FADP | 30 days | | FADP Art 25(3) | Statute uses "as soon as possible"; OFDP guidance ~30d |
| AU Privacy Act | 30 days | | AU APP 12.4 | "Reasonable time" per APP 12; OAIC standard ≈30 days |
| GDPR (EU) | 30 days | +60 days | GDPR Art 12(3) | 1 month, extendable by 2 months for complex/numerous requests |
| UK GDPR | 30 days | +60 days | UK GDPR Art 12(3) | Same clock as GDPR; ICO enforces |
| DPDPA (India) | 30 days | | DPDPA s.11–13 | Draft rules consultation 2025; expected reasonable time |
| CCPA / CPRA (CA) | 45 days | +45 days | Cal. Civ. Code §1798.130(a)(2) | 45-day window; extension permitted on notice |
| VCDPA (Virginia) | 45 days | +45 days | Va. Code §59.1-577 | Same 45-day clock; extension on notice |
| TDPSA (Texas) | 45 days | +45 days | Tex. Bus. & Com. Code §541.054 | Same 45-day clock; extension on notice |

Build your DSAR procedure to the strictest applicable clock for the jurisdictions you cover.

Template body

18 placeholders · 13 sections

Subject: Re: California Privacy Rights Request — {{ticket_id}}

Dear {{requestor_name}},

Thank you for your request received on {{request_received_date}}. This is our response under the California Consumer Privacy Act (as amended by CPRA).

Identity verification

We verified your identity using {{identity_method}}. We have a reasonable degree of certainty under §1798.140(j).

Your request type

{{request_type}} — substitute one of: know / access / delete / correct / opt-out of sale or sharing / limit use of sensitive PI.

What we hold (last 12 months)

Categories collected

{{categories_list}}

Sources

{{sources_list}}

Business purposes

{{purposes_list}}

Categories disclosed for business purpose

{{disclosure_business_purpose_list}}

Categories sold or shared

{{sold_or_shared_list_or_none}}

Sensitive personal information

{{sensitive_pi_list_or_none}}

Action taken

{{action_taken_summary}}

Your other rights

  • Know / Access — request what categories we have, sources, purposes, and recipients
  • Delete — request deletion subject to exceptions (§1798.105(d))
  • Correct — request correction of inaccurate PI
  • Opt-out of sale/sharing — your choice is recorded; GPC signal will continue to be honoured
  • Limit use of sensitive PI — restrict use to disclosed business purposes (CPRA §1798.121)
  • Non-discrimination — we do not deny service or charge differently for exercising rights

Authorized agents

If you used an authorized agent, we verified the power of attorney on {{poa_verified_date}}.

Right to complain

You may file a complaint with the California Privacy Protection Agency (CPPA): https://cppa.ca.gov/.

If any of the above is unclear or you wish to follow up, please reply within 15 business days.

Best regards,
{{privacy_team_name}}
{{controller_name}}
{{privacy_email}}


Ticket {{ticket_id}} · Response sent {{response_date}} · {{days_taken}} of the 45-day CCPA §1798.130(a)(2) response window. Businesses may extend by an additional 45 days once, with notice (§1798.130(a)(2)(B)).

Variables to substitute

Replace each {{token}} in the body before deploying.

| Variable | Type |
|---|---|
| {{ticket_id}} | string |
| {{days_taken}} | int |
| {{request_type}} | string |
| {{sources_list}} | string |
| {{privacy_email}} | string |
| {{purposes_list}} | string |
| {{response_date}} | date |
| {{requestor_name}} | string |
| {{categories_list}} | string |
| {{controller_name}} | string |
| {{identity_method}} | string |
| {{poa_verified_date}} | date |
| {{privacy_team_name}} | string |
| {{action_taken_summary}} | string |
| {{request_received_date}} | date |
| {{sensitive_pi_list_or_none}} | string |
| {{sold_or_shared_list_or_none}} | string |
| {{disclosure_business_purpose_list}} | string |

How to use this template · Methodology

Adapt, then deploy. Editorial reading as of 2026-05-05; not legal advice. This template is a starting point — drafted against the named statute and the relevant regulator's published guidance, not your specific facts.

Substitute every placeholder. Tokens like {{controller_name}} must be replaced with your concrete values. Leaving placeholders unsubstituted is a recurring failure mode in published compliance documents; reviewers and regulators tend to read partially-completed disclosures as a documentation problem in itself.
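One way to enforce this before a reply leaves the ticketing system is a strict renderer that refuses to produce output while any token is unfilled, wrongly typed, or left behind by a pasted value. This is an added example, not part of the original template; the function names `render` and `days_taken` and the sample values are assumptions, while the variable names, types and the 45-day/90-day limits come from the page.

```python
import re
from datetime import date

# Names and types copied from the page's "Variables to substitute" table (18 total).
STR_VARS = ("ticket_id request_type sources_list privacy_email purposes_list "
            "requestor_name categories_list controller_name identity_method "
            "privacy_team_name action_taken_summary sensitive_pi_list_or_none "
            "sold_or_shared_list_or_none disclosure_business_purpose_list").split()
DATE_VARS = "response_date poa_verified_date request_received_date".split()
SCHEMA = {**dict.fromkeys(STR_VARS, str), **dict.fromkeys(DATE_VARS, date),
          "days_taken": int}
TOKEN = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(template, values):
    """Fill every {{token}}; raise rather than return a partly filled reply."""
    problems = []
    for name in sorted(set(TOKEN.findall(template))):
        value = values.get(name)
        if name not in SCHEMA:
            problems.append(f"unknown token {name}")
        elif value is None or value == "":
            problems.append(f"no value for {name}")
        elif isinstance(value, bool) or not isinstance(value, SCHEMA[name]):
            problems.append(f"{name} must be {SCHEMA[name].__name__}")
    if problems:
        raise ValueError("; ".join(problems))
    out = TOKEN.sub(lambda m: str(values[m.group(1)]), template)
    if "{{" in out or "}}" in out:  # a pasted value or malformed token left braces behind
        raise ValueError("placeholder syntax remains in rendered reply")
    return out

def days_taken(received, sent, extended=False):
    """Days from Day 0 to response; limit is 45, or 90 after the one noticed extension."""
    days, limit = (sent - received).days, 90 if extended else 45
    if not 0 <= days <= limit:
        raise ValueError(f"{days} days is outside the {limit}-day window")
    return days

if __name__ == "__main__":
    # Constructed sample: the page's footer line with made-up values.
    footer = "Ticket {{ticket_id}} · Response sent {{response_date}} · {{days_taken}} of the 45-day window"
    received, sent = date(2025, 1, 10), date(2025, 2, 9)
    print(render(footer, {"ticket_id": "T-0001", "response_date": sent,
                          "days_taken": days_taken(received, sent)}))
```

Running the check as a blocking step in the send path, rather than as a reviewer checklist item, means a partly filled reply cannot be delivered.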

Verify the assumptions. The "Assumes" block above lists the prerequisites we drafted against. If your facts differ — different processor list, different audience, different sub-processors — adapt the template, don't deploy it as-is.

Counsel review before going live. Templates are scaffolding, not finished artefacts. Route the final pass through counsel admitted in the jurisdiction where you operate.

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. This template does not establish a lawyer-client relationship and is not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment.