Good vs. Bad DSAR Responses: What They Look Like

By: Hanna De La Garza | Updated on: December 9, 2025

Reviewed by: Masha Komnenic, CIPP/E, CIPM, CIPT, FIP

How your business responds to a data request can say a lot about how seriously you take privacy. A clear, well-handled response builds trust, but a vague or delayed one can frustrate users and raise compliance risks.

As DSAR volumes continue to climb across major data privacy laws like the GDPR and CCPA, timely and transparent communication is no longer optional.

In this article, I break down what DSARs are, share examples of good vs. bad responses for the most common types, and explain how Termly can help you efficiently manage them.

What Are DSARs?

A Data Subject Access Request (DSAR) is when someone asks your business to access, modify, delete, or transfer the personal data you hold about them.

These requests give individuals more control over their information and hold businesses accountable for how they use that information.

DSARs are required under major privacy laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other emerging state laws in the U.S. Depending on the law, users may have the right to:

  • See what data you’ve collected about them
  • Request corrections or deletions
  • Opt out of data sharing or targeted advertising
  • Receive their data in a portable format

Every request deserves careful handling, not just to meet legal deadlines, but also to maintain user trust. As more users become aware of their privacy rights, DSAR submissions are rising fast across all regions.

Good vs. Bad DSAR Responses

Even when businesses follow the same privacy laws, the quality of their responses can vary widely. Some make the process simple, respectful, and transparent, while others leave users confused or ignored.

Below, we break down examples of good vs. bad DSAR responses for the most common types of requests and explain what separates an effective reply from a risky one.

1. “Tell Me What Data You Have” (Access Request)

This is the most common type of DSAR that Termly’s platform receives.

These requests, also known as access requests, ask a business to share what personal information it holds about a user, how it’s used, and who it’s shared with.

Real-World Scenario

You work for an eCommerce company that sells home goods.

A customer emails you asking:

“Can you tell me what data you have about me and how it’s used?”

Bad Response Example

“All of our data practices are explained in our privacy policy. You can review it here: [link].”

This response dismisses the request instead of addressing it.

Directing a user to a privacy policy doesn’t fulfill an access request because it fails to confirm what data is actually stored, how it’s processed, or whether it has been shared with others.

It also gives the impression that your business doesn’t have a reliable process for retrieving and presenting personal data.

Good Response Example

“Thanks for reaching out about your data. We located your account under the email [email address]. Based on your activity, we currently store your name, email address, shipping information, and order history.

We collect this data to process purchases, manage your account, and send shipping updates. We do not sell or share your information with third parties for marketing purposes.

If you’d like, we can provide a full export of your personal data in a downloadable file. Please confirm this email address for security before we proceed.”

This response is clear, direct, and user-focused.

It acknowledges the request, specifies what information is held, and explains why it’s collected.

It also takes the right security step by asking the user to confirm their identity before sharing additional data.

Takeaway

A good access request response provides clarity and reassurance. It should identify the data you hold, describe how it’s used, and explain the next steps for secure delivery or follow-up.

2. “Delete My Data” (Deletion Request)

The second most common DSAR Termly’s platform receives is the deletion request.

Also known as the right to erasure or the right to be forgotten, this allows individuals to ask a business to remove their personal information from its systems permanently.

Real-World Scenario

You work for a subscription-based fitness app.

A former subscriber contacts your team saying:

“I canceled my account a few months ago. Please delete all my data from your system.”

Bad Response Example

“We can’t delete your data because it’s part of our system records.”

This response fails to recognize the user’s rights and doesn’t provide any explanation or next steps.

Even if certain data must be retained for legal or operational reasons, simply refusing the request without clarification violates the spirit of privacy laws and leaves users frustrated.

Good Response Example

“We’ve received your request to delete your account data. Most of your personal information, including your name, email address, and workout history, has been permanently deleted from our active systems.

Some records, such as payment history, must be retained for accounting and legal compliance, but these are securely stored and not used for any other purpose.

Your request is now complete, and you’ll receive a confirmation email once all associated data has been removed from backup storage.”

This response acknowledges the request, explains what data can and cannot be deleted, and provides a clear confirmation of completion.

It balances legal obligations with transparency, reassuring the user that their data has been handled appropriately.

Takeaway

A strong deletion response should communicate clearly and follow through on what’s promised.

If certain data must be retained for compliance reasons, explain why and assure the user that it won’t be used beyond that purpose.

A vague refusal or partial explanation can make users doubt your transparency and increase the risk of regulatory complaints.

3. “Don’t Sell or Share My Data” (Opt-Out Request)

Opt-out requests are becoming more frequent as privacy laws like the CCPA expand users’ rights to limit how their data is shared or used for targeted advertising.

These user requests typically ask a business to stop selling or sharing personal information with third parties.

Real-World Scenario

You work for an online retailer that uses advertising partners to run targeted campaigns.

A shopper emails your privacy team saying:

“I want to opt out of having my data shared or sold for advertising purposes.”

Bad Response Example 

“We don’t sell personal data.”

While this might be true in a narrow sense, it misses the broader intent of the request.

Many privacy laws define “sharing” to include certain types of targeted advertising or cross-context behavioral tracking.

Dismissing the request outright shows a lack of understanding and could lead to user complaints or legal scrutiny.

Good Response Example

“We’ve received your request to opt out of data sharing for advertising purposes. Your preferences have been updated, and your information will no longer be shared with our advertising or analytics partners.

You can review or change these settings anytime by visiting the ‘Do Not Sell or Share My Personal Information’ link in our website footer. Please note that you may still see general ads that aren’t based on personal data.”

This response confirms that the request was received, explains the action taken, and provides a straightforward way for the user to review or update their preferences later.

It avoids legal jargon while maintaining accuracy and transparency.

Takeaway 

An effective opt-out response confirms that the user’s preferences have been applied and clarifies what types of data use will continue.

Even if your business doesn’t “sell” data in the traditional sense, addressing the user’s concerns directly shows that you respect their privacy choices and understand the intent behind data protection laws.

4. “Send Me My Data” (Portability Request)

Also known as a data portability request, this DSAR allows users to receive a copy of their personal data in a format that can be easily transferred to another service.

The goal is to give individuals more control and flexibility over their data, especially when switching providers.

Real-World Scenario

You work for a cloud-based project management tool.

A customer reaches out saying:

“I’m moving my projects to another platform. Can you send me a copy of all my data?”

Bad Response Example

“We don’t offer data exports for users at this time.”

This response disregards the user’s rights and fails to provide an alternative.

Refusing a data portability request without explanation or follow-up can be considered noncompliant under laws such as the GDPR and CCPA, and it leaves users feeling powerless over their information.

Good Response Example 

“We’ve verified your identity and prepared a copy of your personal data, including your account details, project information, and uploaded files.

You can download this information securely using the encrypted link below. The link will remain active for seven days, and the file is provided in a machine-readable format (.CSV).

Please let us know if you need assistance importing your data into another platform.”

This response shows transparency, security, and user support.

It confirms verification, specifies the included data, and provides it in a portable, accessible format. It also offers help if the user has additional questions, demonstrating a service-oriented approach to compliance.

Takeaway

A strong portability response gives users clear access to their data in a secure, structured, and usable format. It’s not enough to simply say you can’t provide it.

Businesses should have a process in place to deliver information safely and on time.

This not only fulfills legal obligations but also reinforces trust in your company’s data practices.

5. “I Have a Special Request” (Comment-Based Request)

Many DSAR forms include an open comments field that allows users to provide additional context or combine multiple privacy rights into a single request.

These “special requests” don’t always fit neatly into a single legal category, but they still deserve careful review and a thoughtful response.

Real-World Scenario 

You work for a software company that offers both free and paid accounts.

A user submits a DSAR form with the comment:

“Please send me any data you’ve collected about my account in the past six months, and delete my contact information if I’m no longer active.”

Bad Response Example

“We only process standard DSAR requests like access or deletion. Please submit one of those instead.”

This response ignores the details of the user’s comment and forces them to do extra work to fit into the business’s system.

Even if the request doesn’t align perfectly with a specific privacy right, dismissing it shows a lack of flexibility and customer care.

Good Response Example

“Thanks for clarifying your request. You asked to see any data collected in the past six months and to delete your contact information if your account is inactive.

We’re currently compiling the data from that timeframe and will share a summary once complete. If we confirm that your account is inactive, we’ll delete your contact information and notify you once the process is complete.

Please let us know if you’d like to review older records or limit the deletion to specific data types.”

This response acknowledges the unique nature of the request, demonstrates active listening, and sets clear expectations.

It shows the business is willing to work with the user rather than rely on rigid categories.

Takeaway

When users submit special or comment-based requests, flexibility and communication matter.

Even if a request doesn’t fall under a specific right, taking the time to understand and respond thoughtfully shows accountability and strengthens user trust.

How Termly Helps You Manage DSARs

Handling DSARs manually can quickly become overwhelming, especially as requests increase and privacy laws continue to evolve. That’s where Termly’s DSAR solution comes in.

With Termly, you can create and manage data requests in one place, ensuring every submission is handled efficiently, securely, and in line with global privacy standards.

  • Configure a DSAR form in minutes: Set up a hosted or embeddable form that lets users easily request access to their data.
  • Make it accessible anywhere: Add the form to your website or app, so users always know how to reach you.
  • Get automatic notifications: Receive instant email alerts when a new request is submitted, helping your team respond quickly and stay organized.
  • Meet global privacy requirements: Termly’s DSAR solution supports major frameworks like the GDPR, CCPA/CPRA, VCDPA, and more, helping your business align with privacy obligations worldwide.

By using Termly’s tools, businesses can simplify intake, automate communication, and maintain a clear record of every request, all without building a system from scratch.

Responding to DSARs isn’t just about following the law; it’s about showing your users that their data rights matter.

Every response is a chance to build transparency and trust. Whether you’re handling a simple access request or a complex deletion inquiry, the right approach makes all the difference.

Written by Hanna De La Garza

Hanna is a Content Writer at Termly, where she creates engaging resources on data privacy, consent management, regulatory updates, and more. She focuses on making complex topics accessible for business owners and contributes to both new content initiatives and updates to existing materials to ensure accuracy and clarity.

Reviewed by Masha Komnenic, CIPP/E, CIPM, CIPT, FIP, Director of Global Privacy
