40 Essential DSAR Statistics Every Business Should Know in 2025

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: June 6, 2025

Handle DSARs with Termly
DSAR-Stats-01

Data Subject Access Requests (DSARs) have become a cornerstone of modern privacy laws, allowing individuals to exercise their right to access, correct, delete, or limit the use of their personal information.

As privacy regulations like the GDPR and CCPA continue to evolve and expand, privacy awareness is rising, and with it, the volume and complexity of DSARs.

To help you prepare, we’ve gathered key DSAR statistics that reveal where things are headed. You can also explore our comprehensive guide on DSARs for more insights.

Table of Contents
  1. DSAR Trends We’re Seeing at Termly
  2. DSAR Statistics From Across the Industry

At Termly, we’ve tracked and analyzed major shifts in DSAR activity over the past few years, both in volume and complexity.

All insights presented are drawn from DSARs submitted through Termly customers’ websites, giving you a real-world look at how consumers interact with privacy tools today.

Let’s explore these trends in detail.

DSAR Volumes Are Surging

If your business is seeing more DSARs, you’re not alone. The number of requests is climbing year after year, and it’s not slowing down.

California Consumer Privacy Act (CCPA) Requests

Between 2021 and 2024, CCPA requests submitted through Termly’s platform grew by 246%, showing how quickly consumer demand is rising.

DSAR-CCPA

Here’s how that growth played out over the years:

  • 2021: 5,808 requests
  • 2022: 6,149 requests
  • 2023: 10,074 requests
  • 2024: 20,113 requests

From 2023 to 2024 alone, the volume nearly doubled, likely influenced by the enforcement of the California Privacy Rights Act (CPRA) starting in 2023, which expanded CCPA rights and triggered greater regulatory pressure.

Looking ahead, websites using Termly in the first quarter of 2025 already saw 5,449 requests, indicating the trend is continuing upward, as this quarterly total exceeds any previous quarter’s requests, forecasting another year of growth.

Businesses under the CCPA should establish a process to meet all CCPA DSAR obligations.

General Data Protection Regulation (GDPR) Requests

While CCPA continues to dominate request volume, GDPR requests are steadily rising, emphasizing the importance of following all GDPR DSAR requirements for businesses.

Between 2021 and 2024, GDPR requests for sites using Termly grew by 222%, showing that users outside the U.S. are just as eager to take control of their data.

DSAR-GDPR

The numbers below reflect that steady rise in GDPR activity:

  • 2021: 583 requests
  • 2022: 598 requests
  • 2023: 1,279 requests (more than doubled from 2022)
  • 2024: 1,877 requests

The jump from 2022 to 2023 reflects a broader shift in global attitudes toward data rights, but it may also be tied to the high-profile enforcement actions unfolding at the time.

While Meta’s record €1.2 billion GDPR fine wasn’t officially announced until May 2023, the underlying case had been ongoing for years and received media attention leading up to the ruling. This case likely increased public awareness of GDPR violations and user rights.

The first quarter of 2025 recorded 475 requests for sites using Termly, maintaining the elevated rate from 2024 and indicating sustained global awareness and activity in GDPR submissions.

State Privacy Laws Are Driving New DSAR Activity

U.S. state-specific privacy laws have also led to new categories of DSARs.

These laws generally grant residents rights to access, correct, delete, or obtain copies of their personal data, significantly increasing compliance complexity for businesses.

DSAR-State-By-State

Here’s how Termly users’ request volumes looked for some of these state laws:

State Privacy Law  2024  Q1 2025 
Colorado Privacy Act (CPA)  814 177
Connecticut Data Privacy Act (CTDPA)  289 64
Utah Consumer Privacy Act (UCPA)  225 119
Virginia Consumer Data Protection Act (VCDPA)  255 68

These early numbers from newer state-level regulations indicate that DSAR activity isn’t limited to historically privacy-focused regions like California and the EU.

Instead, consumers across the U.S. actively engage with privacy mechanisms as soon as new laws roll out.

More Websites Are Receiving DSARs

One of the most evident signs of growing privacy engagement is the number of websites receiving DSARs.

CCPA and GDPR requests are being submitted across more websites than ever before. Combined, the number of distinct websites that use Termly and receive requests grew by 290% between 2021 and 2024, indicating a broad industry-wide impact.

Q1 2025 shows continued activity with 2,285 distinct websites, suggesting another strong year of DSAR engagement across various compliance frameworks.

Creating a DSAR process can help simplify receiving and responding to consumer requests to follow through on their privacy rights.

Requests Per Website Are Increasing

It’s not just about how many websites get DSARs but also how many each site receives. The numbers below show how request density for websites using Termly has grown over time:

  • CCPA average requests per website rose from 13.7 in 2021 to 15.4 in 2024.
  • GDPR average requests increased from 5.7 in 2021 to 7.3 in 2024.

The total average requests per website surged from 19.4 in 2021 to 61.0 in 2024.

Early 2025 averages indicate continued high complexity, with CCPA sites averaging 3.8 requests per site, pointing toward further increases in operational challenges this year.

Most Common DSAR Request Types

Looking beyond total volume, the types of DSARs users submit can reveal what they care most about — and what businesses need to be prepared to deliver.

The following statistics represent percentages of requests from websites that use Termly.

DSAR-Request-Types-CCPA

For requests made under the CCPA, the most common type by far is a “request to know,” making up 45% of all CCPA submissions.

These requests typically ask what data a business has collected and how it’s being used.

The next most common are “requests to delete,” which account for 21%.

This trend shows that most users aren’t immediately looking to cut ties — they’re looking for transparency first.

Under GDPR requests, the distribution is a bit more balanced.

DSAR-Request-Types-GDPR

The two leading requests under the GDPR are “delete personal information” at 35% and “confirm personal information” at 30%.

For businesses, this means that the right of access isn’t just a legal requirement; it’s the foundation of user trust.

Investing in strong internal processes to respond to these common request types will help build credibility in the eyes of increasingly privacy-aware users.

DSAR Statistics From Across the Industry

While Termly’s internal data offers a firsthand look at how consumers engage with DSAR tools, it’s also valuable to examine broader industry trends.

The following insights reveal how businesses manage DSAR workloads, where users submit DSARs from, and the operational challenges companies face as privacy expectations rise.

Rising DSAR Volumes and User Engagement

As global privacy awareness grows, so does the number of individuals exercising their data rights. The stats below illustrate just how quickly DSAR activity is accelerating:

  • 36% of internet users worldwide stated having exercised their right of DSARs in 2024, up from 24% in 2022. (Statista)
  • 60% of respondents reported an increase in DSARs over the past year. (EY Law)
  • 3,070 Data Privacy Officers saw an increase in DSARs over the past year. (PrivacyEngine).
  • DSAR Software Market size was valued at $100 Million in 2023 and is projected to reach $500 Million by 2030. (Verified Market Research)

With requests multiplying and demand for DSAR management tools surging, businesses that don’t invest in scalable privacy infrastructure risk falling behind.

Who’s Submitting Requests and From Where?

The statistics below offer a closer look at who’s filing requests and where they’re coming from, shedding light on the evolving nature of DSAR activity.

  • More than 66% of DSARs are made by employees. (PrivacyEngine)
  • At 26.7%, respondents aged 45 to 54 were the most engaged on the topic of DSARs. (PrivacyEngine)
  • At 25.9%, the 55-64 age group was the next most-engaged group.
  • 60.9% of respondents who engaged on the topic of DSARs were women. (PrivacyEngine)

These numbers suggest that DSARs are being used beyond the scope of traditional consumer privacy laws.

Some requests may come from users in unregulated regions. However, it’s also possible they’re using a VPN or other safety features to enhance privacy.

DSARs also, notably, come from employees, not just customers.

PrivacyEngine found that DSARs made by employees are often in the context of disputes with their employers. This growing trend shows that DSARs are becoming a powerful tool for workplace transparency and accountability.

Operational Pressure and DSAR Complaints

From rising costs to resource strain and regulatory complaints, managing DSARs has become a complex task — especially for industries that handle large volumes of personal data.

The following statistics illustrate DSAR strain on businesses:

  • 69.5% of DPOs said that their biggest DSAR spending was on hiring data protection consultants. (PrivacyEngine)
  • 88% handle DSARs in-house, mostly through dedicated data protection teams, but often splitting the work between HR, legal, IT, and compliance. (EY Law)
  • 33% of respondents had received “bulk” DSARs. (EY Law)
  • 51% had received complaints from data subjects about DSARs. (EY Law)
  • 15% increase in DSAR complaints filed with the UK’s ICO between 2023–2024 (from 1,622 to 1,874). (Financial Times)
  • Financial companies accounted for 16% of all DSAR complaints, the highest of any sector. (Financial Times)
  • ICO action against financial companies for DSAR mishandling increased 22% year-over-year, from 563 to 688 formal rebukes. (Financial Times)

These figures show that DSARs are more than just a legal checkbox — they represent a growing operational challenge.

Financial institutions, in particular, are under pressure.

As the Financial Times reports, they handle vast amounts of sensitive data like transaction records and credit card information spread across multiple systems, making it harder to fulfill requests accurately and on time.

For all organizations, these trends signal the need for more efficient processes, clear accountability, and greater investment in DSAR readiness.

Consumer Views on Data Privacy Rights

Consumer expectations around data privacy are evolving as quickly as the regulations designed to protect them — just check out these shocking privacy statistics:

  • In 2024, 53% of respondents said they were aware of their country’s privacy laws. (Cisco)
  • 68% of global consumers are somewhat or very concerned about privacy online. (IAPP)
  • 81% say the information companies collect will be used in ways that people are not comfortable with. (Pew Research)

It is clear that most users are concerned about how their data is being handled. For businesses, this presents both a challenge and an opportunity: earning trust starts with transparency, and being proactive about privacy practices can make all the difference.

Termly’s solutions make it easier to align with consumer and regulatory expectations.

Our comprehensive Consent Management Platform (CMP) helps you give users more control over their data and demonstrate a commitment to responsible data practices.

Features like an embeddable DSAR form make it easier for you to collect, organize, and respond to access requests — all from one platform.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources