When someone submits a Data Subject Access Request (DSAR), they’re exercising their legal right to access, change, or control the personal data a business holds about them.
DSAR volumes submitted through Termly show just how steep the rise has been: CCPA requests grew by 246% between 2021 and 2024, while GDPR requests increased by 222% in the same period.
With new state privacy laws rolling out and user awareness climbing, it’s safe to say that DSARs are no longer rare or optional for businesses to consider.
In this article, I explore the five most common types of DSARs you’re likely to receive and share practical steps you can take to handle them smoothly.
The Most Common Types of DSARs
While privacy laws differ in their exact wording and guidelines, there are five common privacy rights consumers typically submit DSARs to follow through on, as highlighted by Termly’s dataset of nearly 60,000 requests.
Below, I break down each type, why it matters, and how your business should respond.
1. “Tell Me What Data You Have” (Request to Know)
Percent of all requests: 43.9% (Termly)
The most common request by far, these DSARs ask for clarity on what personal information a company has collected about an individual, why it was collected, and/or who it’s been shared with.
This right is at the heart of almost every privacy law, including the CCPA and the GDPR, which view transparency as the foundation of data protection.
Why Users Make This Request
Many people are unsure what companies actually track, so this request is often the first step in building trust.
Some users make access requests before deciding whether to delete their data.
How Businesses Should Respond
To handle access requests effectively, businesses should focus on clarity, accuracy, and delivering information in a user-friendly way.
- Keep a detailed data inventory and map where personal data is stored.
- Provide responses that are clear and written in plain language, not legalese.
- Share categories, purposes, and third-party disclosures, and deliver the information securely within the required timeframe.
2. “Delete My Data” (Deletion Request)
Percent of all requests: 17.7% (Termly)
Second only to requests to know, deletion requests allow users to ask for the removal of their personal information.
Under the GDPR, this is known as the “right to be forgotten,” and under the CCPA, businesses must honor deletion unless an exemption applies.
Why Users Make This Request
People can request deletion for any reason.
Some examples might be when they stop using a service, when they’re uncomfortable with how data is being used, or when they simply want to reduce their digital footprint.
How Businesses Should Respond
When responding to deletion requests, the key is striking a balance between legal retention requirements and the user’s right to have their information removed.
- Verify whether you have a lawful basis to retain the data (e.g., compliance obligations).
- Build workflows that remove information across all systems, not just the primary database.
- Always confirm back to the user once deletion is complete.
3. “Don’t Sell or Share My Data” (Opt-Out Requests)
Percent of all requests: 12.3% (Termly)
These opt-out requests primarily aim to prevent companies from selling or sharing personal data, particularly for advertising or profiling purposes.
The CPRA expanded California’s opt-out rights to include cross-context behavioral advertising, allowing users to prevent their data from being used to build targeted profiles.
Why Users Make This Request
Privacy-savvy users might not want their data used to fuel targeted ads, and new state laws give them more control than ever.
How Businesses Should Respond
Opt-out requests require clear processes to ensure that user choices are consistently honored across all systems and partners.
- Display a clear “Do Not Sell or Share My Personal Information” link on your website.
- Ensure opt-outs are honored across all tools and ad networks.
- Integrate opt-out preferences with your consent management platform so they apply automatically.
4. “Send Me My Data” (Portability Request)
Percent of all requests: 12.3% (Termly)
Also known as the right to data portability, these requests require you to provide users with a copy of their personal data in a format that they can use elsewhere.
The GDPR first popularized this right, but it is now also reflected in multiple U.S. state laws.
Why Users Make This Request
Data portability is about giving users flexibility and control.
Some people may make this request to maintain a personal archive, while others may want to transfer their information to a competitor or a new service more easily.
How Businesses Should Respond
Portability requests call for secure, structured delivery methods that give users control over their information without exposing it to risk.
- Provide the data in a commonly used, machine-readable format, such as CSV.
- Deliver it securely, with appropriate encryption, and only after verifying the requester’s identity.
- Keep records of what was shared in case questions arise later.
5. “I Have a Special Request” (Specify Comment)
Percent of all requests: 6.4% (Termly)
DSAR forms often include a free-text field for comments.
While not a formal category of rights, this space allows users to clarify their request, combine multiple rights, or raise unique concerns.
Why Users Make This Request
They may want a narrower search (e.g., “just show me what you collected in the past year”), or they may flag a concern that doesn’t fit neatly into existing rights.
How Businesses Should Respond
Since comment-based requests often fall outside strict legal categories, the best response approach is flexibility and open communication.
- Read these comments carefully; they often provide context that saves time.
- If unclear, reach out to the requester for clarification before proceeding.
- Even if the comment doesn’t create a new legal obligation, a respectful reply goes a long way in building trust.
What Are DSARs?
A DSAR is a formal request from an individual to act on their privacy rights. While the exact rights differ depending on the law, DSARs generally allow people to:
- Access their personal data and understand how it’s being used
- Delete their information if they no longer want a business to keep it
- Correct inaccurate or outdated details
- Limit or opt out of certain types of processing, like targeted advertising
- Receive a copy of their data in a portable format
In short, DSARs give individuals more control over their digital footprint and hold businesses accountable for how they handle personal information.
The Growing DSAR Landscape
The past few years have made one thing clear: DSAR activity isn’t slowing down, it’s accelerating.
Between new privacy laws, growing consumer awareness, and stricter enforcement, businesses are fielding more requests than ever before. Here’s what the numbers show:
DSAR volumes are climbing.
CCPA requests submitted through Termly grew by 246% between 2021 and 2024, nearly doubling from 2023 to 2024 alone.
GDPR requests increased by 222% over the same period, reflecting a growing global awareness of data rights.
In Q1 2025, sites using Termly already logged more requests than in any previous quarter, signaling another year of growth.
New state laws are driving fresh activity.
Regulations in Colorado, Connecticut, Utah, and Virginia have introduced additional DSAR categories, from the right to correct data to new opt-outs for sensitive personal information.
User engagement is higher than ever.
According to Statista, 36% of internet users worldwide exercised their DSAR rights in 2024, up from just 24% in 2022.
Together, these shifts indicate that DSARs aren’t only increasing in number but also becoming more complex and consequential.
For businesses, the challenge isn’t just responding to requests, but doing so quickly, consistently, and in a way that reinforces user trust.
Why Businesses Need To Be Prepared
The rise in DSAR activity isn’t just a trend. It’s creating real operational, financial, and reputational challenges for businesses.
Organizations that lack a clear process risk falling behind in several key areas.
Operational strain
The average number of DSARs per website using Termly grew from 19.4 in 2021 to 61.0 in 2024. That means even small and mid-sized businesses are seeing multiple requests per month.
Each request can involve identity verification, data searches across multiple platforms, and a careful review of what can be legally shared or deleted.
For businesses that rely on multiple tools or store customer data in various locations, the workload can accumulate quickly.
Rising complaints
Users are becoming more vocal about how their data is handled, and they’re not shy about pushing back if a business is slow to respond or unclear in its communication.
Even if a company ultimately fulfills a request, a clumsy process can still lead to frustrated users and negative feedback.
According to EY Law, 51% of businesses reported receiving complaints about how they handled DSARs.
These complaints not only drain resources but can also erode customer trust and potentially escalate to regulators if left unresolved.
Regulatory risk
Regulators are paying attention. The UK’s Information Commissioner’s Office, for example, saw a 15% increase in DSAR-related complaints between 2023 and 2024.
Under the GDPR, failing to respond properly to a DSAR is considered a violation of data subject rights, and those infringements fall into the highest penalty tier.
That means fines can reach up to €20 million or 4% of a company’s global annual revenue, whichever is higher.
Preparing for DSARs isn’t about checking a compliance box; it’s about building sustainable processes that reduce risk and strengthen relationships with your users.
Businesses that invest in DSAR readiness now will be better equipped to handle the growing complexity of requests in the years ahead.
How Termly Helps You Handle DSARs
Understanding the types of requests you’ll receive is only half the battle. The real challenge is handling them efficiently, consistently, and in line with the laws that apply to your business.
That’s where Termly’s DSAR solution comes in.
With Termly, you can:
- Create a DSAR form in minutes: Configure an embeddable form or use a Termly-hosted link, allowing users to submit their requests easily.
- Make it accessible everywhere: Add the form directly to your website or app, ensuring users always know how to reach you.
- Receive automatic notifications: Get email alerts the moment someone submits a DSAR, so nothing slips through the cracks.
- Meet CCPA/CPRA requirements: Use pre-made links like “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information straight from your Termly dashboard.
- Match global laws with one solution: Whether you’re covered by the GDPR, CCPA/CPRA, VCDPA, UCPA, or other frameworks, Termly helps you stay aligned with worldwide DSAR requirements.
Our DSAR solution is designed for small to medium-sized businesses that lack the time or resources to develop compliance workflows from scratch.
Instead of scrambling when requests arrive, Termly helps provide a streamlined process that saves time, reduces risk, and demonstrates to users that you take their privacy seriously.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
