What Is a Data Subject Access Request (DSAR)?

A Data Subject Access Request (DSAR) is when a customer asks your business to take a certain action on their personal data. As an example, if you are a Shopify merchant, a “data subject” would be any one of your customers, and their order history would be their “data”.

Under privacy laws like the GDPR in Europe or the CCPA/CPRA in California, customers (called “data subjects”) have certain rights over their information - and they can exercise those rights by submitting a DSAR to you.

While “access” is the most common request (and where the “A” in DSAR comes from), most merchants will see a mix of different request types.

Key Takeaways

• DSARs = legal rights, not just preferences. Customers have the right to access, delete, or correct their personal data.
• Timelines matter. 30 days under GDPR, 45 days under CPRA, and just 15 days for certain opt-outs.
• Identity verification is conditional. Required for access/deletion, but not for opt-outs under CCPA/CPRA.
• Centralize requests. DSAR Pages prevent missed emails and give you one place to manage compliance.
• Documentation is protection. Keep logs of every DSAR — what was requested, what was done, and when.
• Communication builds trust. Confirm receipt, update customers, and close the loop once completed.
• Pair with consent logs. DSAR handling and consent tracking together cover the core of GDPR compliance.

What Kind of DSARs Can You Receive?

Depending on where your customers are located, you may receive different types of DSARs. 

Each privacy law (GDPR, CCPA/CPRA, LGPD, etc.) comes with its own set of rights, but most fall into these categories:

• Access requests – Customers ask to see what personal data you hold about them.
  Deletion requests – Also called the “right to be forgotten.” Customers want their data permanently erased.
• Correction requests – Customers ask you to fix inaccurate or outdated information.
• Restriction requests – Customers ask you to stop processing their data (but still keep it stored).
• Opt-out of sale/sharing – Required by CCPA/CPRA, this lets customers stop their data from being shared with third parties.
• Limit sensitive data use – Customers may restrict how you use sensitive information (like financial data or precise location).
• Portability requests – Customers ask for their data in a portable format so they can transfer it elsewhere.

In addition to these, customers also have the right to be informed about how their data is collected and used.

You’ll typically cover this with your cookie banner and privacy policy, but sometimes customers will raise questions through DSARs too.

How DSARs Are Actually Received and Handled

So, what does a DSAR look like in real life? Unlike chargebacks or Shopify notifications, there isn’t a single standardized format. 

Requests can come in through many different channels, and it’s up to you to recognize and process them correctly.

Where DSARs Usually Come From

• Email: A customer might write to your support inbox with a request like “Please delete all my personal data.”
• Contact forms: If you use a generic “Contact Us” form, DSARs can easily appear there.
• Social media or live chat: Customers sometimes submit DSARs in less formal places. These still count!
• DSAR Pages: The simplest and most reliable method is a dedicated form on your website — which is exactly why Consentmo includes a built-in DSAR Page for Shopify stores.

Why DSAR Pages Help

Without a central process, DSARs may get lost among other emails and messages. A missed request isn’t just bad for customer trust — it could also lead to penalties under GDPR or CCPA. 

By handling everything through a dedicated DSAR Page, merchants ensure:

• Customers can easily submit a request
• The process is standardized and secure
• Deadlines and responses are tracked automatically
• Nothing gets lost in email or chat threads

Having a dedicated DSAR page on your website is one of the best ways to be mindful of compliance, boost customer trust and overall stay on the safe side of legal requirements.

Your Responsibilities When It Comes To Handling DSARs

When a DSAR lands in your inbox, it’s easy to feel overwhelmed. The process becomes much simpler if you break it down into a few clear steps. We’ve outlined the 4 essential responsibilities every Shopify merchant should follow when responding to DSARs. Let’s look at them one by one.

1. Respond Within the Legal Timeline

Every privacy law sets a strict deadline for responding to DSARs. Missing these deadlines can expose your store to fines or complaints and that’s why it’s important to track each request as soon as it comes in and note the due date.

• GDPR (EU/UK): Respond within 30 days.
  
• CCPA/CPRA (California): Respond within 45 days, but opt-out requests (Do Not Sell/Share) must be honored in 15 days.
  
• Other laws (LGPD, FADP, etc.): Similar timelines, usually 30–45 days. You can sometimes request an extension (for complex requests), but you’ll need to document the reason.

2. Verify the Requester’s Identity

Before sharing or deleting personal data, you need to confirm that the person making the request really is who they claim to be. This usually involves asking the customer to confirm details like their email address or login credentials. 

However, not all requests require verification. For example, under the CCPA/CPRA, opt-out requests (“Do Not Sell/Share” or “Limit Use of Sensitive Data”) must be honored without additional checks. 

• For access, deletion, correction, portability - verify the requester’s identity before processing.
  
• For opt-outs and limits on sensitive info (CCPA/CPRA) - no verification required.

3. Keep a Detailed Record

When handling DSARs it is best to have trackable records of all actions taken as regulators may ask you to prove that you responded correctly. That means you should document when the request was received, the actions you took, who handled it, and the final outcome. 

Having this paper trail protects your business if questions ever arise. Compliance tools like Consentmo automatically log every DSAR in your admin, so you always have a clear history ready to show.

4. Communicate Clearly With the Customer

Transparency is key to maintaining trust. Customers want to know that their request has been received, what’s happening behind the scenes, and when they can expect a result. 

Even if you’re still processing their DSAR, sending a quick confirmation can go a long way in preventing confusion or frustration. A simple message like, “We’ve received your deletion request and are working on it - you’ll hear back within 30 days” sets expectations and shows that you take their privacy seriously.

Also, in case any complaints are involved - it’s important to handle requests clearly and in a friendly manner as you may risk legal escalation.

Handling DSARs with Consentmo In 5 Easy Steps

With Consentmo, DSARs don’t just arrive randomly in your inbox — they’re logged, tracked, and managed in one secure workflow inside your Shopify admin. Here’s how it works:

Step 1: Receiving the Request

Customers can submit DSARs directly through your store’s DSAR Pages (e.g., GDPR page, US Laws page, CCPA “Do Not Sell” page). You can generate a DSAR page for each privacy law and link it in your store’s footer or compliance center.

You can instantly generate GDPR, CCPA, LGPD, and other DSAR pages with one click. Each page has its own request form tailored to the legal requirements.

Your store might serve customers worldwide — that’s why DSAR pages can be localized in multiple languages (English, Japanese, Portuguese, Thai, etc.). 

Step 2: Logging the Request

Every request shows up automatically in your Customer Data Requests log. Here you’ll see:

• Request type (e.g., “Deletion request,” “Do Not Sell,” “Edit profile”)
• Source (which compliance page it came from)
• Requester’s email
• IP address
• Timestamp

You can filter by date, request type, or source — making it easy to manage multiple DSARs at once.

With Consentmo, you can also enable an automatic Google Drive backup for safekeeping and full records!

Step 3: Processing the Request

Consentmo provides request-specific forms where customers can update or edit their information, and merchants can process actions like deletion or opt-out. 

You can even brand these forms with your logo, colors, and custom CSS to keep the experience consistent.

Step 4: Customer Confirmation Emails

Once a request is submitted, Consentmo automatically sends a confirmation email to the customer. These emails include a secure link back to their request page where they can track progress or download reports. You can fully customize the email design (colors, logo, button text, header/footer HTML).

Step 5: Do Not Sell Requests

For US customers under CCPA/CPRA, you can generate with 1-click a ready to use “Do Not Sell My Data” page straight from Consentmo.

Adding this page to your footer ensures customers can easily opt out of data sales - and the request goes straight into your DSAR log.

With this workflow, DSARs become structured and trackable instead of scattered emails. From intake to completion, everything happens inside Consentmo, giving you both compliance and peace of mind.

DSARs Made Simple

Responding to DSARs doesn’t have to be complicated or stressful. With the right process and tools in place, you can stay compliant, build customer trust, and avoid regulatory risks — all while saving your team valuable time.

Consentmo’s DSAR Pages give your customers a simple, self-service way to exercise their rights, and give you a secure dashboard to track, verify, and fulfill every request.

Next helpful read: From Click to Compliance: Understanding GDPR Consent Logs - learn how keeping clear records of cookie consents is just as important as responding to DSARs. Together, DSAR Pages and Consent Logs form the backbone of your compliance stack.