Compliance Essentials for Visitor Intelligence
Lesson 7 of 9

DSARs and Opt-Outs

Under both GDPR and CCPA, individuals have rights over their data. A Data Subject Access Request (DSAR) is a formal exercise of those rights. This lesson covers what you're required to provide, how to respond, and how to handle opt-outs.

The Rights Under GDPR

Right of access (Article 15): Individuals can request all personal data you hold about them. You must respond within 30 days with a copy of that data in a portable format.

Right to erasure (Article 17): Also called "right to be forgotten." Individuals can request deletion of their personal data where there's no overriding legitimate basis to retain it. You must comply within 30 days.

Right to object (Article 21): Individuals can object to processing based on legitimate interests. You must cease processing unless you have compelling legitimate grounds that override their interests.

How to Handle a DSAR

Step 1: Acknowledge receipt within 3 days.

Step 2: Verify the requester's identity (to prevent fraudulent requests).

Step 3: Search your data systems for information relating to that individual: your CRM, Kopimore's data export (contact their support), email systems, and any other tools that store individual-level data.

Step 4: Compile and deliver the data package within 30 days.

Opt-Outs Under CCPA

CCPA requires a "Do Not Sell My Personal Information" link if you sell personal data. If you use Kopimore for internal sales purposes only (not reselling data to third parties), you may not be a "data seller" under CCPA. Consult legal counsel on your specific situation. At minimum, include a contact address for privacy requests in your privacy policy.

Key Takeaways
  • GDPR DSARs must be responded to within 30 days — create a tracking system to ensure compliance
  • Verify requester identity before processing — fraudulent DSARs are a real risk
  • Your DSAR response must cover data in ALL systems: CRM, Kopimore export, email, and any other tools
  • CCPA opt-out requirements depend on whether you 'sell' data — consult counsel on your specific structure