Data Subject Rights Under US Privacy Laws

Data subject rights are the legally recognized entitlements that allow individuals to exercise control over personal information held by organizations. In the United States, these rights are distributed across a patchwork of sector-specific federal statutes and a growing body of state-level comprehensive privacy laws, rather than a single national framework. The absence of a unified federal standard means that the scope, enforceability, and operational procedures for these rights vary significantly depending on the industry, data type, and jurisdiction involved. Understanding how this fragmented structure operates is essential for compliance professionals, privacy officers, and researchers navigating the current US regulatory landscape.


Definition and scope

A data subject right is a statutory entitlement granted to an individual — the "data subject" — to take specific actions regarding personal information that a covered entity collects, processes, stores, or shares. These rights create corresponding obligations for organizations, requiring documented procedures for responding to requests within defined timeframes.

In the United States, no single omnibus privacy law defines a universal catalog of data subject rights comparable to the European Union's General Data Protection Regulation (GDPR). Instead, rights are granted through discrete instruments. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), establishes one of the broadest state-level right catalogs, covering California residents. At the federal level, sector-specific statutes such as HIPAA, FERPA, the Gramm-Leach-Bliley Act, and COPPA each define narrower, population-specific rights.

As of 2024, at least 19 states have enacted comprehensive consumer privacy legislation, according to the International Association of Privacy Professionals (IAPP). Each statute defines its own thresholds, exclusions, and right categories, creating a multi-layered compliance environment.


How it works

Data subject rights are exercised through a formal request mechanism. The standard operational sequence across most US privacy statutes follows this structure:

  1. Request submission — The individual submits a verifiable consumer request through a channel designated by the covered entity (web form, toll-free number, or email address).
  2. Identity verification — The organization verifies the requestor's identity before acting, so that a request cannot be used to obtain or delete someone else's data. Under the CPRA (California Civil Code §1798.130), verification methods must be reasonably calibrated to the sensitivity of the data and the risk of harm from an unauthorized disclosure or deletion.
  3. Request categorization — The organization determines which right is being invoked and whether the request falls within a statutory exemption.
  4. Response execution — The organization fulfills, partially fulfills, or denies the request with a written explanation within the applicable timeframe.
  5. Documentation — The transaction is logged for audit and regulatory review purposes.

The CPRA requires covered businesses to respond to most requests within 45 calendar days, with a single 45-day extension permitted when reasonably necessary. HIPAA's access right under 45 C.F.R. §164.524 sets a 30-day general timeframe for records held in designated record sets, extendable once by 30 days.

Among the principal categories of rights recognized across US statutes are access, deletion, and opt-out rights; the scenarios below illustrate each.


Common scenarios

Healthcare records requests under HIPAA — A patient requests a copy of their electronic health record from a hospital. The covered entity must provide access under 45 C.F.R. §164.524, and per the HHS Office for Civil Rights guidance, may charge only a reasonable cost-based fee. Denial is permitted in narrowly defined circumstances, such as when access could endanger the individual or another person.

CPRA deletion request from a California resident — A consumer submits a deletion request to a data broker. The data broker must delete the consumer's information and direct its service providers and contractors to do the same, unless a statutory exception applies. Separately, California law requires data brokers to register with the California Privacy Protection Agency (CPPA), which also holds enforcement authority under the CPRA.

FERPA access request from a student — A university student requests inspection of their education records. Under 20 U.S.C. §1232g (FERPA), the institution must provide access within 45 days. The rights belong to the parent until the student turns 18 or enrolls in a postsecondary institution, at which point they transfer to the student; the statute also excludes certain categories, such as records of a law enforcement unit, from the definition of education records.

Opt-out of targeted advertising under Virginia's CDPA — A Virginia resident exercises the opt-out right under the Consumer Data Protection Act (Va. Code Ann. §59.1-578) against a company engaged in targeted advertising. The company must cease processing the individual's data for that purpose and may not require the individual to create an account to submit the request.


Decision boundaries

Not all individuals qualify as data subjects under every statute, and not all organizations qualify as covered entities. Boundary conditions govern whether a right applies in a given situation.

Jurisdiction and residency thresholds — Most state comprehensive privacy laws apply only to residents of that state and only to businesses meeting defined size or data-volume thresholds. Virginia's CDPA, for example, applies to controllers that process the personal data of at least 100,000 Virginia consumers annually, or 25,000 consumers if the controller derives over 50% of gross revenue from the sale of personal data (Va. Code Ann. §59.1-572).

Federal preemption and sector carve-outs — HIPAA-covered entities are subject to the HIPAA access framework, which preempts contrary state law except where the state provision is more stringent (45 C.F.R. Part 160, Subpart B). The FTC Act, enforced by the Federal Trade Commission, does not explicitly enumerate data subject rights but shapes organizational obligations through its prohibition on unfair or deceptive practices.

Exemption categories — Each statute also enumerates exemptions that override a data subject's right to deletion, so a deletion request (as in the CPRA scenario above) may be lawfully denied in whole or in part when one applies; the denial must still be explained in writing within the statutory timeframe.

Contrast: GDPR vs. US State Law — The GDPR grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects (Article 22). In the United States, only a subset of state laws — including Colorado's Privacy Act (C.R.S. §6-1-1309) and Connecticut's Act Concerning Personal Data Privacy — include analogous protections against solely automated decisions. Federal statutes such as the Fair Credit Reporting Act (15 U.S.C. §1681) address specific decisions, such as credit determinations based on consumer reports, but do not establish a general right against profiling.

The penalties and enforcement landscape reinforces these boundaries: enforcement authority is fragmented across the Federal Trade Commission, state attorneys general, and specialized agencies such as the CPPA and HHS Office for Civil Rights, each with distinct penalty structures and procedural rules.

For organizations operating across multiple states, a side-by-side comparison of state data privacy laws is a necessary reference point for mapping which rights apply to which consumer populations and establishing compliant response workflows.
