Data Subject Rights Under US Privacy Laws
Data subject rights are the legally enforceable entitlements that individuals hold over the personal data collected, processed, or sold by organizations. Across the United States, these rights are defined by a patchwork of state-level statutes rather than a single federal framework, creating significant variation in scope, applicability, and enforcement mechanisms. For professionals evaluating data protection providers, and for organizations managing compliance obligations, understanding where specific rights apply — and to whom — is foundational to lawful data operations.
Definition and scope
A data subject right grants an individual the ability to take a defined legal action regarding personal information that an organization holds about them. These rights typically fall into five functional categories: the right to know (what data is collected), the right to access (obtain a copy), the right to deletion (erasure of qualifying data), the right to correct (rectify inaccurate data), and the right to opt out (of data sales or targeted advertising).
No single federal US statute creates a universal set of data subject rights applicable to all sectors and all individuals. Sector-specific federal laws establish narrower rights in defined domains: the Health Insurance Portability and Accountability Act (HIPAA, 45 CFR §164.524) grants patients a right of access to protected health information; the Fair Credit Reporting Act (FCRA, 15 U.S.C. §1681g) grants consumers rights over credit file disclosures; the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. §1232g) governs access to educational records.
At the state level, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) (California Civil Code §1798.100 et seq.), establishes the most comprehensive general-purpose data subject rights framework in the US. As of 2024, at least 20 states had enacted comprehensive consumer privacy legislation with substantively similar right structures (International Association of Privacy Professionals, US State Privacy Legislation Tracker).
How it works
The operational structure of data subject rights follows a defined request-and-response cycle, regardless of which statute governs:
- Submission — The data subject submits a verifiable consumer request through a designated channel (web form, toll-free number, or email address) established by the covered business.
- Verification — The organization authenticates the requestor's identity to a reasonable degree of certainty, using methods proportionate to the sensitivity of the data involved. The CCPA/CPRA requires businesses to avoid collecting additional personal information beyond what is necessary for verification (California Civil Code §1798.130(a)(7)).
- Processing — The covered entity searches its data systems, applies applicable exemptions (such as conflicting legal obligations or third-party data), and prepares a response.
- Response — Under CCPA/CPRA, businesses must respond within 45 days, extendable by an additional 45 days with notice. HIPAA requires covered entities to provide access within 30 days of a request, with one 30-day extension permitted (45 CFR §164.524(b)(2)).
- Appeal or complaint — If the request is denied, the individual may appeal internally (required under Virginia's Consumer Data Protection Act, Va. Code §59.1-578) or lodge a complaint with the relevant enforcement authority.
The California Privacy Protection Agency (CPPA) holds rulemaking and enforcement authority over CCPA/CPRA rights. For federal sector-specific rights, enforcement rests with the Federal Trade Commission (FTC), the Department of Health and Human Services Office for Civil Rights (HHS OCR), or the Consumer Financial Protection Bureau (CFPB), depending on the applicable statute.
Common scenarios
Four scenarios account for the majority of data subject rights requests in practice:
Access and portability requests arise most frequently in financial services and healthcare, where individuals seek copies of data held by insurers, lenders, or providers. Under FCRA, consumers are entitled to one free credit file disclosure every 12 months from each nationwide consumer reporting agency (FTC, Free Credit Reports).
Deletion requests are most common in retail, e-commerce, and advertising technology sectors. Businesses operating under CCPA/CPRA must honor deletion requests subject to enumerated exceptions, including data necessary to complete a transaction, detect security incidents, or comply with a legal obligation (California Civil Code §1798.105(d)).
Opt-out of sale or sharing requests are structurally distinct from deletion rights. Under CCPA/CPRA, a business that sells or shares personal information must provide a "Do Not Sell or Share My Personal Information" link, and must honor opt-out signals including Global Privacy Control (GPC) as a valid opt-out mechanism per CPPA regulations (11 CCR §7025).
Correction requests gained formal statutory footing under CPRA and have been adopted in the Colorado Privacy Act (C.R.S. §6-1-1306) and Connecticut Data Privacy Act among others. Correction rights do not require organizations to alter data where the requestor's version cannot be verified.
Decision boundaries
Determining whether a data subject right applies in a given situation requires resolving three threshold questions:
Covered entity status — Not all organizations are covered under all statutes. CCPA/CPRA applies to for-profit businesses meeting at least one of three thresholds: annual gross revenue exceeding $25 million, buying or selling personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling consumers' personal information (California Civil Code §1798.140(d)). Nonprofits and government entities are generally excluded from CCPA coverage.
Applicable exemptions — Data subject rights are not absolute. The CCPA/CPRA exempts data subject to HIPAA, FCRA, and FERPA from its own rights provisions where those federal statutes already govern. This avoids duplication but creates gaps where neither federal nor state law provides comprehensive coverage.
Jurisdiction of the data subject — Rights attach to residents of specific states. A deletion request from a Texas resident is evaluated under the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code §541), not CCPA. For organizations supporting multi-state compliance programs, the provides orientation on how coverage maps across jurisdictions.
Practitioners and researchers building compliance frameworks should consult the how to use this data protection resource page for structural guidance on navigating the sector-specific providers and regulatory reference materials available in this network.