Under most US state privacy laws, consumers have the right to know what data you hold, access it, delete it, correct it, and opt out of certain uses. Here is what you need to have in place to honor those rights legally — and on time.

The Rights Landscape

Not all states have identical rights frameworks, but there is significant overlap. A process that handles the most common rights will cover most of your exposure.

Setting Up a Request Process

You need two things: a way to receive requests, and a way to respond to them.

Intake method

Provide at least one of the following: a designated email address (e.g., [email protected]), a web form on your website, or a toll-free number. The method must be reasonably accessible. If you only serve digital customers, email or a web form is sufficient.

Identity verification

You need to verify that the person making the request is who they say they are before handing over or deleting data. For most businesses, asking the requestor to confirm from the email address on file — or answer a simple verification question — is sufficient. Do not ask for more information than you need to verify identity.

Response timeline

Most state laws require a substantive response within 45 days. You can extend by another 45 days if needed, but you must notify the consumer of the extension within the original 45-day window. California allows up to 90 days total for complex requests.

Documentation

Keep records of every rights request you receive, how you responded, and when. If a regulator ever asks, you need to show a trail. A simple log — even a spreadsheet — is sufficient to start.

Deletion Requests — The Exceptions

You do not have to delete everything on request. You can retain data when it is necessary to:

If you deny a deletion request, tell the consumer why — and tell them they have the right to appeal your decision.

The Appeal Process

Several states — Virginia, Colorado, Connecticut, and others — require you to have a process for consumers to appeal a denied request. The appeal process must be conspicuous, easy to use, and completed within a reasonable timeframe (typically 60 days). If you deny the appeal, you must provide a way for the consumer to contact the relevant state authority.

Opt-Out of Sale and Sharing

If your business sells personal data or shares it for targeted advertising, you must provide a clear and conspicuous way for consumers to opt out. California and Texas specifically require a "Do Not Sell or Share My Personal Information" link on your website's homepage. Other states have similar requirements worded differently — but the substance is the same.

Practical minimum: A designated privacy inbox ([email protected]), a one-page internal procedure for handling requests, and a simple log to track them. That is a compliant starting point for most SMBs.

Need help building a consumer rights process?

We design intake workflows, verification procedures, and response templates that actually work.
