Create a formal Data Access Request (Right to Know request) under the CCPA/CPRA (Cal. Civ. Code §1798.110), Virginia CDPA, Colorado CPA, Connecticut DPA, and other state privacy laws. Request the specific pieces of personal information a business has collected, the sources, the business purpose, and third-party disclosures.
What Is a Data Access Request?
A Data Access Request, also known as a Right to Know request or consumer data request, is a formal written request by an individual (consumer or data subject) to a business or organization demanding disclosure of the personal information that the business has collected about them. The request may also seek supplementary information about the categories of data collected, the sources, the business purposes for collection, and the third parties with whom the data has been shared.
In the United States, the right to access personal data is established by a growing framework of state privacy laws. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code §1798.100 et seq.), was the first comprehensive state privacy law and remains the most detailed. Under Cal. Civ. Code §1798.110, California consumers may request that a business disclose the categories of personal information collected, the categories of sources, the business purpose for collecting, the categories of third parties to whom data was disclosed, and the specific pieces of personal information collected.
Virginia's Consumer Data Protection Act (VCDPA, Va. Code §59.1-577), Colorado's Privacy Act (CPA, C.R.S. §6-1-1303), Connecticut's Data Privacy Act (CTDPA, Conn. Gen. Stat. §42-520), and numerous other state laws enacted since 2023 provide similar consumer rights of access to personal data. While each law differs in its specifics, the core right of consumers to know what personal information has been collected about them is consistent across all comprehensive state privacy laws.
In the healthcare context, the HIPAA Privacy Rule (45 CFR §164.524) provides a separate right of access to protected health information maintained by covered entities and business associates.
When Do You Need a Data Access Request?
A Data Access Request is needed whenever an individual wants to know what personal information a business or organization has collected about them. Common situations include employees or former employees requesting access to their personnel records and personal data held by their employer; consumers requesting access to the purchasing, browsing, and behavioral data collected by online retailers, social media platforms, or data brokers; individuals investigating potential identity theft or data breaches; individuals who wish to exercise their right to deletion or correction and need to first understand the scope of data held; and attorneys or advocates preparing for litigation or regulatory complaints.
Under the CCPA/CPRA, the right to know applies to businesses that meet the Act's threshold requirements, including businesses with annual gross revenue exceeding $25 million, businesses that annually buy, sell, or share the personal information of 100,000 or more consumers, and businesses that derive 50 percent or more of their annual revenue from selling or sharing consumers' personal information. Under other state privacy laws, the thresholds vary.
The request should be submitted as early as possible because response deadlines run from the date of receipt. Under the CCPA/CPRA, the business must respond within 45 calendar days with one possible 45-day extension. Under the VCDPA, CPA, and CTDPA, the response deadline is also 45 days with one possible 45-day extension.
What to Include in Your Data Access Request
A comprehensive Data Access Request should include several essential elements to comply with applicable state privacy laws and maximize the likelihood of a complete response.
The requester's identifying information must be provided, including full name, address, state of residence, and email address. The state of residence is important because different state laws provide different rights. Account numbers, customer IDs, or other reference information held by the business should be included to help the business locate the requester's data.
The legal basis section should identify the specific state privacy law under which the request is made. For California residents, this is the CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.); for Virginia residents, the VCDPA; for Colorado residents, the CPA. The request should invoke both the right to know the specific pieces of personal information and the right to know the categories, sources, purposes, and third-party disclosures.
The scope of the request should specify whether the requester is seeking all personal information or limiting the request to specific categories or time periods. The preferred response format should be stated, noting that the CCPA/CPRA requires delivery in a portable and readily usable format when provided electronically.
The response deadline section should cite the applicable statutory response period and the extension provisions. The request should note that no fee may be charged unless the request is manifestly unfounded, excessive, or repetitive. Finally, the requester should state their willingness to provide identity verification while noting that the business should not require disproportionate proof of identity.