Data Access Request
CCPA/CPRA Right to Know — State Privacy Laws
[Requester Name]
[Requester Address]
Email: [Requester Email]
Tel: [Requester Phone]
Date: [Request Date]
[Business Department]
[Business Name]
[Business Address]
Dear Sir or Madam,
I am writing to exercise my right to access my personal information pursuant to applicable state privacy law. I am a resident of the State of [Requester State].
My name is [Requester Name] and I can be contacted at the address and email address stated above. To assist you in locating my personal information, my account or reference details are: [Identity Reference].
1. LEGAL BASIS
1.1 This request is made pursuant to the following applicable laws:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), Cal. Civ. Code §1798.100 et seq.: California residents have the right to know what personal information a business has collected, the categories of sources, the business purpose for collecting, and the categories of third parties with whom the information was shared.
- Virginia Consumer Data Protection Act (VCDPA), Va. Code §59.1-577: Virginia residents have the right to confirm whether a controller is processing their personal data and to access that data.
- Colorado Privacy Act (CPA), C.R.S. §6-1-1303: Colorado residents have the right to confirm whether a controller is processing their personal data and to access that data.
- Connecticut Data Privacy Act (CTDPA), Conn. Gen. Stat. §42-520: Connecticut residents have the right to confirm processing and access their personal data.
- Any other applicable state privacy law providing a right of access to personal information.
1.2 If I am a California resident, this request is also made under the CCPA/CPRA right to know the specific pieces of personal information collected (Cal. Civ. Code §1798.110).
2. PERSONAL INFORMATION REQUESTED
2.1 I request access to [Data Scope].
2.2 [Data Scope Detail]
2.3 In addition, I request the following supplementary information as required by applicable state privacy law:
- The categories of personal information collected about me.
- The categories of sources from which the personal information was collected.
- The business or commercial purpose for collecting or selling my personal information.
- The categories of third parties with whom my personal information has been shared, sold, or disclosed for a business purpose.
- The specific pieces of personal information the business has collected about me.
3. PREFERRED FORMAT
3.1 I request that the information be provided in [Response Format].
3.2 Under the CCPA/CPRA (Cal. Civ. Code §1798.130(a)(2)), the business must deliver the information by mail or electronically, and if provided electronically, the information must be in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit it to another entity without hindrance.
4. RESPONSE DEADLINE AND YOUR OBLIGATIONS
4.1 Under the CCPA/CPRA (Cal. Civ. Code §1798.130(a)(2)), you must respond to this verifiable consumer request within 45 calendar days of receipt. You may extend the response period by an additional 45 calendar days where reasonably necessary, provided you notify me of the extension within the first 45 days. Under the VCDPA, CPA, and CTDPA, you must respond within 45 days with one possible 45-day extension.
4.2 If you decline to take action on this request, you must inform me of the reasons and of my right to appeal and file a complaint with the applicable state attorney general.
4.3 You may not charge a fee for responding to this request unless the request is manifestly unfounded, excessive, or repetitive, as provided by applicable law.
4.4 If you require verification of my identity before responding, please contact me and I will provide reasonable verification. You should not require disproportionate or unnecessary proof of identity.
I look forward to receiving your response within the statutory time limit.
Sincerely,
[Requester Name]
[Requester Address]
Email: [Requester Email]
Consumer / Data Subject
________________
Signature
Date: ________________
What Is a Data Access Request?
A Data Access Request in the United States puts a formal request before the recipient and sets out the grounds supporting it.
In the United States, the right to access personal data is established by a growing framework of state privacy laws. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code §1798.100 et seq.), was the first complete state privacy law and remains the most detailed. Under Cal. Civ. Code §1798.110, California consumers may request that a business disclose the categories of personal information collected, the categories of sources, the business purpose for collecting, the categories of third parties to whom data was disclosed, and the specific pieces of personal information collected.
Virginia's Consumer Data Protection Act (VCDPA, Va. Code §59.1-577), Colorado's Privacy Act (CPA, C.R.S. §6-1-1303), Connecticut's Data Privacy Act (CTDPA, Conn. Gen. Stat. §42-520), and numerous other state laws enacted since 2023 provide similar consumer rights of access to personal data. While each law differs in its specifics, the core right of consumers to know what personal information has been collected about them is consistent across all complete state privacy laws.
In the healthcare context, the HIPAA Privacy Rule (45 CFR §164.524) provides a separate right of access to protected health information maintained by covered entities and business associates.
When Do You Need a Data Access Request?
A Data Access Request is needed whenever an individual wants to know what personal information a business or organization has collected about them. Common situations include employees or former employees requesting access to their personnel records and personal data held by their employer; consumers requesting access to the purchasing, browsing, and behavioral data collected by online retailers, social media platforms, or data brokers; individuals investigating potential identity theft or data breaches; individuals who wish to exercise their right to deletion or correction and need to first understand the scope of data held; and attorneys or advocates preparing for litigation or regulatory complaints.
Under the CCPA/CPRA, the right to know applies to businesses that meet the Act's threshold requirements, including businesses with annual gross revenue exceeding $25 million, businesses that annually buy, sell, or share the personal information of 100,000 or more consumers, and businesses that derive 50 percent or more of their annual revenue from selling or sharing consumers' personal information. Under other state privacy laws, the thresholds vary.
The request should be submitted as early as possible because response deadlines run from the date of receipt. Under the CCPA/CPRA, the business must respond within 45 calendar days with one possible 45-day extension. Under the VCDPA, CPA, and CTDPA, the response deadline is also 45 days with one possible 45-day extension.
What to Include in Your Data Access Request
A complete Data Access Request should include several essential elements to comply with applicable state privacy laws and maximize the likelihood of a complete response.
The requester's identifying information must be provided, including full name, address, state of residence, and email address. The state of residence is important because different state laws provide different rights. Account numbers, customer IDs, or other reference information held by the business should be included to help the business locate the requester's data.
The legal basis section should identify the specific state privacy law under which the request is made. For California residents, this is the CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.). For Virginia residents, the VCDPA. For Colorado residents, the CPA. The request should invoke both the right to know the specific pieces of personal information and the right to know the categories, sources, purposes, and third-party disclosures.
The scope of the request should specify whether the requester is seeking all personal information or limiting the request to specific categories or time periods. The preferred response format should be stated, noting that the CCPA/CPRA requires delivery in a portable and readily usable format when provided electronically.
The response deadline section should cite the applicable statutory response period and the extension provisions. The request should note that no fee may be charged unless the request is manifestly unfounded, excessive, or repetitive. Finally, the requester should state their willingness to provide identity verification while noting that the business should not require disproportionate proof of identity.
Sources & Citations
Statutory citations link to official government sources.
- 45 CFR §164.524US – eCFR
- HIPAAUS – Cornell LII
- California Consumer Privacy ActCA (US) official
- Cal. Civ. Code §1798.100CA (US) official
- Cal. Civ. Code §1798.110CA (US) official
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Access Request (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/personal/letters/data-access-request
"Data Access Request (United States)." Forms Legal, 2026, https://forms-legal.com/usa/personal/letters/data-access-request.
@misc{formslegal-data-access-request,
author = {{Forms Legal}},
title = {Data Access Request (United States)},
year = {2026},
howpublished = {\url{https://forms-legal.com/usa/personal/letters/data-access-request}},
note = {Free legal document template. Based on Restatement (Second) of Contracts}
}Also available for these jurisdictions:
Frequently Asked Questions
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA, Cal. Civ. Code §1798.100 et seq.), California residents have the right to know what personal information a business has collected about them. Specifically, under Cal. Civ. Code §1798.110, consumers may request that a business disclose: the categories of personal information it has collected; the categories of sources from which the information was collected; the business or commercial purpose for collecting, selling, or sharing the information; the categories of third parties with whom the information was shared; and the specific pieces of personal information collected about the consumer. The business must respond within 45 calendar days of receiving a verifiable consumer request. The business may not charge a fee for processing the request unless it is manifestly unfounded, excessive, or repetitive.
As of 2025, several U.S. states have enacted complete consumer privacy laws that include a right of access to personal data. California's CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.) was the first and remains the most complete. Virginia's Consumer Data Protection Act (VCDPA, Va. Code §59.1-577) grants consumers the right to confirm processing and access their personal data. Colorado's Privacy Act (CPA, C.R.S. §6-1-1303), Connecticut's Data Privacy Act (CTDPA, Conn. Gen. Stat. §42-520), and Utah's Consumer Privacy Act (UCPA, Utah Code §13-61) also provide access rights. Additional states including Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Indiana, Tennessee, and Delaware have enacted similar laws. Most of these laws require businesses to respond to access requests within 45 days.
Under the CCPA/CPRA regulations (11 CCR §7062), a business must establish a reasonable method for verifying the identity of the consumer making the request. The verification process must be proportionate to the sensitivity of the data and the risk of harm from unauthorized disclosure. For requests for specific pieces of personal information, the business must verify the consumer's identity to a reasonably high degree of certainty, which may require matching at least three pieces of personal information maintained by the business. For requests for categories of information, the business must verify identity to a reasonable degree of certainty, which may require matching at least two pieces of information. Businesses should not require consumers to provide personal information beyond what is necessary for verification.
Yes. Under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR §164.524), individuals have the right to access and obtain a copy of their protected health information (PHI) maintained by HIPAA-covered entities and their business associates. The covered entity must provide access within 30 days of the request, with one possible 30-day extension. The covered entity may charge a reasonable, cost-based fee for providing copies. The right of access under HIPAA is separate from and in addition to the consumer data access rights provided by state privacy laws such as the CCPA/CPRA. However, the CCPA/CPRA generally exempts personal information that is subject to HIPAA from its scope.
A Data Access Request does not legally require a lawyer in United States, and individuals and businesses may draft and execute the document independently. The Restatement (Second) of Contracts does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified United States lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The United States District Court has jurisdiction over disputes arising from this type of document, and Securities and Exchange Commission (SEC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Privacy Policy
Running a website or app that collects any user data — even just an email for a newsletter? You legally need a Privacy Policy. It's not optional; regulations like GDPR and CCPA require you to tell users what data you collect, why you collect it, and how you protect it. Without one, you risk fines and lost trust. Our free template helps you cover data collection practices, cookie usage, third-party sharing, user rights, and contact information. Fill in the details, preview your policy, and download it as PDF or Word — no account needed.
Cease and Desist Letter
Someone copying your work? Using your trademark without permission? Harassing you or spreading false information? A Cease and Desist Letter is often the first step to making it stop — without hiring a lawyer or going to court. It formally puts the offending party on notice that their behavior is illegal and demands they stop immediately, or face legal consequences. Think of it as a serious warning shot. Our free template helps you draft a clear, firm letter covering the violation, the demand to stop, a deadline for compliance, and consequences of ignoring it. Download as PDF or Word.