DSAR Response Deadlines: What You Need to Know
A concise reference for DSAR response deadlines across major privacy regulations, including extensions and what happens when you miss them.
Last updated: 2026-02-07
Deadlines Are the Compliance Metric That Matters Most
Of all the ways a DSAR response can go wrong, missing the deadline is the most visible to regulators. A late response — even if the content is complete and accurate — is still a compliance failure, and it is the easiest one for a regulator to verify.
For organizations managing privacy obligations across multiple jurisdictions, the challenge is that deadlines are not uniform. The clock starts ticking at different points, extension rules differ, and the consequences of a miss vary by regulation.
Here is the essential reference:
- EU GDPR / UK GDPR — 30 calendar days from receipt, extendable by up to 60 additional days for complex or high-volume requests (90 days total)
- CCPA / CPRA (California) — 45 calendar days from receipt, extendable by an additional 45 days with notice to the consumer (90 days total)
- PIPEDA (Canada) — 30 days from receipt, with limited extension provisions
- US state laws (Virginia, Colorado, Connecticut, etc.) — generally 45 days, extendable by 45 days
A few critical points to keep in mind: the deadline clock starts when you receive the request, not when you verify identity. Extensions require proactive notification to the requester. And "we were busy" is never a valid justification for delay.
For the complete deadline reference — including when the clock starts, how to properly invoke extensions, what happens when deadlines fall on weekends, and the real-world consequences of missing them — visit boringdsar.com.
Stay Ahead of Every Deadline
Our DSAR Compliance Guide includes timeline tracking frameworks, extension notification templates, and jurisdiction-specific checklists to help you meet every deadline with confidence.