A data subject request has a shot clock, and the buzzer is a compliance obligation in itself. Under GDPR you have one calendar month. Under the CCPA it is 45 days. Brazil's LGPD wants a first answer in 15. Miss the deadline, or take an extension without telling the person in time, and you have breached the law regardless of how good your eventual answer is. The tricky part is that every regime counts its clock differently: when it starts, whether identity verification pauses it, how long an extension buys you, and what you must say to claim one.
Here is the deadline for each major law and, more usefully, how the clock behaves. For the request-handling process itself, see DSAR handling for website owners.
The deadlines at a glance
| Law | Initial deadline | Extension |
|---|---|---|
| GDPR (EU/EEA) | 1 month | +2 months (complex or numerous) |
| UK GDPR | 1 month | +2 months (complex or numerous) |
| CCPA/CPRA (California) | 45 days | +45 days when reasonably necessary |
| Virginia (VCDPA) | 45 days | +45 days when reasonably necessary |
| Colorado (CPA) | 45 days | +45 days when reasonably necessary |
| Connecticut (CTDPA) | 45 days | +45 days when reasonably necessary |
| LGPD (Brazil) | 15 days (access, full copy) | Simplified confirmation is immediate |
| PIPEDA (Canada) | 30 days | Extendable in defined cases |
The numbers are only half the story. What trips organisations up is the mechanics behind each one.
GDPR and UK GDPR: one month, counted oddly
Article 12(3) requires a response "without undue delay and in any event within one month of receipt." The month is calendar-based, so it runs to the corresponding date in the next month (a request on 3 March is due by 3 April). If there is no corresponding date, you get the last day of the next month. If the deadline lands on a weekend or public holiday, you have until the next working day.
You can extend by up to two further months where the request is complex or you have received several from the same person, but you must tell them about the extension, and why, within the original month. Silence is not an extension. The UK ICO's guidance is the clearest walk-through of the counting, and the EU regime works the same way. See also PECR and UK cookie law after Brexit for where the UK diverges elsewhere.
California and the other US state laws: 45 days, plus 45
The CCPA gives you 45 days from receipt to respond, with one 45-day extension when reasonably necessary, provided you notify the consumer within the first 45 days. You must confirm receipt within 10 business days and describe how you will process the request. Virginia, Colorado, and Connecticut all copied the 45+45 structure almost word for word.
Two US-specific timelines sit outside the main clock and are easy to miss:
- Opt-out of sale or sharing: a different, shorter deadline. You must act as soon as feasible and no later than 15 business days. See processing opt-out requests.
- Appeals: the state opt-out laws require an internal appeal process. Colorado gives you 45 days to answer an appeal (extendable by 60); Virginia gives you 60 days.
For the full state-by-state map, see the US state privacy laws guide.
Brazil, Canada, and the shorter clocks
LGPD (Brazil). Article 19 is stricter than most on access. On request, a controller must confirm whether it processes someone's data and provide access either immediately in a simplified format, or within 15 days via a clear and complete declaration. That 15-day figure catches teams used to the 30-to-45-day norm elsewhere. See the LGPD compliance guide.
PIPEDA (Canada). An organisation must respond to an access request within 30 days of receiving it. You can extend in specific situations (for example, meeting the deadline would unreasonably interfere with your activities, or you need time to consult), but you have to notify the individual of the extension, its length, and their right to complain to the Privacy Commissioner. See PIPEDA and cookie consent and, for Quebec's stricter Law 25, the Quebec Law 25 guide.
When does the clock actually start?
This is where good intentions go wrong. The deadline runs from receipt, through any channel. A request does not have to say "DSAR", quote an article, or arrive on your form. "Send me everything you have on me" in a support chat starts the clock the moment it lands, even if the person who reads it does not recognise it. That is why routing matters: the fastest way to blow a deadline is to leave a request sitting in a sales inbox for three weeks.
Identity verification does not reset the clock, but it can pause the practical start. Under GDPR, if you have reasonable doubts about who the requester is, you can ask for information to confirm identity, and the response time effectively begins once you have what you reasonably need. You cannot weaponise this: ask only for what is proportionate, and ask promptly. See verifying a data subject's identity.
Extensions are a notification obligation, not a grace period
Under every regime that allows one, an extension only exists if you tell the person you are taking it, before the original deadline expires, and explain why. Take the extra time silently and you have simply missed the deadline. Build the extension notice into your template so it goes out automatically when a request is flagged complex, rather than being remembered on day 29.
What happens if you miss it
A missed deadline is a standalone breach of the data subject rights provisions, separate from whatever the request was about. It gives the individual grounds to complain to a supervisory authority, and regulators treat chronic lateness as evidence of a broken process rather than a one-off slip. Under GDPR, infringements of data subject rights sit in the higher fining tier (up to 20 million euro or 4 percent of global annual turnover), and while a single late response is unlikely to draw a headline fine, a pattern of them is exactly what an investigation surfaces. The practical damage is usually the complaint, the audit it triggers, and the scrutiny of everything else you do.
Make the deadline visible
The single biggest cause of missed deadlines is that nobody could see the clock. Requests scatter across inboxes and no one owns the due date. CookieBeam's privacy portal logs each request with a submission timestamp and a status, so the countdown is attached to the request from the moment it arrives rather than reconstructed later. Pair that with a named owner and a template that includes the extension notice, and the deadline becomes a routine field rather than a scramble. The privacy request intake form guide covers how to capture requests cleanly so the clock starts on time.
Deadline discipline checklist
- Log every request with a receipt timestamp: the clock starts on receipt through any channel, not when you file it.
- Record the applicable law and its deadline per request: GDPR is one month; most US states are 45 days; LGPD access is 15.
- Acknowledge quickly, especially under CCPA: California expects confirmation of receipt within 10 business days.
- Send any extension notice before the original deadline: an unannounced extension is just a missed deadline.
- Treat opt-out requests on their own shorter clock: US opt-out of sale or sharing is 15 business days, not 45 days.
- Verify identity promptly and proportionately: do not use verification as a stalling tactic to run down the clock.
One process, many clocks
You do not need a separate workflow per law. You need one intake that captures the receipt date and the applicable jurisdiction, then applies the right deadline automatically. Build that once and every future request inherits the correct clock. Start with the intake form guide.
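As an added example (not CookieBeam's code), here is a Python deadline calculator that implements the GDPR month counting described earlier (corresponding date, last day of the month when none exists, roll to the next working day) and the single-intake dispatch this section calls for, including the rule that an extension only exists if its notice went out by the original deadline. The jurisdiction tags, the holiday set, counting the GDPR extension as three months from receipt, and treating the 45/30/15-day regimes as plain calendar days are my assumptions, not statements from the page.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional
def add_calendar_months(start: date, months: int) -> date:
    """Corresponding date N months on; if it does not exist, the last day of that month."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))

def next_working_day(d: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """A deadline on a Saturday, Sunday or listed public holiday rolls to the next working day."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d

def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """n business days after start (CCPA's 10-day acknowledgement, the 15-day opt-out clock)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        n -= int(d.weekday() < 5 and d not in holidays)  # only weekdays off the holiday list count
    return d

@dataclass(frozen=True)
class Deadlines:
    respond_by: date                # original deadline; any extension notice must go out by this date
    extended_by: Optional[date]     # latest response date if an extension is properly claimed
    acknowledge_by: Optional[date]  # CCPA only: confirm receipt within 10 business days
def deadlines(law: str, received: date, holidays: FrozenSet[date] = frozenset()) -> Deadlines:
    """One intake, many clocks. Jurisdiction tags are my own. Assumptions: the GDPR extension is
    three months from receipt; the day-based regimes are plain calendar days with no roll."""
    if law in ("GDPR", "UK_GDPR"):
        return Deadlines(next_working_day(add_calendar_months(received, 1), holidays),
                         next_working_day(add_calendar_months(received, 3), holidays), None)
    if law in ("CCPA", "VCDPA", "CPA", "CTDPA"):
        return Deadlines(received + timedelta(days=45), received + timedelta(days=90),
                         add_business_days(received, 10, holidays) if law == "CCPA" else None)
    if law == "LGPD_ACCESS":
        return Deadlines(received + timedelta(days=15), None, None)
    if law == "PIPEDA":  # extension only in defined cases, so none is precomputed here
        return Deadlines(received + timedelta(days=30), None, None)
    raise ValueError(f"unknown jurisdiction tag {law!r}")
def on_time(dl: Deadlines, responded_on: date, extension_notice_on: Optional[date] = None) -> bool:
    """An extension exists only if its notice went out by the original deadline; silence is a miss."""
    if responded_on <= dl.respond_by:
        return True
    notified = extension_notice_on is not None and extension_notice_on <= dl.respond_by
    return notified and dl.extended_by is not None and responded_on <= dl.extended_by
```

Feed it the receipt date and jurisdiction captured at intake and store the returned dates on the request record, so the countdown and the extension-notice cut-off are fixed the moment the request lands.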