Time Limits for Responding to Privacy Requests

The time limit for responding to privacy requests varies by request type and by jurisdiction, so keeping track of it all can be a bit confusing. On top of that, some jurisdictions require businesses to offer an appeal process to consumers whose requests were denied, and those appeals also must be completed within a certain amount of time.

To help keep it straight, we’ve provided the quick reference chart below, which covers U.S. privacy laws along with PIPEDA (Canada) and the GDPR (EU).

Note: In many instances, there will be two numbers (e.g., “45 days + 45 days”). This is because some privacy laws allow businesses a one-time extension on the timeframe if they are unable to complete the request on time. So in this example, the business should complete the request within 45 days, but it may extend for another 45 days if necessary. However, the business must notify the consumer of the extension within the original time period, and explain the reason for the delay.