
User data export: do's and don'ts

Updated 2026-05-07

User data export is one of the most-tested compliance features in B2C audits. Getting it right requires UX (self-service), correctness (everything the user is owed), and security (verified identity, no cross-user leak).

For broader GDPR context, see the GDPR and CIAM guide.

Do

  • Ship self-service data export from the user account UI

    GDPR Article 15 (right of access) and Article 20 (right of data portability) require providing the user's data on request. A self-service download button satisfies both without a support ticket.

    GDPR explicitly recognizes self-service mechanisms as compliant; modern B2C CIAM platforms (Auth0, Stytch, MojoAuth, Rownd, SAP CDC) ship a 'download my data' button as standard.

  • Export in machine-readable format (JSON or CSV)

    Article 20 specifies the data must be structured and machine-readable to enable transfer to another controller. JSON or CSV satisfies this; PDF does not.

    Article 20 text: 'a structured, commonly used and machine-readable format.' Major CIAM exports default to JSON.

  • Include all relevant categories of personal data

    The export should cover everything you hold on the user, not just the immediately visible profile: auth event history, consent records, preferences, and third-party connections.

    EDPB guidance on Article 15 specifies the controller must provide all personal data being processed. Selective exports that omit auth history or audit data invite regulatory complaint.

  • Verify identity before fulfilling the export request

    Export requests are themselves an attack vector: an attacker who triggers an unverified export of someone else's data has compromised the user without taking over the account.

    Standard GDPR compliance practice: verify identity (current session, MFA challenge, or out-of-band confirmation) before fulfilling any subject-rights request.

Don't

  • Don't include other users' data in the export

    If a user requests their data and the export contains data about other users (cross-tenant references, shared resources), you've leaked third-party PII.

    EDPB guidance specifies that subject access rights apply to the requestor's data only. Production export logic should explicitly filter cross-tenant or shared-resource data.

  • Don't charge for routine subject-rights requests

    GDPR Article 15(3) explicitly forbids charging for the first copy of subject access requests except for manifestly unfounded or excessive requests.

    Article 15(3) specifies the controller may charge a reasonable fee for further copies but not for the first. Charging by default is a compliance violation.

  • Don't take longer than 30 days for subject-rights fulfillment

    Article 12(3) requires response within one month. Self-service exports complete in seconds; manual processes that exceed 30 days are non-compliant.

    Article 12 text. EU supervisory authorities have fined controllers for slow subject-rights response.

  • Don't email the export as an attachment

    Email is not secure for personal data. The export should be downloadable from the authenticated user account, with optional encrypted-link delivery if email is required.

    EDPB guidance on data minimization and confidentiality of subject-rights responses. Modern CIAM platforms expose self-service download in-product rather than email-attachment delivery.
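
The "verify identity" and "don't include other users' data" items above, combined in one export builder. This is an added example, not code from any CIAM product named on this page; the store layout, field names, `ExportDenied`, and the 5-minute MFA freshness window are assumptions chosen for illustration.

```python
import json
import time

STEP_UP_MAX_AGE = 300  # assumed policy: MFA challenge at most 5 minutes old

# Constructed sample data; category and field names are hypothetical.
STORE = {
    "profile": [{"user_id": "u1", "email": "ana@example.test"},
                {"user_id": "u2", "email": "bo@example.test"}],
    "auth_events": [{"user_id": "u1", "event": "login", "ip": "192.0.2.10"},
                    {"user_id": "u2", "event": "login", "ip": "192.0.2.44"}],
    "consent_records": [{"user_id": "u1", "purpose": "marketing", "granted": False}],
    "preferences": [{"user_id": "u1", "locale": "en-GB"}],
    "third_party_connections": [{"user_id": "u2", "provider": "github"}],
    # Shared resource: one row references more than one user.
    "shared_documents": [{"doc_id": "d1", "title": "Plan", "owner_id": "u1",
                          "collaborator_ids": ["u2"]}],
}

class ExportDenied(Exception):
    """Raised when the requester is not a verified data subject."""

def verify_requester(session, subject_id, now=None):
    now = time.time() if now is None else now
    # The session must belong to the subject; an ID in the request is not proof.
    if session.get("user_id") != subject_id:
        raise ExportDenied("session does not belong to the data subject")
    mfa_at = session.get("mfa_verified_at")
    if mfa_at is None or now - mfa_at > STEP_UP_MAX_AGE:
        raise ExportDenied("recent MFA challenge required")

def own_view(doc, subject_id):
    # Keep the subject's relation to the document, drop other users' identifiers.
    role = "owner" if doc["owner_id"] == subject_id else "collaborator"
    return {"doc_id": doc["doc_id"], "title": doc["title"], "role": role}

def build_export(session, subject_id, now=None):
    verify_requester(session, subject_id, now)
    data = {}
    for category, rows in STORE.items():
        if category == "shared_documents":
            data[category] = [own_view(d, subject_id) for d in rows
                              if subject_id == d["owner_id"]
                              or subject_id in d["collaborator_ids"]]
        else:
            data[category] = [r for r in rows if r["user_id"] == subject_id]
    # Every category appears, even when empty, so omissions are visible.
    return json.dumps({"subject": subject_id, "data": data}, indent=2)
```

The subject ID is checked against the authenticated session rather than trusted from the request, and shared rows are projected to the requester's own role so the other party's identifiers never reach the file.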
