Exported data uses standard, non-proprietary format with documented schema

Why it matters

GDPR Art. 20(1) specifies that data portability must deliver data in a structured, commonly used, and machine-readable format. CCPA §1798.110(d) requires that exports be provided in a format that allows transmission to another entity. A proprietary binary export, a JSON file with cryptic abbreviated field names, or an unversioned blob does not satisfy either requirement — users cannot interpret it, import it into another tool, or verify its completeness. This is a gap regulators check explicitly: if your export requires technical assistance to parse, it fails the portability standard. Beyond compliance, a well-structured export is also a trust signal that you built the product to serve users, not trap them.

Remediation

Structure all data exports as self-documenting JSON with a _meta block, full descriptive field names, and a format version number.

{
  "_meta": {
    "exportedAt": "2026-04-18T10:00:00Z",
    "formatVersion": "1.0",
    "schemaUrl": "https://example.com/docs/data-export-schema",
    "description": "Personal data export. All timestamps are UTC ISO 8601."
  },
  "profile": {
    "id": "usr_abc123",
    "email": "user@example.com",
    "displayName": "Alice",
    "createdAt": "2025-01-15T08:30:00Z"
  },
  "activityHistory": [
    { "eventType": "page_view", "path": "/dashboard", "occurredAt": "2026-02-20T14:22:00Z" }
  ],
  "purchases": [
    { "orderId": "ord_xyz", "amount": 2900, "currency": "usd", "createdAt": "2026-01-10T09:00:00Z" }
  ]
}

Use full descriptive field names — never abbreviations like ts, uid, or amt. Publish schema documentation at the schemaUrl and update it with the format version when the export structure changes.

Detection

ID: data-protection.user-rights-access.export-format-standard
Severity: low
What to look for: Enumerate every relevant item. If a data export feature exists, inspect the format of the exported file. Is it JSON, CSV, or another standard format? Is there documentation or a README embedded in the export explaining the schema (field names, data types, relationships between records)? Is the format stable enough that a user could import it into a spreadsheet or third-party tool without custom parsing? Check whether the export is a flat file (easier to import) or deeply nested (harder to work with). Check whether the exported file includes a format version so it can be interpreted correctly if the schema changes in the future.
Pass criteria: At least 1 of the following conditions is met. Exported data is in JSON or CSV format. A schema description is included (either embedded in the JSON as a _schema key or in a separate README inside a ZIP). The format is stable and documented enough for a user to understand their data without technical assistance.
Fail criteria: Export format is proprietary, binary, or undocumented. No schema information is provided. The export requires a specific application to parse.
Skip (N/A) when: Data export feature does not exist (in which case the previous check already flags this as a failure).
Detail on fail: Example: "Data export downloads a binary .dat file with no schema documentation." or "JSON export exists but field names are abbreviated without documentation (e.g., 'ts' for timestamp, 'uid' for userId).".

Remediation: Structure the JSON export with self-documenting field names and include a schema block:

{
  "_meta": {
    "exportedAt": "2026-02-21T10:00:00Z",
    "formatVersion": "1.0",
    "schemaUrl": "https://example.com/docs/data-export-schema",
    "description": "Personal data export. All timestamps are UTC ISO 8601."
  },
  "profile": {
    "id": "usr_abc123",
    "email": "user@example.com",
    "displayName": "Alice",
    "createdAt": "2025-01-15T08:30:00Z"
  },
  "activityHistory": [
    { "eventType": "page_view", "path": "/dashboard", "occurredAt": "2026-02-20T14:22:00Z" }
  ],
  "purchases": [
    { "orderId": "ord_xyz", "amount": 2900, "currency": "usd", "createdAt": "2026-01-10T09:00:00Z" }
  ]
}

Use full, descriptive field names (not abbreviations). Include a _meta block with export date, format version, and a link to schema documentation.

Why it matters

Remediation

Structure all data exports as self-documenting JSON with a _meta block, full descriptive field names, and a format version number.

{
  "_meta": {
    "exportedAt": "2026-04-18T10:00:00Z",
    "formatVersion": "1.0",
    "schemaUrl": "https://example.com/docs/data-export-schema",
    "description": "Personal data export. All timestamps are UTC ISO 8601."
  },
  "profile": {
    "id": "usr_abc123",
    "email": "user@example.com",
    "displayName": "Alice",
    "createdAt": "2025-01-15T08:30:00Z"
  },
  "activityHistory": [
    { "eventType": "page_view", "path": "/dashboard", "occurredAt": "2026-02-20T14:22:00Z" }
  ],
  "purchases": [
    { "orderId": "ord_xyz", "amount": 2900, "currency": "usd", "createdAt": "2026-01-10T09:00:00Z" }
  ]
}

Detection

ID: data-protection.user-rights-access.export-format-standard
Severity: low
What to look for: Enumerate every relevant item. If a data export feature exists, inspect the format of the exported file. Is it JSON, CSV, or another standard format? Is there documentation or a README embedded in the export explaining the schema (field names, data types, relationships between records)? Is the format stable enough that a user could import it into a spreadsheet or third-party tool without custom parsing? Check whether the export is a flat file (easier to import) or deeply nested (harder to work with). Check whether the exported file includes a format version so it can be interpreted correctly if the schema changes in the future.
Pass criteria: At least 1 of the following conditions is met. Exported data is in JSON or CSV format. A schema description is included (either embedded in the JSON as a _schema key or in a separate README inside a ZIP). The format is stable and documented enough for a user to understand their data without technical assistance.
Fail criteria: Export format is proprietary, binary, or undocumented. No schema information is provided. The export requires a specific application to parse.
Skip (N/A) when: Data export feature does not exist (in which case the previous check already flags this as a failure).
Detail on fail: Example: "Data export downloads a binary .dat file with no schema documentation." or "JSON export exists but field names are abbreviated without documentation (e.g., 'ts' for timestamp, 'uid' for userId).".

Remediation: Structure the JSON export with self-documenting field names and include a schema block:

{
  "_meta": {
    "exportedAt": "2026-02-21T10:00:00Z",
    "formatVersion": "1.0",
    "schemaUrl": "https://example.com/docs/data-export-schema",
    "description": "Personal data export. All timestamps are UTC ISO 8601."
  },
  "profile": {
    "id": "usr_abc123",
    "email": "user@example.com",
    "displayName": "Alice",
    "createdAt": "2025-01-15T08:30:00Z"
  },
  "activityHistory": [
    { "eventType": "page_view", "path": "/dashboard", "occurredAt": "2026-02-20T14:22:00Z" }
  ],
  "purchases": [
    { "orderId": "ord_xyz", "amount": 2900, "currency": "usd", "createdAt": "2026-01-10T09:00:00Z" }
  ]
}

Use full, descriptive field names (not abbreviations). Include a _meta block with export date, format version, and a link to schema documentation.

Exported data uses standard, non-proprietary format with documented schema

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Exported data uses standard, non-proprietary format with documented schema

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History