Second Annual Data Privacy, State of CCPA Report Reveals the Strain Placed on Businesses as More Consumers Exercise Their Privacy Rights

Volume of data subject requests nearly doubled over the past year, with the cost of processing them soaring to $400,000 per 1 million identities

Dramatic increase in the number of do-not-sell requests has massive implications for companies that share data and will be subject to more stringent laws with the upcoming CPRA

DataGrail, the modern privacy platform designed to help brands build customer trust and transparency, unveiled the results of its second annual proprietary research report that looks at consumer privacy trends. In 2022 Data Privacy Trends: A CCPA Reportthe company benchmarked the cost, volume, and challenges associated with data privacy. The report focused on the actions that consumers took in 2021 to exercise their privacy rights under the California Consumer Privacy Act (CCPA). This includes the right to access their data, delete their data, and stop the sale of their data to a third-party. The company then compared 2021 data with that from 2020, which was CCPA’s first year, in order to evaluate data privacy trend lines.

Marketing Technology News: Wealthbox Announces $31 Million Equity Investment from Frontier Growth

“Consumers have strong feelings about how they want their data used, and companies are largely unprepared to deal with this sea change,” said Daniel Barber, CEO and founder of DataGrail.

The research clearly showed that consumers are taking action to manage their personal information, and they are more than willing to go the distance to delete their data and to stop the sale of their data to third parties. This translates to a dramatic increase in costs for companies tasked with handling data subject requests (DSRs).

“Consumers have strong feelings about how they want their data used, and companies are largely unprepared to deal with this sea change,” said Daniel Barber, CEO and founder of DataGrail. “The volume of data subject requests is growing exponentially, which puts a number of stresses on businesses, particularly as many companies are still trying to figure out where all of that customer data lives. And it is only going to get worse as more legislation comes their way. For example, when the California Privacy Rights Act (CPRA) goes into effect in January 2023, hundreds of companies will need to offer consumers a say in whether or not their personal data can be shared with third parties, which is a much different question than whether their data can be sold. This alone will increase the complexity and cost of managing data privacy.”

DataGrail's 2022 Data Privacy Trends: A CCPA Report reveals consumers proactively took steps to reduce their online footprint (Graphic: Business Wire)

Consumers Take Control of Their Data

The DataGrail Platform helps companies automate the processing of data subject requests and data mapping, providing companies with unparalleled insights into how privacy is evolving and how people and businesses are adapting. For this year’s report, DataGrail analyzed how many DSRs were processed throughout 2021 across its customer base, resulting in a powerful industry benchmark of what to expect as the ripple effect of data privacy regulations takes hold. Given that it is the company’s second annual CCPA report, DataGrail researchers have been able to look at what happened across a broader data set to spot new trends taking shape.

Marketing Technology News: MarTech Interview with Mike Yan, CEO and Co-founder at ManyChat

Topline findings include:

  • Consumers proactively took steps to reduce their online footprint. The volume of DSRs nearly doubled from 2020 to 2021. The number of requests increased from 137 to 266 requests per 1 million identities, with data deletion requests also nearly doubling in 2021. Companies received about 43 deletion requests per 1 million identities in 2020. This number ballooned to 84 deletion requests per 1 million identities in 2021, despite deletion requests being much harder for consumers to complete. This indicates that people are willing to go to great lengths to delete their data and are likely to continue to do so well after CPRA goes into effect.
  • DSRs are not limited to California. In fact, by the end of 2021, companies received DSR’s from every state. D.C. and California may have the most per capita, but Washington, Colorado, Illinois, and Virginia closely follow. People are demanding to know more about how companies are handling their data, regardless of where they live.

What This Means for Businesses

Gartner research suggests that businesses spend approximately $1,524 dollars to process a single DSR, which translates to a big line item on the budget when multiplying that figure by the number of requests received (see below). Additionally, DataGrail’s research team found that on average, the team member charged with executing DSRs spends 2-4 months (60-130 hours) in a year sustaining compliance if done manually, which is a huge productivity strain.

Looking more closely, points of impact include:

  • The cost of privacy is going up and will only get more expensive for businesses. The cost of processing data subject requests doubled year-over-year. It jumped from $192,000 per 1 million identities to roughly $400,000 per 1 million identities year-over-year– and costs will continue to rise.
  • DSRs will get harder to process when CPRA goes into effect. The new law clarifies that organizations must give people the option to opt-out not only if their data is sold but also if it is shared with a third party for advertising purposes. For organizations currently required to offer DNS, this already represents 63% of their total requests. With a greater number of companies required to enable DNS for data-sharing under the CPRA, the number of privacy requests will skyrocket.
  • Companies stumble to identify all the third-party SaaS apps that contain personal data. Organizations frequently miss ~50% of shadow SaaS apps when running data mapping exercises manually. In reality, most companies don’t even know all the systems—the third-party SaaS applications—that contain personal data, let alone where personal data is. As data privacy continues to evolve, getting a handle on personal data across all systems should be a top priority if companies wish to avoid fines and consumer backlash.
  • As DSRs flow in from every state, businesses have to think long-term. Currently, only three states have privacy laws, but many others have bills in the works. Organizations must be prepared for a patchwork of requirements that differ slightly from state to state. When new laws are enacted, they will require greater resources to handle with expediency and accuracy. Companies can offset such challenges by putting sound practices and solutions in place now.

Marketing Technology News: MarTech Interview with Mike Yan, CEO and Co-founder at ManyChat

“We’ve entered a new era where a robust data privacy program is essential not only for compliance or winning customer trust, but for a business’ actual survival,” noted Barber. “The key will be leveraging automated solutions that can boost efficiency and decrease costs while eliminating errors. Systems must be flexible enough that they can adapt to rapidly evolving changes in the landscape at the state, federal, and global scale. It’s a significant challenge, but one that can be overcome with intelligent software and sound data privacy practices.”

Brought to you by
For Sales, write to:
Copyright © 2024 MarTech Series. All Rights Reserved.Privacy Policy
To repurpose or use any of the content or material on this and our sister sites, explicit written permission needs to be sought.