State of CCPA Report Reveals Strain, Rising Costs as More Consumers Exercise Privacy Rights

Volume of data subject requests nearly doubled over the past year, with the cost of processing them soaring to $400,000 per 1 million identities.

Note: TDWI’s editors carefully choose press releases related to the data and analytics industry. We have edited and/or condensed this release to highlight key information but make no claims as to its accuracy.

DataGrail, a modern privacy platform designed to help brands build customer trust and transparency, has unveiled the results of its second annual proprietary research report that looks at consumer privacy trends. In 2022 Data Privacy Trends: A CCPA Report, the company benchmarked the cost, volume, and challenges associated with data privacy.

The report focused on the actions consumers took in 2021 to exercise their privacy rights under the California Consumer Privacy Act (CCPA), including the right to access their data, delete it, and stop its sale to a third party. The company then compared 2021 data with that from 2020 (CCPA’s first year) to evaluate data privacy trend lines.

The research clearly showed that consumers are taking action to manage their personal information, including stopping sale of their data to third parties -- and they are more than willing to go so far as to delete their data entirely. This translates to a dramatic increase in costs for companies tasked with handling data subject requests (DSRs).

“Consumers have strong feelings about how they want their data used, and companies are largely unprepared to deal with this sea change,” said Daniel Barber, CEO and founder of DataGrail. “The volume of data subject requests is growing exponentially, which puts a number of stresses on businesses, and it is only going to get worse as more legislation comes their way. For example, when the California Privacy Rights Act (CPRA) goes into effect in January 2023, companies will need to offer consumers a say in whether their personal data can be shared with third parties, which is a much different question than whether their data can be sold. This alone will increase the complexity and cost of managing data privacy.”

Consumers Take Control of Their Data

The DataGrail Platform helps companies automate the processing of data subject requests and data mapping, providing companies with insights into how privacy is evolving and how people and businesses are adapting. For this year’s report, DataGrail analyzed how many DSRs were processed throughout 2021 across its customer base, resulting in a benchmark of what to expect as the ripple effect of data privacy regulations takes hold. Given that it is the company’s second annual CCPA report, DataGrail researchers have been able to look at what happened across a broader data set to spot new trends taking shape.

Top findings include:

  • Consumers proactively took steps to reduce their online footprint. The volume of DSRs nearly doubled from 2020 to 2021. The number of requests increased from 137 to 266 requests per 1 million identities, with data deletion requests also nearly doubling in 2021. Companies received about 43 deletion requests per 1 million identities in 2020. This number ballooned to 84 deletion requests per 1 million identities in 2021, despite deletion requests being much harder for consumers to complete. This indicates that people are willing to go to great lengths to delete their data -- and are likely to continue to do so well after CPRA goes into effect. 
  • DSRs are not limited to California. By the end of 2021, companies received DSRs from every state. Washington, DC and California may have the most per capita; Washington state, Colorado, Illinois, and Virginia closely follow.

What This Means for Businesses

Gartner research estimates that businesses spend approximately $1,524 to process a single DSR, which translates to a big line item on the budget when multiplying that figure by the number of requests received (see below). Additionally, DataGrail’s research team found that on average, the team member charged with executing DSRs spends two to four months (60-130 hours) in a year sustaining compliance when done manually, which is a huge productivity strain.

Looking more closely, points of impact include:

  • The cost of privacy compliance is going up and will only get more expensive for businesses. The cost of processing DSRs doubled year-over-year. It jumped from $192,000 per 1 million identities to roughly $400,000 per 1 million identities -- and costs will continue to rise.
  • DSRs will get harder to process when CPRA goes into effect. The new law clarifies that organizations must give people the option to opt out not only if their data is sold but also if it is shared with a third party for advertising purposes. For organizations currently required to offer a do-not-sell (DNS) option, this already represents 63 percent of their total requests. With a greater number of companies required to enable DNS for data sharing under the CPRA, the number of privacy requests will skyrocket.
  • Companies stumble when identifying all the third-party SaaS apps that contain personal data. Organizations frequently miss about 50 percent of shadow SaaS apps when running data mapping exercises manually. In reality, most companies don’t even know all the systems that contain personal data, let alone where that personal data is. As data privacy continues to evolve, getting a handle on personal data across all systems should be a top priority if companies wish to avoid fines and consumer backlash.
  • As DSRs flow in from every state, businesses have to think long-term. Currently, only three states have privacy laws, but many others have bills in the works. Organizations must be prepared for a patchwork of requirements that differ slightly from state to state. New laws will require greater resources to handle with expediency and accuracy. Companies can offset such challenges by putting sound practices and solutions in place now.

“We’ve entered a new era where a robust data privacy program is essential not only for compliance or winning customer trust, but for a business’ actual survival,” noted Barber. “The key will be leveraging automated solutions that can boost efficiency and decrease costs while eliminating errors.”

Download the full report here.
