Consumers Taking Action on Data Privacy, New Research Reveals
With data subject requests (DSRs) and associated costs increasing, research shows the impact of the California Consumer Protection Act (CCPA) on companies’ privacy practices.
Note: TDWI’s editors carefully choose vendor-issued press releases about new or upgraded products and services. We have edited and/or condensed this release to highlight key features but make no claims as to the accuracy of the vendor's statements.
DataGrail, the privacy platform vendor, released the results of its 2021 proprietary research report that looks at consumer privacy trends. This year’s report, The State of CCPA: Benchmarking CCPA Trends Across Consumer (B2C) Brands, examined how millions of California consumers are exercising their privacy rights -- to access their data, delete their data, and stop the sale of their data to a third-party -- under the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.
The research clearly shows that consumers are increasingly concerned about their personal information and how it is used. It also underscores that the number of data subject requests (DSRs) companies receive varies widely, depending on their privacy practices.
Consumers Take Control of Their Data
DataGrail is in the position of fulfilling data subject requests (DSRs) for millions of consumers, which gives it unique insights into the number of requests a company can anticipate. The company analyzed DSRs processed throughout 2020 across its business-to-consumer (B2C) customers, resulting in a powerful benchmark of what to expect as the CCPA and other privacy regulations start to have a larger impact on how business is done.
Among the findings, research showed:
- Consumers are most likely to opt-out of their data being sold to a third party by submitting a do not sell (DNS) request, rather than requesting access to a record of their data or deletion of that data. Data showed that 46 percent of DSR requests were to opt-out of data being sold.
- One-third of DSRs in 2020 were deletion requests, demonstrating that consumers have become far more active in guarding their data.
- The ease with which privacy rights could be exercised was also a factor. Consumers were twice as likely to exercise their right to opt out of data being sold versus performing an access request.
Privacy Practices Impact Business
In addition to the complexity of managing consumer DSRs, companies are being hit with increased volume and substantial costs. Research showed that the average B2C company received 137 DSRs per million identities in 2020. (DSRs were measured per one million identities to normalize data across different company sizes.) Gartner data indicates businesses that manually process data subject requests on average spend $1,406 per request. At this rate, B2C organizations who manually processed DSRs spent approximately $192,000 per million identities in 2020 to process and fulfill data subject requests.
Factors that influenced request volume included:
- Nearly half of all DSRs go unverified, which means the requester did not follow through with proving their identity. Many of these unverified requests were actually spam, costing companies time and money unnecessarily.
- Organizations that use a form and a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) tend to have significantly fewer unverified requests than organizations that ask customers to send an email.
- Companies that updated their privacy policies frequently had a tendency to experience a surge of requests after an update.
The study concludes that businesses can offset the drain from privacy requests by becoming more proactive themselves through steps such as simplifying the language used in their privacy policies, being consistent in their approach, and adopting automated solutions that can reduce fulfilment complexity and time-consuming manual processes.
For details, visit https://www.datagrail.io/the-state-of-ccpa/.