CCPA privacy requests cost business up to $275k per million consumer records

Organizations who plan on manually processing CCPA data subject requests (DSRs) or data subject access requests will spend between $140k – $275k per million consumer records they have in their systems, according to DataGrail.

CCPA privacy requests

The CCPA went into effect on January 1, 2020, giving consumers the right to know the data collected about them, to delete data about them, and ensure their data is not sold to third-parties. The report analyzed the number of requests in Q1 2020 to understand how CCPA will impact organizations in the long-run.

The early learnings from the first few months of CCPA should help businesses plan and predict the future of privacy regulation.


  • Privacy headlines (and COVID-related emails) in March & April likely drove an increase of CCPA privacy requests.
  • B2C companies should prepare to process approximately 100 to 194 requests per million consumer records each year.
  • Processing CCPA privacy requests will likely cost B2C companies $140,000 to $275,000 per one million consumer records, if done manually.
  • January 2020 saw a surge of privacy requests, most likely due to the law going into effect and privacy policy updates.
  • Deletion requests were the most popular requests (40%) in Q1 2020, followed by DNS (33%), and access requests (27%).
  • Do Not Sell (DNS) requests will likely become the most dominant privacy request after analyzing early trending data.

CCPA privacy requests

CCPA privacy requests expected to stabilize

Looking forward to the remainder of 2020, the number of CCPA privacy requests is expected to stabilize around the February and March numbers (8 requests per million consumer records).

However, as privacy related issues make headlines or a company updates their privacy policy, organizations should expect a surge of requests. For example, in April, the number of requests has been trending higher, most likely due to the number of COVID-related emails sent, and headlines about the privacy of remote work and conferencing apps.

In July and August we may see a surge once again as CCPA enforcement begins on July 1, 2020.

DNS requests expected to dominate

DNS requests will likely dominate, with deletion requests not far behind, which means companies should prepare for the complex task of reaching out to their network of processors and sub processors to successfully perform a hard delete. New regulations cause a lot of uncertainty and anxiety – especially when they involve a lot of complexity and associated fines.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss