The impact of the CCPA on companies’ privacy practices

A new DataGrail report examined how millions of California consumers are exercising their privacy rights – to access their data, delete their data, and stop the sale of their data to a third-party – according to the CCPA, which went into effect on January 1, 2020.

Consumers are more aware of CCPA

The research clearly shows that consumers are increasingly concerned about their personal information and how it is used. It also underscores that the number of data subject requests (DSRs) companies receive varies wildly, depending on their privacy practices.

“With Apple leading a new charge on privacy and CCPA entering its enforcement stage, consumers are not only more aware of how their data is being used than ever before, they also realize, perhaps for the first time, that they have options to protect their information,” said Daniel Barber, CEO at DataGrail.

“As more and more states explore data privacy legislation, and as tech leaders take on privacy issues, we anticipate the number of DSRs to increase in the coming year.”

CCPA: Consumers take control of their privacy

DataGrail is in the position of fulfilling DSRs for millions of consumers, which gives it unique insights into the number of requests a company can anticipate.

The company analyzed DSRs processed throughout 2020 across its business-to-consumer (B2C) customers, resulting in a powerful benchmark of what to expect as the CCPA and other privacy regulations start to have a larger impact on how business is done.

Key findings

• Consumers are most likely to opt-out of their data being sold to a third party by submitting a do not sell request, rather than requesting access to a record of their data or deletion of that data. Data showed that 46% of DSR requests were to opt-out of data being sold.
• One-third of DSRs in 2020 were deletion requests, demonstrating that consumers have become aware of CCPA and far more active in guarding their data.
• The ease with which privacy rights could be exercised was also a factor. Consumers were twice as likely to exercise their right to opt out of data being sold versus performing an access request.

Privacy practices impact business

In addition to the complexity of managing consumer DSRs, companies are being hit with increased volume and substantial costs. Research showed that the average B2C company received 137 DSRs per million identities in 2020. (DSRs were measured per one million identities to normalize data across different company sizes.).

Gartner data shows businesses that manually process data subject requests on average spend $1,406 per request. At this rate, B2C organizations who manually processed DSRs spent approximately $192,000 per million identities in 2020 to process and fulfill data subject requests.

Factors that influenced request volume

• Nearly half of all DSRs go unverified, which means the requester did not follow through with proving their identity. Many of these unverified requests were actually spam, costing companies time and money unnecessarily.
• Organizations that use a form and a CAPTCHA tend to have significantly less unverified requests than organizations that ask customers to send an email.
• Companies that updated their privacy policies frequently had a tendency to experience a surge of requests after an update.

Ultimately the study concludes that businesses can offset the drain from privacy requests by becoming more proactive themselves through steps such as simplifying the language used in their privacy policies, being consistent in their approach, and adopting automated solutions that can reduce fulfilment complexity and time-consuming manual processes.

“The companies that are transparent and those that can win trust will be the big winners in the new privacy era,” noted Barber. “Proactively embracing good privacy practices doesn’t have to be a death sentence to profit margins. Forward-thinking companies have figured out how to make a strong privacy stance work for people and their business.”