Businesses under pressure as consumers exercise their privacy rights

DataGrail unveiled the results of its research report that looks at consumer data privacy trends. In the report, the company benchmarked the cost, volume, and challenges associated with data privacy.

The report focused on the actions that consumers took in 2021 to exercise their privacy rights under the CCPA. This includes the right to access their data, delete their data, and stop the sale of their data to a third-party. The company then compared 2021 data with that from 2020, which was CCPA’s first year, in order to evaluate data privacy trend lines.

The research clearly showed that consumers are taking action to manage their personal information– and they are more than willing to go the distance to delete their data and to stop the sale of their data to third parties. This translates to a dramatic increase in costs for companies tasked with handling data subject requests (DSRs).

“Consumers have strong feelings about how they want their data used, and companies are largely unprepared to deal with this sea change,” said Daniel Barber, CEO of DataGrail.

“The volume of data subject requests is growing exponentially, which puts a number of stresses on businesses, particularly as many companies are still trying to figure out where all of that customer data lives. And it is only going to get worse as more legislation comes their way. For example, when the California Privacy Rights Act (CPRA) goes into effect in January 2023, hundreds of companies will need to offer consumers a say in whether or not their personal data can be shared with third parties, which is a much different question than whether their data can be sold. This alone will increase the complexity and cost of managing data privacy.”

Data privacy trends: Consumers take control of their data

Consumers proactively took steps to reduce their online footprint

The volume of DSRs nearly doubled from 2020 to 2021. The number of requests increased from 137 to 266 requests per 1 million identities, with data deletion requests also nearly doubling in 2021.

Companies received about 43 deletion requests per 1 million identities in 2020. This number ballooned to 84 deletion requests per 1 million identities in 2021, despite deletion requests being much harder for consumers to complete. This indicates that people are willing to go to great lengths to delete their data– and are likely to continue to do so well after CPRA goes into effect.

DSRs are not limited to California

In fact, by the end of 2021, companies received DSR’s from every state. D.C. and California may have the most per capita, but Washington, Colorado, Illinois, and Virginia closely follow. People are demanding to know more about how companies are handling their data, regardless of where they live.

What this means for businesses

Gartner research suggests that businesses spend approximately $1,524 dollars to process a single DSR, which translates to a big line item on the budget when multiplying that figure by the number of requests received (see below). Additionally, DataGrail’s research team found that on average, the team member charged with executing DSRs spends 2-4 months (60-130 hours) in a year sustaining compliance if done manually, which is a huge productivity strain. Looking more closely, points of impact include:

The cost of privacy is going up and will only get more expensive for businesses. The cost of processing data subject requests doubled year-over-year. It jumped from $192,000 per 1 million identities to roughly $400,000 per 1 million identities year-over-year– and costs will continue to rise.

DSRs will get harder to process when CPRA goes into effect. The new law clarifies that organizations must give people the option to opt-out not only if their data is sold but also if it is shared with a third party for advertising purposes. For organizations currently required to offer DNS, this already represents 63% of their total requests. With a greater number of companies required to enable DNS for data-sharing under the CPRA, the number of privacy requests will skyrocket.

Companies stumble to identify all the third-party SaaS apps that contain personal data. Organizations frequently miss ~50% of shadow SaaS apps when running data mapping exercises manually. In reality, most companies don’t even know all the systems—the third-party Saas applications—that contain personal data, let alone where personal data is. As data privacy continues to evolve, getting a handle on personal data across all systems should be a top priority if companies wish to avoid fines and consumer backlash.

As DSRs flow in from every state, businesses have to think long-term. Currently, only three states have privacy laws, but many others have bills in the works. Organizations must be prepared for a patchwork of requirements that differ slightly from state to state. When new laws are enacted, they will require greater resources to handle with expediency and accuracy. Companies can offset such challenges by putting sound practices and solutions in place now.

“We’ve entered a new era where a robust data privacy program is essential not only for compliance or winning customer trust, but for a business’ actual survival,” noted Barber. “The key will be leveraging automated solutions that can boost efficiency and decrease costs while eliminating errors. Systems must be flexible enough that they can adapt to rapidly evolving changes in the landscape at the state, federal, and global scale. It’s a significant challenge, but one that can be overcome with intelligent software and sound data privacy practices.”