SAN FRANCISCO--(BUSINESS WIRE)--DataGrail, the modern privacy platform designed to help brands build customer trust and transparency, today unveiled the results of its second annual proprietary research report that looks at consumer privacy trends. In 2022 Data Privacy Trends: A CCPA Report, the company benchmarked the cost, volume, and challenges associated with data privacy. The report focused on the actions that consumers took in 2021 to exercise their privacy rights under the California Consumer Privacy Act (CCPA). This includes the right to access their data, delete their data, and stop the sale of their data to a third-party. The company then compared 2021 data with that from 2020, which was CCPA’s first year, in order to evaluate data privacy trend lines.
The research clearly showed that consumers are taking action to manage their personal information, and they are more than willing to go the distance to delete their data and to stop the sale of their data to third parties. This translates to a dramatic increase in costs for companies tasked with handling data subject requests (DSRs).
“Consumers have strong feelings about how they want their data used, and companies are largely unprepared to deal with this sea change,” said Daniel Barber, CEO and founder of DataGrail. “The volume of data subject requests is growing exponentially, which puts a number of stresses on businesses, particularly as many companies are still trying to figure out where all of that customer data lives. And it is only going to get worse as more legislation comes their way. For example, when the California Privacy Rights Act (CPRA) goes into effect in January 2023, hundreds of companies will need to offer consumers a say in whether or not their personal data can be shared with third parties, which is a much different question than whether their data can be sold. This alone will increase the complexity and cost of managing data privacy.”
Consumers Take Control of Their Data
The DataGrail Platform helps companies automate the processing of data subject requests and data mapping, providing companies with unparalleled insights into how privacy is evolving and how people and businesses are adapting. For this year’s report, DataGrail analyzed how many DSRs were processed throughout 2021 across its customer base, resulting in a powerful industry benchmark of what to expect as the ripple effect of data privacy regulations takes hold. Given that it is the company’s second annual CCPA report, DataGrail researchers have been able to look at what happened across a broader data set to spot new trends taking shape.
Topline findings include:
- Consumers proactively took steps to reduce their online footprint. The volume of DSRs nearly doubled from 2020 to 2021. The number of requests increased from 137 to 266 requests per 1 million identities, with data deletion requests also nearly doubling in 2021. Companies received about 43 deletion requests per 1 million identities in 2020. This number ballooned to 84 deletion requests per 1 million identities in 2021, despite deletion requests being much harder for consumers to complete. This indicates that people are willing to go to great lengths to delete their data and are likely to continue to do so well after CPRA goes into effect.
- DSRs are not limited to California. In fact, by the end of 2021, companies received DSR’s from every state. D.C. and California may have the most per capita, but Washington, Colorado, Illinois, and Virginia closely follow. People are demanding to know more about how companies are handling their data, regardless of where they live.
What This Means for Businesses
Gartner research suggests that businesses spend approximately $1,524 dollars to process a single DSR, which translates to a big line item on the budget when multiplying that figure by the number of requests received (see below). Additionally, DataGrail’s research team found that on average, the team member charged with executing DSRs spends 2-4 months (60-130 hours) in a year sustaining compliance if done manually, which is a huge productivity strain.
Looking more closely, points of impact include:
- The cost of privacy is going up and will only get more expensive for businesses. The cost of processing data subject requests doubled year-over-year. It jumped from $192,000 per 1 million identities to roughly $400,000 per 1 million identities year-over-year– and costs will continue to rise.
- DSRs will get harder to process when CPRA goes into effect. The new law clarifies that organizations must give people the option to opt-out not only if their data is sold but also if it is shared with a third party for advertising purposes. For organizations currently required to offer DNS, this already represents 63% of their total requests. With a greater number of companies required to enable DNS for data-sharing under the CPRA, the number of privacy requests will skyrocket.
- Companies stumble to identify all the third-party SaaS apps that contain personal data. Organizations frequently miss ~50% of shadow SaaS apps when running data mapping exercises manually. In reality, most companies don’t even know all the systems—the third-party SaaS applications—that contain personal data, let alone where personal data is. As data privacy continues to evolve, getting a handle on personal data across all systems should be a top priority if companies wish to avoid fines and consumer backlash.
- As DSRs flow in from every state, businesses have to think long-term. Currently, only three states have privacy laws, but many others have bills in the works. Organizations must be prepared for a patchwork of requirements that differ slightly from state to state. When new laws are enacted, they will require greater resources to handle with expediency and accuracy. Companies can offset such challenges by putting sound practices and solutions in place now.
“We’ve entered a new era where a robust data privacy program is essential not only for compliance or winning customer trust, but for a business’ actual survival,” noted Barber. “The key will be leveraging automated solutions that can boost efficiency and decrease costs while eliminating errors. Systems must be flexible enough that they can adapt to rapidly evolving changes in the landscape at the state, federal, and global scale. It’s a significant challenge, but one that can be overcome with intelligent software and sound data privacy practices.”
Download the full 2022 CCPA Trends report.
About DataGrail
DataGrail is the privacy platform brands rely on to build customer trust and transparency. Our easy-to-use platform enables brands to automate data subject requests and gain control of their data, so they can stay compliant with regulations like GDPR, CCPA, and CPRA. With 1000+ pre-built connections with popular apps and infrastructure, the DataGrail Integration Network is the first of its kind to detect shadow IT that may contain personal data, ensuring the most accurate data foundation. DataGrail services millions of consumers, through companies like Overstock, Dexcom, Databricks, Outreach, and has 4.8/5 stars on G2. DataGrail is backed by leading VCs and strategic investors, including Felicis, Cloud Apps Capital Partners, Operator Collective, HubSpot, Okta Ventures, Next47 and American Express Ventures. Visit www.datagrail.io or follow DataGrail on Twitter and LinkedIn to learn more.