Urgent Need for Federal Data Privacy Regulation: DataGrail Finds 52% of Requests to Protect Personal Data Come from States Without Data Protection Laws as Privacy Requests Rise by 72%

DataGrail’s Privacy Trends 2023 Report shows more consumers than ever before seek greater control over their personal information in the absence of federal data privacy legislation

Privacy Requests could cost businesses upward of $648k per year, per 1 million identities

People's requests to access, modify, or delete their data jumped 72%. Over half of these requests come from places without privacy rules. (Graphic: Business Wire)

SAN FRANCISCO--()--DataGrail, the leading Privacy Control Center™, today released its Privacy Trends 2023 Report, which shows a sharp increase in consumers’ desire to protect their privacy. The findings reveal Data Subject Requests (DSRs) — formal requests made to a company by a person to access, modify, or delete the personal data that the company holds on them — increased by 72% from 2021 to 2022, driven primarily by an increase in Deletion and Access requests. In fact, the number of Deletion requests more than doubled while Access requests grew fivefold. DataGrail projects these numbers will continue to increase as new data privacy laws, like those in Virginia and Colorado, come into effect and focus attention on responsible data privacy practices. DataGrail also uncovered a surge of privacy requests – 52% of all requests – coming from states that have yet to adopt data privacy legislation. This underscores the growing public support for a federal data privacy law.

Concern over data privacy rose sharply in 2022, fueled by a constant stream of related news, including the overturning of Roe v. Wade, Sephora’s settlement with the California Attorney General, and the EU’s crackdown on Meta’s data privacy practices. As such, people are actively seeking more control over how their personal data is used. In 2022, DataGrail found that 85% of people want to know which businesses collect their data and for what purpose. In response to increasing privacy concerns, DataGrail set out to understand the impact of privacy awareness on organizations by analyzing how many privacy requests the average business can expect. The result is the Privacy Trends 2023 Report. The report analyzes the number of privacy requests DataGrail processed in 2021 versus 2022 and creates a benchmark for businesses to calibrate the status of their privacy program.

Privacy Trends 2023 Report Topline Findings

  • 2022 saw a 72% increase in the total volume of data privacy requests compared to 2021. In 2021, there was an average of 377 DSRs per million identities, compared to 2022’s 650 DSRs per million identities. Notably, the average number of Access requests per million identities grew by more than 5x from 2021 to 2022.
  • Deletion requests far outpace Access requests. Companies process 56% more Deletion requests than Access requests. On average, companies can expect 272 Deletions requests and 153 Access requests per million identities annually.
  • Requests came from every state and every country in 2022 — not just those with privacy laws designed to protect their residents. In fact, 52% of requests came from states without such laws on the books. This suggests consumers are more concerned about privacy than ever before, and businesses are stepping up to fulfill DSRs even though they are not legally required to do so.
  • Access and Deletion requests can cost companies around $648K per year, per million identities. This figure is based on Gartner’s suggestion that it costs businesses approximately $1,524 to manually process a single Access or Deletion request.
  • The number of Californian Do Not Sell requests stayed about the same compared to 2021. It is worth noting Do Not Sell requests are unique to California and fewer people around the globe have this right.

Unpacking Why Companies Get More or Fewer Privacy Requests
There are several factors that influence the volume of DSRs companies receive. For instance, DataGrail often sees a request surge when a company updates its privacy policy. Firms providing services or products catering to specific life events, like getting married, having a baby, researching colleges, etc., tend to experience more requests than average. Global companies receive an elevated volume of requests due to their large size and reach, with the European market in particular regarded as more “privacy mature.”

“Consumers’ desire for greater control over their personal information grows stronger by the day, as people recognize that privacy should be a human right, even if it is not yet federally protected,” said Daniel Barber, founder and CEO of DataGrail. “Businesses are going to have to respond in an efficient manner, if for no other reason than for the value of earning and maintaining consumer trust and reputational capital.”

What’s to Come
The privacy landscape continues to evolve at a rapid pace, with an increasing number of states adding legislation and a renewed focus on privacy at the federal level. Virginia’s privacy law went into effect this January, with Colorado and Connecticut following suit in July 2023. This will translate to a higher volume of DSRs and Do Not Sell requests businesses are required to process, and more changes that companies must account for in their privacy practices.

Further complicating matters is the widespread adoption of generative AI, which does not inherently seek a consumer’s consent to use their data. The uncertainty surrounding generative AI and its applications may spur Congress or the FTC into action to help safeguard consumer privacy.

Businesses that want to get ahead and earn customer trust are adopting best-in-class privacy practices and tools to relieve the resource strain caused by processing DSRs. Those taking a privacy-forward stance find that they are lowering their overall business risk as well.

“To take away some of the pain and cost associated with DSRs, organizations must know where their data lives — including all applications and internal systems. They should also automate where they can and minimize the amount of data saved when possible. Doing so will reduce risk to their business — not to mention save them time, resources, and headaches,” added Barber.

Methodology
DataGrail analyzed the DSRs it helped process from Jan. 1 - Dec. 31, 2022. The dataset has more than 100M records, where a “record” is defined as a single, individual record associated with a unique identifier within a customer’s database. To determine the cost of processing requests, DataGrail used Gartner’s manual processing estimate of $1,524 per DSR.

To normalize the data across various company sizes, DataGrail calculated DSRs per one million identities. To account for variability, DataGrail used a “10% trim mean” calculation to determine benchmarks. The dataset includes DSRs submitted under CCPA and GDPR, along with DSRs received in the U.S. and globally that do not fall under those regulatory umbrellas. As a United States-based company, with primarily U.S.-based customers, DataGrail’s dataset may skew toward DSRs from the U.S.

About DataGrail

DataGrail is the Privacy Control Center modern brands rely on to build customer trust and outsmart business risk. Security, legal, and executive teams use DataGrail to automate privacy workflows and support compliance with regulations like GDPR, CCPA, and CPRA. With 1,900+ pre-built connections for popular apps and infrastructure, DataGrail offers continuous system detection, responsible data discovery, guided privacy assessments, and automated data subject request (DSR) fulfillment to power the world's most trusted businesses. DataGrail services millions of consumers through companies like Amazon, Salesforce, Overstock, Instacart, and New Balance, and is a G2 leader. DataGrail is backed by leading VCs and strategic investors, including Third Point Ventures, Felicis Ventures, Next47, Cloud Apps Capital Partners, Operator Collective, HubSpot, Okta Ventures, and American Express Ventures. Visit www.datagrail.io or follow DataGrail on Twitter and LinkedIn to learn more.

Contacts

Leigh Disher
leigh@gmkcommunications.com

Social Media Profiles

Contacts

Leigh Disher
leigh@gmkcommunications.com