New research from DataGrail shows that nearly half of privacy requests sent in 2020 were to stop the sale of personal data to a third-party. The 2021 The State of CCPA: Benchmarking CCPA Trends Across Consumer (B2C) Brands report examined how California consumers are exercising their privacy rights according to the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. 

The research found that consumers are increasingly concerned about their personal information and how it is used. It also underscores that the number of data subject requests (DSRs) companies receive varies wildly, depending on their privacy practices.

“With Apple leading a new charge on privacy and CCPA entering its enforcement stage, consumers are not only more aware of how their data is being used than ever before, they also realize, perhaps for the first time, that they have options to protect their information,” said Daniel Barber, CEO and founder of DataGrail. “As more and more states explore data privacy legislation, and as tech leaders take on privacy issues, we anticipate the number of DSRs to  increase in the coming year.”

DataGrail, which fulfills data subject requests (DSRs) for millions of consumers, analyzed DSRs processed throughout 2020 across its business-to-consumer (B2C) customers, resulting in a benchmark of what to expect as the CCPA and other privacy regulations start to have a larger impact on how business is done.

Among the most interesting findings, research showed:

• Consumers are most likely to opt-out of their data being sold to a third party by submitting a do not sell (DNS) request, rather than requesting access to a record of their data or deletion of that data. Data showed that 46% of DSR requests were to opt-out of data being sold. 
• One-third of DSRs in 2020 were deletion requests, demonstrating that consumers have become far more active in guarding their data.
• The ease with which privacy rights could be exercised was also a factor. Consumers were twice as likely to exercise their right to opt out of data being sold versus performing an access request.

In addition to the complexity of managing consumer DSRs, companies are being hit with increased volume and substantial costs. Research showed that the average B2C company received 137 DSRs per million identities in 2020. (DSRs were measured per one million identities to normalize data across different company sizes.) Gartner data shows businesses that manually process data subject requests on average spend $1,406 per request. At this rate, B2C organizations who manually processed DSRs spent approximately $192,000 per million identities in 2020 to process and fulfill data subject requests.

Factors that influenced request volume included:

• Nearly half of all DSRs go unverified, which means the requester did not follow through with proving their identity. Many of these unverified requests were actually spam, costing companies time and money unnecessarily.
• Organizations that use a form and a CAPTCHA tend to have significantly less unverified requests than organizations that ask customers to send an email.
• Companies that updated their privacy policies frequently had a tendency to experience a surge of requests after an update.

Ultimately the study concludes that businesses can offset the drain from privacy requests by becoming more proactive themselves through steps such as simplifying the language used in their privacy policies, being consistent in their approach, and adopting automated solutions that can reduce fulfilment complexity and time-consuming manual processes.