Follow Datanami:
March 11, 2022

Privacy Costs Rise as CCPA Requests Jump


A new study released this week by DataGrail shows that costs associated with CCPA compliance are rising quickly as more citizens exercise their rights to limit data collection by third parties.

The volume of data subject requests (DSR) nearly doubled from 2020 to 2021, going from 137 to 266 requests per 1 million identities, according to a survey conducted on behalf of DataGrail for its report, “2022 Data Privacy Trends: A CCPA Report,” which was released Wednesday. This was the second such report conducted by the San Francisco privacy company, which allows it to make direct comparisons.

Companies face three primary types of DSRs, which are backed by the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, with enforcement beginning July 1 of that year. The most basic DSR request organizations to tell citizens what information they have stored about them. Citizens can also request that they no longer sell or share their information, and they can even request that organization delete whatever information they have already collected.

Source: DataGrail 2022 Data Privacy Trends: A CCPA Report

Considering that it costs about $1,500 to process a single DSR (per Gartner), the increase in volume of DSR requests is significant. According to DataGrail, the overall cost borne by organizations for DSRs increased from $192,000 per 1 million identities in 2020 to roughly $400,000 per 1 million identities in 2021.

Costs associated with more complex data deletion requests also nearly doubled last year, going from 43 deletion requests per 1 million identities in 2020 to 84 such requests by 2021.

These costs will continue to rise, according to DataGrail. Part of that projected increase has to do with a new privacy law, the California Privacy Rights Act (CPRA), which California voters approved in November 2020 and which is more stringent in some ways than the CCPA it will replace starting in 2023.

CPRA will raise privacy costs even more because it “gives people the option to opt-out not only if their data is sold but also if it is shared with a third party for advertising purposes,” DataGrail says. For organizations that are currently required to offer these “do not share” (DNS) requests, these requests represents 63% of their total requests. “With a greater number of companies required to enable DNS for data-sharing under the CPRA, the number of privacy requests will skyrocket,” the company says.

Source: DataGrail 2022 Data Privacy Trends: A CCPA Report

The proliferation of data silos and software-as-a-service (SaaS) applicaiotns will also contribute to rising costs, DataGrail says. The company says that it’s common for organizations to miss half of all SaaS apps when running data mapping exercises, which means they’re blind to much of the personal data they contain. That puts them behind the eight-ball when it comes to complying with CCPA (and soon CPRA) DSRs.

Organizations spend an average of 60 to 130 person-hours complying with DSRs, according to DataGrail. Assuming an average salary of $50 per hour, that represents a cost in the range of about $3,000 to $10,000 per year.

The proliferation of privacy laws is another factor to consider. Today, only three states have privacy laws: California, Virginia, and Colorado. However, DSRs can come in from citizens located in any state. And as more states adopt data privacy laws, the problem will only be magnified, DataGrail says.

“Consumers have strong feelings about how they want their data used, and companies are largely unprepared to deal with this sea change,” Daniel Barber, CEO and founder of DataGrail, stated in a press release. “We’ve entered a new era where a robust data privacy program is essential not only for compliance or winning customer trust, but for a business’ actual survival.

Related Items:

Ssshhh! It’s Data Privacy Day

CPRA Poised to Replace CCPA, Bring Stricter Data Enforcement

CCPA Enforcement Begins: Are You Ready?