fbpx

By submitting this form, you consent to receive communications from DataGrail

CCPA

CCPA Disclosure Metrics: Big Box Retailer Edition

Rachel Torres July 28, 2021

People exercised their rights to privacy 782,562 times with key Big Box stores in California last year.

On July 1, 2021, the California Consumer Privacy Act required certain businesses to report specific privacy-related metrics around how many data subject requests they received last year and how long it took to address them. 

The threshold for publishing CCPA metrics currently includes businesses that have the personal information of 10 million or more California residents, which is about a quarter of the state’s population. We took a look at the top Big Box stores that did reach this threshold. The group consisted of Walmart, Home Depot, Target, Costco, BestBuy, Bed Bath & Beyond, Lowe’s, Kohl’s, and TJX Companies. The Big Box store disclosure metrics reveal a fascinating glimpse under the hood of California’s household favorites. 

What the Metrics Show

Before we get to the findings, let’s take a quick look at what the law requires companies to disclose. Companies must report on the number of people who exercised their right to:

  • Have their personal data deleted (deletion request)
  • Know what data a company has about them (access request or DSAR), and
  • Opt-out of their data being sold to a third party (do-not-sell request).

In addition to reporting on the number of different types of requests, they also have to report on how fast they were able to respond to the request—as the law requires a request to be completed within 45 days. For more on the “Why?” behind these metrics, check out our blog post, CCPA Reporting Metrics

Without further ado, here are the results.

Big Box Retailer Metrics 

Company
(with link to CCPA metrics)

Access Requests Made

Access Requests Completed

Access Response Time
(median or average days)

Deletion Requests Made

Deletion Requests Completed

Deletion Response Time
(median or average days)

Opt-Out Requests Made

Opt-Out Requests Completed

Opt-Out Response Time
(median or average days)

Bed Bath & Beyond

105

70

16

1,199

844

18

Does Not Report

Best Buy

399

126

2

930

450

7

118,063

118063

0

Costco

522

494

17

117

94

16

85,078

79,060

1

Home Depot

659

283

50

676

321

43

2,899

2,094

1

Kohl’s

32

15

36.96

520

95

9.98

3,483

2,752

6.35

Lowe’s (CA)

234

83

13.6

360

105

42.9

963 (portal) / 17,310

426 / 17,310

0.1

Target

561

316

22

650

248

41

139,000

124,576

<1 day

TJX

2

2

13.5

289

289

47

1,560

1,560

1

Walmart (CA)

47,445

22,693

28.43

6,194

2,714

19.99

354,275

352,940

7.76

The Highlights

1. Big Tech isn’t the only target for data privacy concerns — consumers are taking action to make sure Big Box stores honor their privacy rights. According to publicly available information from leading Big Box stores (Walmart, Home Depot, Target, Costco, BestBuy, Bed Bath & Beyond, Lowe’s, Kohl’s, and TJX Companies), people exercised their rights to privacy 782,562  times with these retail brands under CCPA last year. While it’s not as high as the 25 million times consumers made data subject requests with the tech giants, it’s still a sizable amount of requests.  

Most likely, Big Tech companies have larger customer bases compared to these retailers, but also a greater share of their users making privacy requests. Big Tech companies tend to drive privacy discussions– whether proactively like Apple or reactively as Facebook has in the wake of scandal– making consumers much more conscious of how tech companies use data and prompting them to take action. However, retailers should prepare for increasing volumes of requests in the near future as consumers become more knowledgeable about their privacy rights, retailers become more transparent about their practices, and more states adopt privacy legislation.

 

2. Big Box stores did not (or could not) take advantage of opt-out loopholes. In our Big Tech analysis, none of the companies we studied reported “Do Not Sell” requests. Conversely, only Bed Bath & Beyond did not report opt-out requests out of this group of Big Box stores.

Opt-outs represented the vast majority of privacy requests for Big Box stores — 721,668 opt-out requests compared to 60,894 combined requests for deletion and access. At more than 14x the number of access requests and a whopping 68x of deletion requests, it is clear that consumers do not want stores to sell their data. Bear in mind, however, these numbers are specific to this category. Our own CCPA DSR reporting is consistent in finding do-not-sell requests are by far the most common type of request across industries, but to a more modest degree.

 

3. Walmart’s California customers’ share of privacy requests was disproportionate to those of other Big Box stores. The number of access requests made to Walmart totaled 47,445. The next closest retailer was Home Depot at 659. Its deletion requests were at least within the same ballpark with others — 6,194 for Walmart CA compared to 1,199 for next-in-line Bed Bath & Beyond. Walmart also received 354,275 “Do Not Sell” requests, followed by Target’s 139,000.

The Walmart vs.Target comparison is an interesting one, as the stores vie for the same audience, but Target is generally perceived as more customer-friendly than Walmart. Consumers’ desire for their personal data not to be sold remains evident, but there is clear differentiation between access requests (Walmart’s 47,445 compared to Target’s 561) and deletion requests (Walmart’s 6,194 vs. Target’s 650). This demonstrates the power of a brand, as Target is likely paying substantially less than Walmart each year to handle privacy requests. 

 

4. Data subject requests could result in significant financial implications for Big Box stores. CCPA requests could have cost Big Box stores over a billion dollars in 2020 if they had processed them without an automated privacy solution. Gartner data shows that businesses that manually process data subject requests on average spend $1,406 per request. With 782,562 requests total, that works out to $1,100,282,172 (So, yeah, automating your data subject requests process is a great idea.)

Other Big Box CCPA Disclosure Findings

  • The most deletion requests received: Walmart. Deletion can be hard. As many a privacy program owner will tell you, deleting a requestor’s data is tricky across the tens or hundreds of apps and infrastructure typically deployed in a modern business stack. Big Box retailers had an average response time of 27.2 days when dealing with deletion requests, but Home Depot (43), Target (41), and TJX (47– which is over the 45-day limit set out by CCPA) all took greater than 40 days to resolve. This is a much longer lag. For comparison’s sake, the longest deletion response time among Big Tech companies was Amazon at 26.5 days. BestBuy was the big winner in this category with a response time of seven days.

 

  • The fastest access request response time: BestBuy. BestBuy wins the quickest response time taking just two days to process requests. By contrast, the slowest response time for access requests went to Home Depot at 50 days.

 

  • TJX was the only company not to deny any access requests, deletion requests, or opt-outs, indicating a resolve to honor customers’ requests even if it takes time to work through the process.

 

  • Lowe’s yielded near-immediate response times for opt-out requests. It’s also worth noting that Lowe’s reported both its overall opt-out request number as well as the number of requests made through its self-service portal. 

 

The 2020 disclosure metrics set a benchmark for industries to see how they compare and areas of opportunity. It’ll be intriguing to observe how other Big Box retailers incorporate self-service portals and other automation into their key processes, so that they not only answer requests but can do so quickly and efficiently. 

We’re hunting down more CCPA metrics from top brands, so sign up for our newsletter to get the next CCPA metrics blog post in your inbox.