People exercised their rights to privacy 782,562 times with key Big Box stores in California last year.
On July 1, 2021, the California Consumer Privacy Act required certain businesses to report specific privacy-related metrics around how many data subject requests they received last year and how long it took to address them.
The threshold for publishing CCPA metrics currently includes businesses that have the personal information of 10 million or more California residents, which is about a quarter of the state’s population. We took a look at the top Big Box stores that did reach this threshold. The group consisted of Walmart, Home Depot, Target, Costco, BestBuy, Bed Bath & Beyond, Lowe’s, Kohl’s, and TJX Companies. The Big Box store disclosure metrics reveal a fascinating glimpse under the hood of California’s household favorites.
What the Metrics Show
Before we get to the findings, let’s take a quick look at what the law requires companies to disclose. Companies must report on the number of people who exercised their right to:
- Have their personal data deleted (deletion request)
- Know what data a company has about them (access request or DSAR), and
- Opt-out of their data being sold to a third party (do-not-sell request).
In addition to reporting on the number of different types of requests, they also have to report on how fast they were able to respond to the request—as the law requires a request to be completed within 45 days. For more on the “Why?” behind these metrics, check out our blog post, CCPA Reporting Metrics.
Without further ado, here are the results.
Big Box Retailer Metrics
|
Company |
Access Requests Made |
Access Requests Completed |
Access Response Time |
Deletion Requests Made |
Deletion Requests Completed |
Deletion Response Time |
Opt-Out Requests Made |
Opt-Out Requests Completed |
Opt-Out Response Time |
|
105 |
70 |
16 |
1,199 |
844 |
18 |
Does Not Report |
— |
— |
|
|
399 |
126 |
2 |
930 |
450 |
7 |
118,063 |
118063 |
0 | |
|
522 |
494 |
17 |
117 |
94 |
16 |
85,078 |
79,060 |
1 |
|
|
659 |
283 |
50 |
676 |
321 |
43 |
2,899 |
2,094 |
1 |
|
|
32 |
15 |
36.96 |
520 |
95 |
9.98 |
3,483 |
2,752 |
6.35 |
|
|
234 |
83 |
13.6 |
360 |
105 |
42.9 |
963 (portal) / 17,310 |
426 / 17,310 |
0.1 |
|
|
561 |
316 |
22 |
650 |
248 |
41 |
139,000 |
124,576 |
<1 day |
|
|
2 |
2 |
13.5 |
289 |
289 |
47 |
1,560 |
1,560 |
1 |
|
|
47,445 |
22,693 |
28.43 |
6,194 |
2,714 |
19.99 |
354,275 |
352,940 |
7.76 |
The Highlights
1. Big Tech isn’t the only target for data privacy concerns — consumers are taking action to make sure Big Box stores honor their privacy rights. According to publicly available information from leading Big Box stores (Walmart, Home Depot, Target, Costco, BestBuy, Bed Bath & Beyond, Lowe’s, Kohl’s, and TJX Companies), people exercised their rights to privacy 782,562 times with these retail brands under CCPA last year. While it’s not as high as the 25 million times consumers made data subject requests with the tech giants, it’s still a sizable amount of requests.
Most likely, Big Tech companies have larger customer bases compared to these retailers, but also a greater share of their users making privacy requests. Big Tech companies tend to drive privacy discussions– whether proactively like Apple or reactively as Facebook has in the wake of scandal– making consumers much more conscious of how tech companies use data and prompting them to take action. However, retailers should prepare for increasing volumes of requests in the near future as consumers become more knowledgeable about their privacy rights, retailers become more transparent about their practices, and more states adopt privacy legislation.
2. Big Box stores did not (or could not) take advantage of opt-out loopholes. In our Big Tech analysis, none of the companies we studied reported “Do Not Sell” requests. Conversely, only Bed Bath & Beyond did not report opt-out requests out of this group of Big Box stores.
Opt-outs represented the vast majority of privacy requests for Big Box stores — 721,668 opt-out requests compared to 60,894 combined requests for deletion and access. At more than 14x the number of access requests and a whopping 68x of deletion requests, it is clear that consumers do not want stores to sell their data. Bear in mind, however, these numbers are specific to this category. Our own CCPA DSR reporting is consistent in finding do-not-sell requests are by far the most common type of request across industries, but to a more modest degree.
3. Walmart’s California customers’ share of privacy requests was disproportionate to those of other Big Box stores. The number of access requests made to Walmart totaled 47,445. The next closest retailer was Home Depot at 659. Its deletion requests were at least within the same ballpark with others — 6,194 for Walmart CA compared to 1,199 for next-in-line Bed Bath & Beyond. Walmart also received 354,275 “Do Not Sell” requests, followed by Target’s 139,000.
The Walmart vs.Target comparison is an interesting one, as the stores vie for the same audience, but Target is generally perceived as more customer-friendly than Walmart. Consumers’ desire for their personal data not to be sold remains evident, but there is clear differentiation between access requests (Walmart’s 47,445 compared to Target’s 561) and deletion requests (Walmart’s 6,194 vs. Target’s 650). This demonstrates the power of a brand, as Target is likely paying substantially less than Walmart each year to handle privacy requests.
4. Data subject requests could result in significant financial implications for Big Box stores. CCPA requests could have cost Big Box stores over a billion dollars in 2020 if they had processed them without an automated privacy solution. Gartner data shows that businesses that manually process data subject requests on average spend $1,406 per request. With 782,562 requests total, that works out to $1,100,282,172 (So, yeah, automating your data subject requests process is a great idea.)
Other Big Box CCPA Disclosure Findings
- The most deletion requests received: Walmart. Deletion can be hard. As many a privacy program owner will tell you, deleting a requestor’s data is tricky across the tens or hundreds of apps and infrastructure typically deployed in a modern business stack. Big Box retailers had an average response time of 27.2 days when dealing with deletion requests, but Home Depot (43), Target (41), and TJX (47– which is over the 45-day limit set out by CCPA) all took greater than 40 days to resolve. This is a much longer lag. For comparison’s sake, the longest deletion response time among Big Tech companies was Amazon at 26.5 days. BestBuy was the big winner in this category with a response time of seven days.
- The fastest access request response time: BestBuy. BestBuy wins the quickest response time taking just two days to process requests. By contrast, the slowest response time for access requests went to Home Depot at 50 days.
- TJX was the only company not to deny any access requests, deletion requests, or opt-outs, indicating a resolve to honor customers’ requests even if it takes time to work through the process.
- Lowe’s yielded near-immediate response times for opt-out requests. It’s also worth noting that Lowe’s reported both its overall opt-out request number as well as the number of requests made through its self-service portal.
The 2020 disclosure metrics set a benchmark for industries to see how they compare and areas of opportunity. It’ll be intriguing to observe how other Big Box retailers incorporate self-service portals and other automation into their key processes, so that they not only answer requests but can do so quickly and efficiently.
We’re hunting down more CCPA metrics from top brands, so sign up for our newsletter to get the next CCPA metrics blog post in your inbox.