Within Big Tech alone, people exercised their rights to privacy 25 million times in 2020
On July 1, 2021, certain businesses were required by the California Consumer Privacy Act to report metrics around how many data subject requests they received and how long it took to address them.
The threshold for publishing CCPA metrics includes businesses that have personal information of 10 million or more California residents. That works out to about a quarter of the state’s population, and not many companies can boast that many customers. You know who does have that many customers? Big Tech, aka Tech Giants, aka FAANGM: Facebook, Apple, Amazon, Netflix, Google (Alphabet), Microsoft.
Here Are the FAANGM CCPA Metrics
|
Company |
Access Requests Made |
Access Requests Completed |
Access Response Time |
Deletion Requests Made |
Deletion Requests Completed |
Deletion Response Time |
Opt-Out Requests Made |
|
100,960 |
83,531 |
1.5 |
589,061 |
568,805 |
26.5 |
0 |
|
|
669,030 |
645,158 |
2 |
294,764 |
286,561 |
8 |
0 |
|
|
43,677 |
43,579 |
1 |
82,050 |
81,948 |
1 |
0 |
|
|
993 |
986 |
15 |
666 |
647 |
25 |
0 |
|
|
516 |
516 |
21 |
276 |
276 |
17 |
0 |
|
|
3,000,000+ |
not specified |
1 |
15,000,000+ |
not specified |
1 |
0 |
|
|
2,951,350 |
not specified |
0-30 |
2,846,684 |
not specified |
0-30 |
0 |
|
|
Netflix |
– |
– |
– |
– |
– |
– |
– |
We decided to take a look at how those companies, and many others (results coming soon), responded to California’s newest law to protect consumer privacy rights. Before we get to the findings, a quick summary of what the law requires companies to disclose. Companies are required to report on the number of people that exercised their right to:
- Have their personal data deleted (deletion request)
- Know what data a company (access request or DSAR request), and
- Opt-out of their data being sold to a third party (do-not-sell request).
In addition to reporting on the number of different types of requests, they also have to report on how fast they were able to complete the request—as the law requires a request be completed within 45 days. For more the “Why?” behind these metrics, check out our blog post, CCPA Reporting Metrics.
The Highlights
1. Facebook’s volume of requests looks curiously low, especially compared to its peers who also have billions of users. We believe this is because Facebook did not publish the number of requests that came through its self-service tools. A quick explainer: When you log into Facebook, you can go to your account settings to delete or deactivate your account yourself, which is a different user experience flow from Facebook’s CCPA request portal.
Facebook compiled their metrics based on requests submitted “through Facebook’s privacy support channels,” not counting instances where someone deactivated their account through their account settings. After the Cambridge Analytica scandal, congressional hearings, numerous media think pieces, and general scrutiny of the role Facebook has played in our social and political fabric, we can safely assume the numbers would be much higher if they included self-service actions.
2. With Big Tech alone, people exercised their rights to privacy 25 million times in 2020. This validates the need for all these emerging regulations. People are demanding more control, not only in California, but all over the States, with new laws popping up in Virginia, Colorado, New York, and others.
From a cost perspective, CCPA requests could have cost these Tech Giants almost $36 billion in 2020, if they had processed them without an automated privacy solution. Gartner data shows that businesses that manually process data subject requests on average spend $1,406 per request. With 25,580,027 requests total, that works out to $35,965,517,962. (So, yeah, automating your data subject requests process is a great idea.)
3. All the Big Tech players are taking advantage of the do-not-sell loophole. As such, none of the FAANGM companies reported any “Do Not Sell” requests. As Facebook puts it, “Since Facebook does not sell personal information, the requirement to provide an opt-out of the ‘sale’ of data under the CCPA is not applicable.” Lawmakers quickly saw the writing on the wall after CCPA was passed in 2018, and asked Californians to pass yet another bill—the upcoming CPRA—which will tighten the rules to allow consumers to opt out of the sale or sharing of their personal data, starting 2023.
Based on our own CCPA DSR reporting, we know that do-not-sell requests are by far the most common request—by at least 2x—so when the Big Tech players are required to report on “do-not-share” requests in 2023, we expect to see them come in at a much higher rate.
Other Big Tech CCPA Disclosure Findings
- As of writing, Netflix has not published CCPA metrics. With an estimated 74 million subscribers in US and Canada, it’s hard to fathom that they haven’t gathered enough CA resident data in their home state since being founded in 1997. We will keep watch and will update this post when we have their metrics.
- The AG’s office left it open for companies to report on CA-resident-only requests or total requests. Only Google reported CA-specific metrics around their data subject requests. Google and Microsoft both reported on people who used self-service privacy and account tools to access or delete their personal data. These tools have a different user experience from the CCPA-specific requests. Per Google, “In 2020, over 3 million users in the U.S. used Google’s Download your data feature, and over 15 million users in the U.S. deleted some of their data using Google’s My Activity feature.”
- Not counting Google and Microsoft’s national data for self-service exercise of privacy rights, the most CCPA-specific access requests received goes to Apple.
- The most deletion requests received: Amazon. Deletion can be hard. As many a privacy program owner will tell you, deleting a requestor’s data is tricky across the tens or hundreds of apps and infrastructure typically deployed in a modern business stack. Amazon, What’s App (Facebook), Google in CA, and Apple all had faster response times for access requests vs. deletion requests.
- The slowest median response times go to Google (21 days for CCPA-specific access requests) and Amazon (26.5 days for deletion requests). And the fastest times to respond go to Facebook, with a median time of one day for deletion and access requests. (This is not counting Google and Microsoft’s <1 day turnaround time for self-service requests unrelated to CCPA.)
Privacy by Design + Transparency = Trust
It’s worth noting that Google and Microsoft specifically called out the broad adoption of their self-service privacy tools (whereas Facebook did not tout their account privacy portal 👀). Additionally, both companies boast near-immediate time to respond (no more than a day) for self-service requests, much faster than Google’s CCPA-specific DSR flow. The stark difference between Google’s national, self-service privacy request volume, vs. the CA-specific volume, shows that consumers are hungry to take control of their privacy, regardless of where they live, or what legislation they’re aware of. By making the self-service tools fast and easy to use, and highlighting their use even when they technically don’t have to, Google and Microsoft are using design and transparency to prove their commitment to building consumer trust. We can’t wait to see what the effect will be on 2021’s CCPA metrics.
We’re hunting down more CCPA metrics from top brands, so sign up for our newsletter to get the next CCPA metrics blog post in your inbox.