This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Introducing The State of CCPA: 2021 Consumer Privacy Report

Alicia diVittorio, April 1, 2021

2020 was the year that the California Consumer Privacy Act (CCPA) went into effect, giving Californian consumers—for the first time in the U.S.—the right to take more control over their data. That makes the start of 2021 the best year to look back at how the law impacted consumer privacy. And that’s just what we’ve done in our latest report: The State of CCPA: 2021 Consumer Privacy Report.

At DataGrail, we’re in the unique position of fulfilling data subject requests (DSRs) for millions of consumers, which gives us valuable insights into the number of requests a company can anticipate. We analyzed DSRs processed throughout 2020 across our business-to-consumer (B2C) customers, resulting in a powerful benchmark of what to expect as the privacy regulations like the CCPA / CPRA impact how businesses operate. 

This research will help organizations confidently enter the era of privacy and help them understand where they stand relative to their peers in the space. At the highest level, the research shows that people are taking action to control their privacy, with them most likely to opt-out of their data being sold to a third-party. The data also shows that brands who are actively embracing privacy— and automate elements of their privacy programs— are very likely saving money in the long-run.  


  • Consumers are most likely to opt-out of their data being sold to a third party by submitting do-not-sell (DNS) requests. 46% of total requests were DNS.
  • In 2020, consumers embraced their right to delete their data; ⅓ of DSRs were deletion requests.
  • B2C companies received approximately 137 DSRs per million identities in 2020, but the number of DSRs a company receives varies wildly depending on their privacy practices. 
    • Organizations who use a form and CAPTCHA tend to have significantly fewer unverified requests than organizations that ask customers to send an email.
    • Organizations who update their privacy policy frequently tend to see a surge of requests after an update.
  • Lack of end-to-end privacy automation will cost you—B2C companies that manually process requests should expect to incur costs around $190K per million records to fulfill requests.
  • “Hello, anyone there?” Nearly half of all DSRs go unverified, which means the requester did not follow through in proving their identity. Many unverified requests were actually veritable spam.

Consumers have embraced the CCPA, and as we look ahead we expect we’ll see an increase of DSRs in 2021 as privacy issues continue to dominate the headlines.  With Apple leading a new charge on privacy and CCPA entering its enforcement stage, consumers are not only more aware of how their data is being used than ever before, they also realize, perhaps for the first time, that they have options to protect their information. 

 Get the full breakdown of what you need to know in the State of CCPA 2021 Report.

subscribe to GrailMail

Like what you see?

Get data privacy updates sent straight to your inbox.