DataGrail took a look back at product activity metrics within our platform during the first quarter of the year – since the California Consumer Protection Act (CCPA) took effect on January 1, 2020 – to understand what B2C companies can expect for the remainder of 2020. Although it’s still early to understand exactly how CCPA will impact organizations in the long-run, we gathered our early learnings from the first few months of CCPA into a report to help businesses plan and predict the future of privacy regulation.
We hope this early data will help the industry at large better understand the trends so far, help businesses benchmark against peers, and provide guidance on how best to plan ahead. In our findings, you’ll see references to three types of consumer rights requests that are part of the CCPA, often referred to as data subject requests (DSR) or data subject access requests (DSAR request):
- The right to know the data collected. We refer to these as “access requests.”
- The right to deletion. We refer to these as “deletion requests.”
- The right to say no. We refer to these as “do not sell requests” (DNS).
Highlights include:
- Deletion requests were the most popular requests (40%) in Q1 2020, followed by DNS (33%), and access requests (27%).
- Privacy headlines (and COVID-related emails) in March & April likely drove an increase of CCPA privacy requests.
- Do Not Sell (DNS) requests will likely become the most dominant privacy request when looking at early trending data.
- B2C companies should prepare to process approximately 100 to 194 requests per million consumer records each year.
- B2C companies manually processing privacy requests are likely to spend anywhere from $140,000 to $275,000 per one million consumer records to process them.
- January 2020 saw a surge of privacy requests, most likely due to the law going into effect and privacy policy updates.
January 2020 saw a surge of privacy requests as companies updated their privacy policies in accordance with CCPA. The jump in requests on January 10, 2020 is due to several companies updating their policies and getting requests in return. Companies who made drastic changes to their policies saw the most requests.
Since the initial surge in January, we’ve seen the number of monthly requests stabilize around eight requests per million consumer records. However, at the time of this report’s publication, early April data shows another increase in requests, potentially due to privacy issues being in the headlines related to the security and privacy concerns with remote work apps amid COVID-19.
When analyzing privacy data from Q1 2020, deletion requests were the most popular data subject requests made at 40%. DNS requests came in at 33% and access requests came in at 27%. However, over time, we expect DNS requests to become the more dominant request. Looking at early trending data, DNS requests have stayed at a fairly consistent level since January, while access and deletion requests have decreased since the original January spike. This can potentially be attributed to consumers becoming more educated on their privacy rights under CCPA, as well as websites updating privacy policies and DNS links and banners to make the option more apparent.
Companies should expect to receive requests of all types, but in particular deletion and DNS requests. Deletion requests can be more technically challenging to complete because it requires companies to scrub all their systems in their entirety – and reach out to processors and sub processors – to ensure a “hard delete”. In addition, companies need to undertake an analysis of what data must be retained (e.g. for credit cards or tax purposes) and anonymized accordingly.
Gartner data shows that manually processing a single data subject request costs (on average) $1,406 per request. If companies are processing upwards of 100-190 requests per million consumer records, this means companies could spend upwards of $140k-$275k per million consumer records if they are not automating the data subject request process.
Looking Ahead
As we look forward to the remainder of 2020, we expect the number of CCPA data access requests to stabilize around the February and March numbers (8 requests per million consumer records). However, as privacy related issues make headlines or a company updates their privacy policy, organizations should expect a surge of requests. For example, in April, the number of requests is trending higher, most likely due to the number of COVID-related emails sent, and due to the headlines about the privacy and security of remote work and conferencing apps. In July and August we may see a surge once CCPA enforcement begins on July 1, 2020.
DNS requests will likely dominate, with deletion requests not far behind, which means companies should prepare for the complex task of reaching out to its network of processors and sub processors to successfully perform a hard delete. New regulations cause a lot of uncertainty and anxiety – especially when they involve a lot of complexity and associated fines. Amidst this uncertainty and the daily changes in our macro environment due to COVID-19, our aim with this research is to establish a simple baseline for what to expect in the realm of data privacy. With the California Attorney General confirming that CCPA enforcement will begin on July 1, this research gives guidance to B2C businesses of what to expect in the coming months so that they can take the necessary steps to ensure they are best prepared.
You can download the entire State of CCPA Q1 2020 Report here. Look forward to an updated report as we continue to monitor trends throughout the year.
Methodology
DataGrail took a look at the data subject requests it helped process on behalf of select business-to-consumer customers with a substantial volume of privacy requests in the period January 1 to March 31, 2020. This customer set had more than eleven million consumer records, where a “consumer record” is defined as a single, individual record associated with a unique email address within a customer’s database. To determine the cost of manually processing requests, we used Gartner’s estimate that manually processing a single request costs $1,406. Gartner published this statistic after releasing details from its 2019 Gartner Security and Risk Survey in February 2020.