Press Release

Consumers Take Action on Privacy: New Research Shows Nearly Half of Privacy Requests Sent in 2020 Were to Stop the Sale of Personal Data to a Third-Party

DataGrail, April 1, 2021

With data subject requests (DSRs) and associated costs increasing, research shows the impact of the California Consumer Protection Act (CCPA) on companies’ privacy practices

B2C organizations who manually processed DSRs spent approximately $192,000 per million identities in 2020 to process and fulfill data subject requests.

April 01, 2021 09:00 AM Eastern Daylight Time

SAN FRANCISCO–(BUSINESS WIRE)–DataGrail, the modern privacy platform designed to help brands build trust and transparency, today unveiled the results of its 2021 proprietary research report that looks at consumer privacy trends. This year’s report, The State of CCPA: Benchmarking CCPA Trends Across Consumer (B2C) Brandsanalyses how millions of California consumers are exercising their privacy rights– to access their data, delete their data, and stop the sale of their data to a third-party– according to the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.

The research clearly shows that consumers are increasingly concerned about their personal information and how it is used. Further, the research underscores that the number of data subject requests (DSRs) companies receive varies wildly, depending on their privacy practices.

“With Apple leading a new charge on privacy and CCPA entering its enforcement stage, consumers are not only more aware of how their data is being used than ever before, they also realize, perhaps for the first time, that they have options to protect their information,” said Daniel Barber, CEO and founder of DataGrail. “As more and more states explore data privacy legislation, and as tech leaders take on privacy issues, we anticipate the number of DSRs to increase in the coming year.”

Consumers Take Control of Their Data

DataGrail is in the position of fulfilling data subject requests (DSRs) for millions of consumers, which gives it unique insights into the number of requests a company can anticipate. The company analyzed DSRs processed throughout 2020 across its business-to-consumer (B2C) customers, resulting in a powerful benchmark of what to expect as the CCPA and other privacy regulations start to have a larger impact on how business is done.

Among the most interesting findings, research showed:

  • Consumers are most likely to opt-out of their data being sold to a third party by submitting a do not sell (DNS) request, rather than requesting access to a record of their data or deletion of that data. Data showed that 46% of DSR requests were to opt-out of data being sold.
  • One-third of DSRs in 2020 were deletion requests, demonstrating that consumers are taking on a far more active role in guarding their data.
  • The ease with which privacy rights could be exercised was also a factor. Consumers were twice as likely to opt out of their data being sold versus performing an access request.

Privacy Practices Impact Business

In addition to the vast complexities of managing consumer DSRs, companies are being hit with an increased volume of these requests and substantial costs. Research showed the average B2C company received 137 DSRs per million identities in 2020. (DSRs were measured per one million identities to normalize data across different company sizes.) Gartner data shows businesses that manually process data subject requests on average spend $1,406 per request. At this rate, B2C organizations who manually processed DSRs spent approximately $192,000 per million identities in 2020 to process and fulfill data subject requests.

Factors that influenced request volume included:

  • Nearly half of all DSRs go unverified, which means the requester did not follow through with proving their identity. Many of these unverified requests were actually spam, costing companies time and money unnecessarily.
  • Organizations that use a form and a CAPTCHA tend to have significantly fewer unverified requests than organizations that ask customers to send an email.
  • Companies that updated their privacy policies frequently experienced a surge of requests after an update.

Ultimately, the study concludes that businesses can offset the financial and resource drain from privacy requests by following more proactive steps, such as simplifying the language used in their privacy policies, being consistent in their approach, and adopting automated solutions to reduce fulfilment complexity and time-consuming manual processes.

“The companies that are transparent and those that can win trust will be the big winners in the new privacy era,” noted Barber. “Proactively embracing good privacy practices doesn’t have to be a death sentence to profit margins. Forward-thinking companies have figured out how to make a strong privacy stance work for people and their business.”

To read the full report, please visit

About DataGrail

DataGrail is a leading data privacy platform. Brands rely on its Privacy Control Center™to build trust with customers and make privacy a competitive advantage. DataGrail’s Privacy Control Center is a hub where legal, security and executive teams can run impactful privacy programs and understand their real-time risk, creating the flywheel of brand trust that increases revenue. With 1400+ pre-built connections with popular apps and infrastructure, the DataGrail Integration Network is the first of its kind to detect shadow IT that may contain personal data, ensuring the most accurate data foundation. DataGrail services millions of consumers, through companies like Overstock, Dexcom, Databricks, Instacart, and has 4.8/5 stars on G2. DataGrail is backed by leading VCs and strategic investors, including Third Point Ventures, Felicis Ventures, Next47, Cloud Apps Capital Partners, Operator Collective, HubSpot, Okta Ventures, and American Express Ventures. Visit or follow DataGrail on Twitter and LinkedIn to learn more.

Media Contact