close
View other resources
header image

Methodology

DataGrail analyzed the data subject requests (DSRs) it helped process on behalf of customers from January 1 - December 31, 2024. The 2025 report uses unique website visitors in place of unique identities (UIs) used in prior years because it is a market-relevant metric that is easy for business leaders to track and contextualize, while still strongly reflecting privacy risk insights.

To align the 2024 data with historical trends, we established a standardized conversion factor. Among the customers included in the study, the average number of UIs was five times higher than the average number of unique website visitors, resulting in a 5:1 ratio.

This ratio allows us to normalize the 2024 data by scaling requests to reflect website visitors, amplifying the relevance of privacy risk metrics for businesses. As a result, we’ve adjusted the multiplier for 2024 data to 5 million unique visitors per request - an update from the 1 million UIs multiplier used in prior years.

To determine the cost of processing requests, we used Gartner’s manual processing estimate of $1,524 per DSR.

We found the number of DSRs a business receives varies greatly due to multiple factors, including whether the company is B2B or B2C, how often company privacy policies change, and several other factors. To account for variability, we used a 10% trim mean calculation to determine our benchmarks. A 10% trim mean calculation excludes the 10% largest and 10% smallest values and takes the mean of the remaining 80%.

The dataset includes DSRs submitted under California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), along with DSRs received in the U.S. and globally that don’t fall under those regulatory umbrellas. As a U.S.-based company, with primarily U.S.-based customers, our dataset may skew toward DSRs from the U.S. To calculate the percentage of organizations not complying with the Global Privacy Control (GPC) standard, we audited more than 5,000 websites. This methodology ensures a seamless year-over-year comparison while delivering deeper, actionable insights into privacy risks in today’s privacy landscape.

icon

What’s a DSR?

A Data Subject Request (DSR) allows an individual to request that an organization takes certain action over the individual’s personal data. There are several types of DSRs, but this report focuses on requests to access personal data, requests to delete personal data, and requests that a company does not sell or share personal data (“Do Not Sell” requests).

continue reading