Webinar - On Demand
2025 Data Privacy Trends: Managing Rising DSR Volumes & Compliance Costs
Join experts from BDO, Mammoth Brands, and Better Business Bureau as they unpack key insights from DataGrail’s 2025 Privacy Trends Report, including emerging DSR patterns, rising compliance costs, and actionable strategies for your organization.
The data privacy landscape is evolving rapidly, driven by heightened consumer awareness and stricter regulations. With a 43% year-over-year increase in total Data Subject Request (DSR) volume and data deletion requests now accounting for 82% of all DSRs, organizations face mounting pressure to adapt to these trends while managing rising compliance costs.
Join us as we sit down with privacy professionals from BDO, Mammoth Brands and the Better Business Bureau for an in-depth discussion on DataGrail’s 2025 Data Privacy Trends Report. We’ll explore:
- Key trends in Data Subject Requests (DSRs), including an emerging new pattern.
- The escalating costs of privacy compliance and what it means for your organization.
- Benchmarks to help you navigate shifting privacy expectations and legislation.
Whether you’re refining your compliance strategy or seeking to understand the latest consumer behavior trends, this webinar will equip you with actionable takeaways to navigate the ever-changing privacy landscape confidently.
Speakers

Mark Melnychenko
Managing Director, Privacy Technology Practice Leader at BDO

Divya Sridhar
VP of Privacy at the Better Business Bureau

Jacques St. Louis
Director of Security at Mammoth Brands

Kendall Lovett
Kendall Lovett: Hello, everyone for those of you joining us. Thank you so much for taking some time out of your Wednesday morning or afternoon to be with us. We're going to give people just a couple minutes to join here.
Kendall Lovett: and then we're excited to get started
Kendall Lovett: just to confirm panelists. You can see my slides here.
Kendall Lovett: Awesome.
Kendall Lovett: Hello! Everyone joining. Got a few more of you have come in. Give us just a minute for a few more folks to join. We'll start a little after
Kendall Lovett: 2 min after the hour.
Kendall Lovett: Thanks so much for being here.
Kendall Lovett: All right.
Kendall Lovett: let's get started. So this is a live webinar. I'm going to just give a couple of housekeeping items here
Kendall Lovett: with Zoom webinars. You do have the ability at any time during this webinar to ask questions. Please use the Q&A
Kendall Lovett: option in Zoom. You can also use the chat. It's a little bit harder to track questions in the chat, so we'd appreciate it if you could add them to the Q&A box, and we'll do our best to address them. We will also try to save a little bit of time at the end to have a question and answer discussion session with the panelists.
Kendall Lovett: Without further ado, I'm going to jump into it. So this is the 2025 Data Privacy Trends webinar from DataGrail. DataGrail is a leader in data privacy
Kendall Lovett: software. And we're thrilled to have a panel of experts from the data privacy field with us today. So my name is Kendall Lovett. I lead product marketing at DataGrail.
Kendall Lovett: Maybe you can tell from our headshots, which one of us is the marketer. But I did put my collared shirt on today, so pleased about that. But without further ado, I'm going to give our panelists a chance to introduce themselves. So let's start with Mark.
Mark Melnychenko: Thanks very much, Kendall. Nice to see everyone today. My name is Mark Melnychenko. I lead the privacy technology practice at BDO, which is a large consulting company that we partner closely with the DataGrail team.
Mark Melnychenko: My background is such that I've been in the privacy consulting field for about 6 years now. And prior to that, I actually came from a software background.
Mark Melnychenko: So where many folks in the privacy field these days tend to come from legal or compliance type backgrounds. I come from a much more technical background, and as a result, have gotten pretty heavily involved with helping our clients to implement privacy technology to automate tasks.
Mark Melnychenko: integrate systems together to share data and so forth. I'm located on the east coast of the US, near Philadelphia
Mark Melnychenko: and looking forward to sharing some insights with you today, aligned with the findings from the DataGrail report that we'll be discussing.
Kendall Lovett: Divya, you know.
Divya Sridhar: Yeah, absolutely. Hi, everyone. I'm Dr. Divya Sridhar. I'm the Vice President for the Global Privacy Division and privacy initiatives, operations at the BBB National Programs. And it says Better Business Bureau. We are the sister entity to the Better Business Bureau, and we provide a range of advertising and data privacy services. The 2 main programs which I will touch on today that
Divya Sridhar: I provide my expertise to, and that I lead, are our Digital Advertising Accountability Program, which is a consumer complaints based program. And we resolve inquiries that come in from complaints
Divya Sridhar: about digital advertising practices and the other programs that we offer are certification based. And they really focus on the nuts and bolts of having a strong due diligence process with regard to data privacy and cybersecurity practices at an organization. So we provide certifications and seals
Divya Sridhar: for companies that are doing the right thing and being good faith actors in the ecosystem. My background is in public policy and data privacy. I've had about more than 15 years of experience there. As you probably noticed, I'm also a former academic. So I love research really excited to be digging into this report. And yeah, this is everything that really culminates my background and my expertise. So thanks for inviting me here today.
Kendall Lovett: Thrilled to have you.
Jacques St. Louis: All right. I guess that leaves it up to me. I'm Jacques St. Louis, Director of Cybersecurity for Mammoth Brands, which is the parent company of
Jacques St. Louis: 4 business units today, which is Harry's, Flamingo, Lume, Mando. We're a CPG company that has been around for a little over 12 years, and prior to that. Well, currently, I work on our cybersecurity division and run the head, IT and cybersecurity for all of our US markets as well as our German manufacturing business where we produce all of our blades
Jacques St. Louis: in my background. I've worked for another major organization called Wheels Up where we were a private aviation company. We catered to the 1% where we had a lot of critical PII and data privacy was at our highest concern. So I've been in the business for about almost 20 years now.
Jacques St. Louis: and I've been working with a lot of different team members and organizations to just really improve on the concept behind data privacy. A lot of the companies I've worked I've talked to in the past never, never really taken it as serious as they should. And now we're seeing just how important it's become and where, the
Jacques St. Louis: we're seeing countries and different people are taking a lot of interest in what's happening with their data. So I'm happy to be on this call with everyone and to talk through how we're working with DataGrail. And yeah.
Jacques St. Louis: Good morning, folks. Thank you.
Kendall Lovett: Great. Thank you all so much. I'm really excited to have this panel put together to discuss the findings from DataGrail's report. I think this is a great opportunity to get lots of different perspectives from
Kendall Lovett: various experts in the market, from, you know the private space, how this is happening. You know, boots on the ground with Jacques, and how Mark is seeing
Kendall Lovett: providers and companies implement this as well as from Divya, from the consumer protection space, and the Better Business Bureau. So thank you all so much for joining us. With that, I want to give you just a brief overview of the report. If you haven't read it yet. This is really exciting to me. This is my first year participating and contributing to this report. But this is our fourth year
Kendall Lovett: conducting this report. The thing I love about this, especially as a product marketer and someone who's close to our customers is that DataGrail has hundreds of customers globally, and we're able to process and analyze their actual information across, you know, DSR data, opt outs, requests. So
Kendall Lovett: we're not needing to go out and issue a survey and ask people to fill it out. We're able to actually get real firmographic data, of course, anonymously, and then analyze this data for the fourth consecutive year. Because of that today, we're going to be able to discuss consent compliance trends, overall which includes scope beyond just DataGrail customers of businesses that we audit websites that we audit as well as changing DSR volume makeup
Kendall Lovett: impacts across industries and geos. We're going to show you some interesting slices of data. And, as I said, we're going to give our expert panel a chance to discuss this. And for those of you who've joined a little late, another housekeeping reminder. This is a live webinar. You can ask questions. We have a Q&A box. Please add your questions, and we'll do our best to address them live.
Kendall Lovett: So without further ado, let's get started. I want to level set a little bit on just the state of the market today. So, and in the privacy realm. So obviously, you know, since 2023, and the last time we issued this report we've seen an increase
Kendall Lovett: of action across the spectrum, both in US states issuing new laws. We've also seen enforcement actions increasing. We've seen private litigation and class action increasing. I think one of the things that's really interesting is that as this has happened, we're seeing
Kendall Lovett: enforcements and legal action, not just from the traditional sort of data leaders that you would expect while those do continue. But we're also seeing
Kendall Lovett: more of a focus on smaller organizations. I've got an example here from an enforcement action that was issued for Todd Snyder, companies that may not be traditionally considered, you know, data-first organizations, such as retailers or e-commerce companies. But I'm interested to hear, you know,
Kendall Lovett: from our panel here on the call.
Kendall Lovett: What are you seeing from the market? Maybe, Divya, let's start with you from your work
Kendall Lovett: with consumer protections. How is this sort of evolving, and what are some of the trends that you're following?
Divya Sridhar: Yeah, absolutely. I think this slide really captures it well. Up until probably the 2020s, before consumer privacy legislation and omnibus privacy legislation was passing, we found this to be a very, you know, disparate market.
Divya Sridhar: There's just everything goes right with cookies and with opt outs, and what we're finding is that this year, in particular, there's been a ton of crackdown. Now that these privacy laws have passed, they're taking effect, there's actually enforcement action that's backing it up. Companies are being held to the practices they are supposed to be complying with in the laws. And so I had actually authored a piece
Divya Sridhar: in Tech Policy Press that talks about a few specific enforcement actions this year that, you know, really call attention to the fact that consumer opt outs are not being appropriately addressed in a clear and concise manner and an expeditious manner, but also that opt outs are basically broken. This is a, you know, industry-wide trend. We're finding that cookies have been around since the nineties and early 2000s. But the fact that now they are actually under scrutiny, and they've come under the microscope is
Divya Sridhar: clear. We found with Healthline, which I know we'll talk more in detail about later in this webinar. The case against Healthline was the most recent with regard to the CPPA enforcement action. It's the largest, most landmark case to date, and what we're finding is that all of these regulators across various states, both those that have consumer privacy laws as well as those that just have a consumer protections division in the Attorney General's office.
Divya Sridhar: They're all calling attention to this issue, and the importance of being able to honor opt outs and appropriately ensure that cookies are, you know, the flow of cookies are being controlled, and that these third-party providers are, you know, under the gun, but also the first parties are under the gun to ensure due diligence is happening across
Divya Sridhar: their entire data flow. So it's really interesting to see that these trends are now being brought to light. I will, I think at the very end you'll find that my resources there with regard to a couple of the states I pull out. But you know, just in terms of what we're finding. Cookie asymmetry is a big concern. California called that out in their advisory, and also we found this in the enforcement action against Honda. Connecticut talks about dark patterns and reinforcing the need for
Divya Sridhar: cookie banners that present options to accept and reject tracking at the exact same time and equal visibility. They talk about the font size, the color really making it obvious to consumers what they need to do, and not expecting them to read the entire privacy policy, or to be able to find something that's buried in the privacy policy. I bring all this up because these are common complaints. We also find, as I mentioned as part of the digital advertising accountability program.
Divya Sridhar: we are held and bound to specific principles and expectations that we require the digital advertising ecosystem to follow. And we're finding that a lot of times, you know, because of all the new consumer privacy laws. There's this conflict between what's expected in the law. The appropriate consumer opt outs the use of third parties for controlling the opt outs. And then, you know, finally, just
Divya Sridhar: being able to put that all together and providing consumers something that's easy to react to and provide in a symmetrical format to react to cookies. So I think overall, there's a lot happening here, and that makes it a challenge.
Divya Sridhar: But I think parsing some of this as we're going to do today will help us really set the stage and define some of the most important aspects of this happening right now.
Kendall Lovett: Thanks, Divya. Yeah, 100% agree.
Divya Sridhar: Start.
Kendall Lovett: No, Jacques, from your standpoint as a
Kendall Lovett: privacy and security leader at Mammoth,
Kendall Lovett: what is, you know, what's top of mind for you and your organization? And has it changed or evolved in the past year?
Jacques St. Louis: I have well, top of mind is making sure that we have an
Jacques St. Louis: a really balanced program where we're looking at all of the data that's coming in from all of our different applications that we're integrated with our third parties that are being put into our systems. We have a number of Gen AI tools now that want to talk to different applications and pull data.
Jacques St. Louis: we have to make sure that we have a really comprehensive system that is capable of understanding where all this data lives being pulled into or being integrated into DataGrail where possible, so that we can have
Jacques St. Louis: a good program that actually takes care of these requests that are coming in. We're seeing around 60 requests per month
Jacques St. Louis: and we're looking at somewhere north of 3 million customers today. And that's a significant amount, just to make sure that we have good visibility on where their data lives. Because you're getting a much more defined increase of users who want to know what's happening with my data?
Jacques St. Louis: A lot. I think you know, the data will show that there's a lot more deletion requests. But we do have a number of people who just want to know. Where do you have on me? Where do you have it? Where does it exist? Because you're gonna see all over the media that there day after day. There's a lot of
Jacques St. Louis: events that are happening with third-party breaches. And I think customers just really wanna make sure that they know where their data lives so that they can feel like there's a sense of, you know, some kind of grasp of what's happening with their data when they integrate with one organization. And now their data lives with 10 other ones. So for us, I think the trend will continue where people wanna either
Jacques St. Louis: delete or know more about where their data lives, especially being processed with us. And for us, we're gonna continue to build on our program so that we're making sure that every new application is integrated properly, so that we have a good grasp of where data exists for our customers. We want to make sure we have their trust at all points. So this is what is always going to be top of mind for me in terms of privacy.
Kendall Lovett: Gotcha gotcha. Let's take a look at some of the first findings from the report. So this was a very interesting stat.
Kendall Lovett: This has gone down slightly since last year. Not much, but essentially we do an audit of 5,000 websites.
Kendall Lovett: obviously, we anonymize this, and we cover a wide range of different types of business size, globally. And we look at, are they respecting opt outs and GPC signals in particular. Last year this number was at 74%, it's dropped to 69%. So not a dramatic drop. Many of these organizations do employ a CMP or consent management platform, and we still find that
Kendall Lovett: the ability to be compliant with opt out expectations, and you know, respecting the GPC signal, as Divya was just alluding to with Honda and Healthline, that this is still a big problem for organizations.
Kendall Lovett: So I'm curious, Mark, you work with a lot of businesses with BDO as a consulting firm handling challenges like this.
Kendall Lovett: Does this resonate? Does this seem aligned with what you're seeing, and what are some of the reasons that you find as you work with businesses that are keeping organizations from. You know more of them from being in the green here.
Mark Melnychenko: It definitely resonates with my experience, Kendall. If anything, I would say that the number might be a little bit low. We do quite a bit of testing of CMP solutions on websites for clients. And I don't believe there's been a website we've tested yet where we didn't find at least one issue either compliance related or just not working correctly related. And in most cases we find several.
Mark Melnychenko: You know, I think there's a number of reasons for that. First of all,
Mark Melnychenko: implementing these consent solutions can be pretty technically nuanced to get correct.
Mark Melnychenko: more so than some of the other types of privacy tech modules that one would implement for data mapping or managing DSARs, for example.
Mark Melnychenko: and this is not just with respect to the initial implementation, but with maintaining it over time.
Mark Melnychenko: So you know, first of all, not all of the consent solutions out there address the full spectrum of tracking technologies. We quite often use the term cookies as synonymous with tracking technologies, when, in fact, it's only one type of them.
Mark Melnychenko: It's the one that's been around the longest, and people are most familiar with, but there are many others as well, pixels, web beacons, browser fingerprinting, etc. The list goes on, and the big tech is getting ever more creative with ways to gather and leverage data about us when we interact with websites.
Mark Melnychenko: So you know, getting things initially configured correctly and deployed correctly can be a challenge. Most websites these days use a tag manager such as Google Tag Manager, and so making sure that the consent solution is properly integrated with that can be very important to ensuring that things get blocked when a user opts out of them correctly.
Mark Melnychenko: Because if you attempt to block something once it's already happened, you're too late to the game.
Mark Melnychenko: And because of the order in which different code executes on a website that can be a pretty common problem.
Mark Melnychenko: But even if you get the implementation right initially, it's important that everyone understand that that needs to be maintained over time.
Mark Melnychenko: Most websites are not static, right? They change over time. New pages are added, old pages are removed, new tracking technologies are launched to serve different business purposes, and so you need to continually
Mark Melnychenko: understand and update the inventory of the tracking tech on the sites. Get those things properly categorized quickly, so that users are able to exercise their choices correctly
Mark Melnychenko: and retest to ensure that, as that landscape changes, that everything is still working correctly, even though it may have been on day one.
Mark Melnychenko: So I think that maintenance aspect is perhaps one of the biggest things that organizations are not always doing a great job with.
Mark Melnychenko: and is part of why we've seen so many enforcement actions like Divya was speaking about earlier. In fact, recently, we've had a few large clients
Mark Melnychenko: that were part of an inquiry sent by the UK ICO about the 1,000 most heavily trafficked websites in the UK, where they were asked to affirm their level of compliance with certain of these requirements, and in each case there were still some outstanding issues. They were open with the regulator about it. The regulator's been understanding and working through the things
Mark Melnychenko: which is great, but they are looking, and they're looking deeper and broader than ever before. So don't assume your organization is, you know, is outside of that, just because the bullseye hasn't landed on you yet.
Kendall Lovett: Great points, Mark. Yeah, I think that the CMP can be sometimes an inhibitor. If it's used as a sort of set it and forget it and become sort of a false safety blanket as you're describing. We deployed it. We've got a banner on the site. We're good, and, as you said, we're seeing more and more proactive, both private litigation as well as AGs
Kendall Lovett: employing privacy firm or sorry legal firms to go and actively investigate these. So yeah, seeing more and more of that, Jacques, as you know again, a practitioner in this space.
Kendall Lovett: curious to hear how this lands with you, and what your organization has done to sort of overcome some of these challenges that Mark has described. Any other advice you would give to folks like you out in our webinar audience today.
Jacques St. Louis: We've put together a pretty robust program, especially working with a lot of our engineering groups. As Mark described, there are
Jacques St. Louis: standard integrations where you have an API key here and there that integrates with your application and boom, you're integrated. You're seeing your data into DataGrail. And you're capable of taking action based on the out of the box configurations that you have with some applications. Right? But we know there's many others that require engineering work that require some development time to make sure that we're getting the right information, and we're capable of doing the actions that are requested in a request. So
Jacques St. Louis: we have run into scenarios where we've had to put in engineering time, which is not always easy to coordinate because we are a growing business. We're a business that constantly has to change your site update pages as mentioned before. And
Jacques St. Louis: the challenge, there is making sure that we're constantly staying on top of
Jacques St. Louis: some of the changes. I remember having a conversation with leadership and part of my roadmap was
Jacques St. Louis: updating DataGrail and I said, Well, why are we doing that? We've already implemented it? And it's integrated into these sites? And I said, Well.
Jacques St. Louis: what new applications are we putting into place this year? And like, well, do we have to stay on top of that? Well, yeah, absolutely. So. It's just part of that, you know. It has to be part of your roadmap every year to make sure that you're keeping on top of new products coming in your current products and the changing landscape. Just one more quick example is just last week Shopify
Jacques St. Louis: released a new terms of service which they explain how they will be using customer data to improve their intelligence platform.
Jacques St. Louis: and it's a responsibility of their customers to inform our own customers that Shopify will be using your data in certain ways. And yes, it will be anonymized, and it shouldn't impact them. But now you have to update your privacy policy to reflect how their data is going to be using a third party. And whenever you do something like that, what do we expect afterwards is, people will see this.
Jacques St. Louis: They'll immediately want to now
Jacques St. Louis: exercise their right to understand something. So we expect an increase in requests, and we want to make sure that we're on top of it. And it's a full cycle. It's a full cycle, especially when we talk about how we're integrated and making sure we're on top of everything. We have integrated into DataGrail.
Divya Sridhar: Yeah. And I think just to add a little bit to that, Jacques, you made some really great points. I was just thinking of a case we had with Ticketmaster. This, I think, closed last year. And so it's a public case folks can find it on our website under DAP, the Digital Advertising Accountability Program. Within this case we found that the CMP tool that they were using didn't provide a one-click option to be able to help a consumer find advertising choices. The ability to opt out of, you know, targeted advertising in one click.
Divya Sridhar: Right there on the front page of the CMP. And you know, while it's typically in a box, and there's various tabs you got to click through, burying that somewhere in one of those you know kind of lengthy tabs makes it very difficult for the consumer to be able to find and be able to opt out of targeted advertising. So the Shopify case was
Divya Sridhar: kind of interesting that you bring that or the messaging around Shopify. Very interesting, because what I found with the Ticketmaster cases, very similar to the Michigan AG's office. They came out with a suit against Roku earlier this year, and folks probably focused on sensitive data element around that case, but also in that case you'll find that you know, Roku was found to be allegedly hiding, advertising opt out mechanisms in their broader privacy policy. And so it makes me wonder. I mean, we
Divya Sridhar: tend to silo CMP tools, the privacy policy on the website, all these different modalities to be able to find your choices for a consumer. But it's got to be easy. It's got to be kind of very much uniform, depending, regardless of the modality that's being used. And we look for that as well as part of the DAP compliance
Divya Sridhar: program. So just wanted to call attention to that for consumers. One other point I wanted to make. That's pretty important. I think that it's a new finding. We just had a conversation. I just had a chance to speak with the Connecticut Attorney General's office. And that's going to be available. Live on our website today. That's pretty exciting that on demand recording, we discussed
Divya Sridhar: the Connecticut AG's office perspective around the GPC. So that's been a huge topic of conversation this year, and Connecticut also put together a 2-minute video for consumers
Divya Sridhar: to be able to really go step by step and figure out how to opt out of choices. And first of all install the extension for GPC. But then be able to appropriately opt out, which I think is fabulous. You know, consumers need more of those resources and awareness building, but in addition to that as part of that video and that conversation that we had, we drew attention to a really important finding, which is that
Divya Sridhar: GPC works on websites great, and I know that Jacques and our other panelists will be able to
Divya Sridhar: provide expertise on that. But what we're finding is that the apps aren't syncing, not all the apps, especially those that are bigger in the marketplace. I won't call anybody out, but they're not syncing appropriately to the web-based tools. And so GPC, there's still a huge gap for GPC on the apps. So I'm gonna I'm just gonna allude to the fact that I think a lot of the AG's offices are also going to be looking for compliance, you know, down the road, maybe not this year, but down the road.
Divya Sridhar: With regard to GPC compliance both for businesses on the websites as well as on the app. So there's still more to come here. I think modality is also going to make a difference in consumers a lot of times. Now, everybody's mobile, right? So making sure they have ease of access regardless of what they're using, you don't have to be old school like me to use a web browser. It should be available on the app, too. So wanted to point that out. I think those are some interesting findings from recent conversations with the Attorney General.
Kendall Lovett: Very interesting. Yeah, thank you so much for sharing. That's definitely something we're seeing from a DataGrail standpoint with our customers as well, and making sure that, as Jacques mentioned that we're providing unified experience across the different channels through which our customers can interact right with the brand and share their privacy preferences very important. We did have a question from the
Kendall Lovett: from the
Kendall Lovett: attendees here that I think would be good to bring in. This is addressed to you, Mark, but I think you know Divya, Jacques, feel free to weigh in here as well.
Kendall Lovett: We get questions about what is the level of risk between B2C versus B2B. The specific question is, would you say B2Cs are at a greater risk than B2Bs for this regulatory scrutiny? Mark, just from what you're seeing in the market. I would love to hear your thoughts on this, and, as I said, anyone else feel free to weigh in.
Mark Melnychenko: And the quick answer is, yes, definitely. I see more scrutiny on B2C companies. I think the primary reason for that is that of the various comprehensive privacy laws that have been put in place in the last 7 plus years since the GDPR started the dominoes falling, pretty much all grant rights to consumers or customers
Mark Melnychenko: of these different companies, but only a relative handful of them grant similar rights with respect to employees, former employees, job applicants, B2B contacts and other types of people whose personal information an organization may use and store.
Mark Melnychenko: I think that's probably the single biggest reason for that.
Mark Melnychenko: Also, that tends to be the group of people that are going to do the most complaining about one thing or another, an interaction that they had with a company that maybe didn't go well or something. For example, you know, while employed with a company, we rarely ever see data subject requests submitted by current employees because they pretty much know what data they supplied. They're not gonna submit a delete request if they'd like to still receive a paycheck, and so forth.
Mark Melnychenko: Whereas, you know, customers and consumers are less tightly wed to most of the companies that they do business with. So that would be the perspective I would share on definitely increased scrutiny on B2C companies, mainly because there are that many more laws with which they must comply.
Kendall Lovett: Divya, anything to add from your perspective on that one?
Divya Sridhar: Yeah, no, I would agree completely. I think the B2C space is currently more at risk. With that being said, I think it's also because the expectation, and as we saw with Healthline, with Marriott, with many of these cases that come out, both stateside as well as with
Divya Sridhar: the FTC, is that first party, that brand, that, you know, major consumer brand is taking care of its due diligence with its vendors. They have a contract even with their advertisers. They understand what tools, what cookies or tracking technologies are being, you know, are sweeping the site. That the first party is doing all the due diligence. We may see that shift, I think, over time, and we might talk, if we have time, we'll speak to some sort of the data broker landscape, and how, you know, there is
Divya Sridhar: more of an emphasis there with regard to B2Bs, and ensuring that certain entities are covering their bases, and they're doing the right thing. But at present I think that the onus is really on the first party, the brand or the consumer facing entity that's doing the work, and, you know, keeping its data compliance, you know, clean and safe and responsible.
Kendall Lovett: Thank you very much. The last thing I'll add there from a DataGrail perspective is that, you know, we see, this is a generalization, but in general, when organizations come to us as customers from a B2C perspective, their main concern is scale and automation. And we're gonna actually segue into DSAR volume
Kendall Lovett: next. While that is a concern for B2Bs, the trend seems to be more around complexity, meaning that B2B organizations in general tend to adopt a wider range of tooling. They tend to have deeper sort of data engineering practices which can make it much harder to manage both from a marketing analytics and from a sort of opt out, do not sell or share
Kendall Lovett: standpoint, but also from these requests that are coming in, particularly if they're collecting sensitive data about their customers.
Kendall Lovett: So let's take a look at DSRs, or data subject requests, specifically
Kendall Lovett: just to level set a little bit on the methodology here, and we'll just do a little bit of math this morning. Nothing too crazy to help you kind of understand what we're looking at.
Kendall Lovett: The way that this is approached is, we use monthly unique visitors as the measuring stick, because it tends to be a good proxy for privacy risk, i.e., the more unique visitors you have coming to your site, the more likely they are to share data with you, or to submit an opt out request, etc., etc. So in general, we're basing the number you see here on
Kendall Lovett: 5 million unique website visitors a month. So if you in 2024 had around 5 million unique visitors visiting your website every month. The benchmark expectation is that you would have 1,215 requests
Kendall Lovett: broken out across opt-outs do not sell or share access requests and deletion requests.
Kendall Lovett: So just to take that to its logical conclusion. If you only have 1 million unique visitors a month, you can, you know, divide that number, divide this number by 5 to get a benchmark. If you have 500,000, you can divide it by 10. If you get 10 million, you can multiply it by 2, etc. But that's the measuring stick that we use to
Kendall Lovett: collect this information. If you have more questions about that, happy to address them offline. So as we're looking at
Kendall Lovett: this volume of requests year over year, there's a couple things that I thought were interesting. Number one, I don't think it's surprising that the total number of requests has gone up. We've seen a 43% increase from 2023 of an average of 859 requests per 5 million unique visitors versus in 2024 up to, you know, 1,215. One other interesting tidbit here is that while deletion requests in the dark blue have nearly doubled,
Kendall Lovett: we've seen access requests go down. I think that,
Kendall Lovett: you know, there's a couple of potential reasons for this. This may be a finite number of people, and some maybe more folks are concerned about organizations having their data and are just going straight to the delete button instead of requesting access. But I would love to hear again from our panel here on thoughts around this increase specifically, what do you think is going on behind the scenes here? Maybe, Divya, let's start with you.
Divya Sridhar: Yeah. So I touched on the data broker industry. I think one aspect of this is just the increase in the number of you know standalone data broker laws as well. You know, we've seen a few crop up just this year, legislation as well. So maybe it doesn't pass into law. But an uptick in the number of proposed
Divya Sridhar: legislation and bills around the data broker industry. The fact that, you know, behind the scenes these B2Bs, these entities are, you know, buying data and then buying consumers' personal data, and then either reselling them or processing them, or, you know, using those insights to share with and use those inferences to share with other entities. So with a lot of, I think, the news and the press around that industry being very public and become, there's more of a crackdown.
Divya Sridhar: I think that naturally has resulted in just this hype around consumers just wanting to delete, right? Like, let me make sure that my data is deleted. That way, they can't resell that data. I'd rather not worry about what they have. I just want to, just, you know, use the nuclear button. Let me just get away from them having any access at all. Second thing I'll say is also, with regard to do not sell or share, California has created their own definition. It's much broader than what we've seen in other states with regard to do not sell or share
Divya Sridhar: and how they define it, right? And so I think the states that have been more vocal with regard to their consumer privacy laws and how they've defined these
Divya Sridhar: concepts have also, you know, those consumers are the ones doing a lot of the complaining. For example, for our, we had a big case with the National Football League, the NFL, earlier this year, and honestly the complaint arose from an issue that they were complaining about around CCPA, which we, you know, can't do anything on with regard to state specific compliance. But it's interesting to see that a lot of the complaints are happening in states where consumers
Divya Sridhar: are being made more aware. And there's just a lot more governance, you know, happening. So I think the data broker piece in particular, might be one of the reasons why we're seeing
Divya Sridhar: some of the trends you're showing on this slide the fact that there are. Now there's an expectation from the data broker laws that there has to be a registry out there, and that consumers can get their name and all their personal information deleted from the and the data brokers have to be listed on there and then they can. You know, consumers can follow up and find out more about the data broker and then get all of their information redacted, I think is
Divya Sridhar: super interesting. So that's 1 piece I think, that I'm just hypothetically guessing at. But
Divya Sridhar: other panelists. If you guys have other suggestions or reasons.
Jacques St. Louis: Mark, you wanna go or.
Mark Melnychenko: Go for it.
Jacques St. Louis: Yeah. Yeah. Well, one of you know my theories or opinion here is, I think there's been a significant increase of awareness in like social media and media.
Jacques St. Louis: You're seeing examples for, like, let's say, 23andMe, their bankruptcy that went public. People start to understand that there was a major breach that occurred. That was a factor there. Millions of records were released. You've had a lot of TikToks and Instagram
Jacques St. Louis: videos explaining about how their data was now potentially being sold to insurance companies and insurance companies would be able to look at your history and from there decline your healthcare coverage. You're getting a huge increase of
Jacques St. Louis: protect your data information where you never really got that before in the past. You're seeing this now on social media. You're seeing this on TikTok, you're finding a lot of young people getting this knowledge, which before was never really prevalent. So this has really educated the masses on, hey, really, what's happening with my data? I didn't think it was that important. I've had a lot of people in the past that have told me it's out there, anyway. So
Jacques St. Louis: they're gonna use it, whatever. But now that they see, oh, there's really power to this, like having my data can really impact my future or my, even my current state. I think that has definitely bolstered why people want to know more about their data and also delete my data. I don't want it to exist where it doesn't need to exist. So that's, I think that's just one of the areas that
Jacques St. Louis: on top of the regulatory requirements that you're getting state by state which are now sprouting up here and there, I think that's really raising so much awareness. People just want to make sure that their data is only where it needs to exist. And if there's the ability to exercise their right to delete, they're going to do it, and we're making it easier for them to do it. And they know it's their right. So they're going to exercise it.
Mark Melnychenko: Yeah. And I would agree with what everyone shared so far. And then the other obvious factor is simply that there are more people with rights each year. Right? More and more of these laws go into effect. And I know we're going to touch on this later, but also folks who live in jurisdictions that don't have a law in place have not been shy about submitting requests, regardless, to see whether a company will honor it for them anyway.
Mark Melnychenko: So I think all of these things play on each other into an increased level of awareness and level of concern, with respect to, you know, the negative events that get a lot of press coverage. And then people thinking about, oh, wait a minute. What if that happens with my data?
Mark Melnychenko: That could be a real problem, and I think some of the sensitive cases like 23andMe really tend to underscore that. I know it did for me. I've always refused to
Mark Melnychenko: get genetic testing done, because I can't think of a more sensitive piece of personal information that I don't really want in the hands of a private company that can then go bankrupt. And who knows what happens with the assets after that? So
Mark Melnychenko: that's the only other thing I would add to what Jacques and Divya had already shared.
Kendall Lovett: Yeah, thank you so much.
Kendall Lovett: Very interesting to see the exercising of rights or exercising the
Kendall Lovett: expectation. Or maybe illusion is not the right word, but the belief in rights, and even in areas where they may not explicitly have those. And yeah, we'll have a chance to talk about that in a little bit more detail in a second. Thank you all so much for sharing. Lots of great input from the attendees today. So thank you all so much for submitting your questions.
Kendall Lovett: I think, you know, one of the questions was around
Kendall Lovett: continuing to push. So if you're in a B2B organization, and
Kendall Lovett: the risk is maybe less stringent than in B2C, how do you continue to push for
Kendall Lovett: organizational alignment around privacy or for prioritization of privacy?
Kendall Lovett: And so, Jacques, I'm curious from your standpoint,
Kendall Lovett: you know, obviously you're
Kendall Lovett: coming from a consumer space. But, you know, for a B2B organization that's saying, hey, we want to continue to push privacy internally, any sort of advice as a privacy and security leader you would give to help promote that?
Jacques St. Louis: I think we've seen a lot of examples of where, you know, compromise has occurred because of, you know,
Jacques St. Louis: lack of research on third party integrations. Right? You're talking to multiple different companies. And I'll give you,
Jacques St. Louis: Mammoth Brands is, yes, is a primary B2C organization. But I did come from Wheels Up, which
Jacques St. Louis: we had a tremendous amount of integration. We had a lot of data being shared with a lot of different vendors where we had to go through a stringent
Jacques St. Louis: vetting process before we created that bond between that organization. So from that organization, I have a lot of experience there where we went through high scrutiny, making sure that we understood all the back end of what another company or another organization was doing prior to us integrating with them, sharing any information. Keep in mind, like I said, we cater to the 1%.
Jacques St. Louis: They never really made any DSAR requests. However, if anything was leaked for any celebrity, or our Congressman that flew with us, this would be a major incident for us, so we took that very seriously. And we were always on top of that from the very beginning.
Jacques St. Louis: We know what kind of data we have. And this was critical PII, this wasn't just email addresses and home address. This was passport, social, date of birth, all, you name it. We had it, even your dog's name. So
Jacques St. Louis: that was all necessary for a flight.
Jacques St. Louis: So yes, this was really critical for us. Because you're thinking about,
Jacques St. Louis: you're thinking about what we had. I had to convince a lot of our leadership. Simple things like your flight manifest.
Jacques St. Louis: You've had scenarios where you have CEOs on a flight with another CEO, and they don't want another CEO that they're currently in business with knowing this, leaking that information, which is just a simple flight manifest which the company in the past would just email. That became a big concern. And we had to really figure out how we were going to share this with our
Jacques St. Louis: flight management team. We had, you know, we integrated with a third party before that managed all of our pilots
Jacques St. Louis: before we ended up buying that company. We had to send them this information, but we also had to make sure, how are they processing this information? How is it being shared? How is being disposed? How long did we have to maintain it, required by FAA? Because this was, you know, these were all the regulatory requirements that we needed to do to be a compliant organization.
Jacques St. Louis: But you have to take all of this into consideration when you're thinking about integrating with another organization. How are you going to put that in your privacy policy? How are you going to work with this company that can they have to stay just as compliant as you are.
Jacques St. Louis: Because your own, you know, your clients are going to trust you with a lot of critical information. Again, B2C,
Jacques St. Louis: not the same scrutiny, because we don't have that critical PII,
Jacques St. Louis: but it's just a higher volume, right? How do we keep that consumer confidence? We don't end up being, you know, an Ashley Madison scenario, or a 23andMe. So these are a lot of things that you have to, really, in my opinion, you have to keep into consideration. You have to make sure that leadership is engaged in understanding that this is important stuff. It, it can, you know, make or break an organization, especially with consumer trust.
Divya Sridhar: Add one thing, Kendall, as well. So
Divya Sridhar: I think in the B2B space, I'm seeing an uptake for our certifications, especially for SaaS vendors, AI companies that are, you know, typically B2B, so they're not getting complaints from consumers directly, but they're supporting the back end for other customer facing brands. And what we've seen is these, you know, SaaS vendors, AI companies are interested in the Privacy Recognition for Processors certification, the PRP.
Divya Sridhar: I reference it because a lot of folks just don't know about it. This vendor due diligence program is actually a uniform certification, sort of basically benchmark requirements agreed upon by regulators all over the world, except for the EU. It's basically the Asia Pacific region, US,
Divya Sridhar: Canada, Mexico, and a smattering of other countries that have agreed on these baseline requirements,
Divya Sridhar: and many of the processors that come to us, especially those that are in the B2B space, they find that when they complete that certification they aren't being held to a higher set of requirements. The bars kind of just moved up a little bit more, and that gives them the peace of mind that they're doing the right thing, that they're even behind the scenes, even if they're not in a consumer facing environment, they're still making sure they meet all the requirements, so that down the road, when
Divya Sridhar: this does become a bigger issue, and maybe does come under more scrutiny, they'll be covered. So we have, you know, companies ranging from Cisco, HP, some of the largest companies, to Okta and Moody's,
Divya Sridhar: which you all are well aware may not be, you know, consumer facing necessarily, but are dealing with high levels, high volumes of data, but also sensitive data. So it's interesting that we're seeing this uptick in interest in some of these privacy certification programs focused on the B2B space.
Divya Sridhar: Also thought of one other quick thing that may be another hypothesis for this side on the deletion, so I thought I would just mention it real quick. I'm also seeing, as we fill out these, complete these certification reviews, that companies are adding DSAR request pages and forms so they can be more
Divya Sridhar: time consuming processes for consumers rather than just sticking an email address in their privacy policy and saying, you know, if you have a complaint, or if you need us to delete your data, you can access it or reach out to us at privacy at
Divya Sridhar: blankbrand.com, right, whatever the brand name is, x.com, but instead of that, they're creating these
Divya Sridhar: pretty strenuous pages that require consumers to decide, do I want to get access to my data? Do I want to make a specific request about something, or by, you know, much more complicated. So given the amount of time that it can take to complete those access requests, I think that may be another reason why consumers say, hey, I just want it all gone, because I'm spending time and effort filling this out. So let me go ahead and just, you know, have it just all the way deleted. So just another thing that dawned on me. Not to spend too long on the slide, but
Divya Sridhar: something else that's been coming up in our research.
Kendall Lovett: No, perfect. Thank you so much. Last thing I'll add, just on that question of prioritization and organization for privacy, whether you're B2B or B2C. You know, there's those 2 magic letters that we've all heard so much about this year that can be a great way to get the attention of your leaders. And that's AI, right? And so as we're thinking about AI governance, as we're thinking about utilizing AI and rolling it out throughout the business, the
Kendall Lovett: ultimate goal is to provide usable protected information and data to your organization that they can use to drive AI initiatives. And there are multiple legs to that stool. Of course, you know, security is a big part of that. We're seeing more and more movement from the AI Security side, but also delivering data that is protected and that we have applied privacy controls to
Kendall Lovett: can help ensure that we're utilizing that in a way that's going to reduce financial risk and give the business confidence that they can roll forward with those initiatives, and we could do an entire webinar on that. We probably will. Maybe we'll invite this group, some of this group back for that. But one more thing that I would add there.
Kendall Lovett: okay, one other interesting slice here. So
Kendall Lovett: this is a breakdown of some of the top
Kendall Lovett: industries that are receiving requests. So
Kendall Lovett: I wanted to show this quickly, just to demonstrate that while traditionally, we think of requests as coming to the sort of data heavy, or, you know, data collecting
Kendall Lovett: types of industries, we're seeing it across the spectrum. So I don't think it's any surprise on this call that data brokers are seeing the lion's share of deletion requests as we've discussed already today in this panel discussion. However, you know, if we look across the other
Kendall Lovett: leading industries that are receiving requests, it's interesting to see that organizations or industries that are typically not seen as always data first are also still receiving high volumes of requests across e-commerce, right, health and wellness, real estate.
Kendall Lovett: If we continued this list down, B2B organizations are included in this list as well as industries like gaming, gambling. Right? We're seeing a lot of opt out requests from industries like that,
Kendall Lovett: but I'd just like to give our, you know, panelists a second to react to this and anything that is
Kendall Lovett: surprising, or any sort of insights you have
Kendall Lovett: from looking at this information. Jacques, I think, you know, your business would sort of fall in this area here. I'll let you start, anything that kind of comes to mind as you look at the industry specific breakdowns.
Jacques St. Louis: This looks pretty much correct. I mean, especially, you know, we're in the e-commerce space. Most of our
Jacques St. Louis: transactions happen online through our websites. But
Jacques St. Louis: you do have a lot of customers who obviously want to continue to do business with you. But they want to make sure that their data remains with the company that they're
Jacques St. Louis: basically engaged with. Deletion requests, you know, you have competition. You have a lot of people who are going from different vendors, and they want to make sure that they're only working with the vendor that they chose.
Jacques St. Louis: So a lot of this stuff makes sense to me on the e-commerce base. Data brokers, it just makes a lot of sense for me where you have a tremendous amount of deletion requests on just how things are being processed with those organizations. Health and wellness kind of surprises me. I'll be honest with you, just because I think the way healthcare works, and how,
Jacques St. Louis: you know, we perceive the
Jacques St. Louis: notion of having more information about your well-being in the healthcare space can help you overall. I find it weird that they want deleted. I would assume it's more of the do not sell kind of space. But, you know, the numbers are the numbers. So yeah. For the most part, I agree with everything I see here, it does resonate well for me.
Kendall Lovett: Divya, you mentioned Healthline earlier. You alluded to that. Any thoughts from you on
Kendall Lovett: the health and wellness industry specifically?
Divya Sridhar: Yeah, no, I think this tracks really closely. I mean, overall, this also tracks with trends with regard to the cases we've had with our dap program. We've had cases with, just this year, LexisNexis. We've had cases with the NFL, as I mentioned. Most recent was FedEx and Shoprunner, again, in that e-commerce kind of bucket. Last year we saw an uptick. The FTC had a number of cases, I think, over the last, in 2023 in particular, they really came after a number of
Divya Sridhar: companies in the online health space and in the mobile app space, with regard to their processing of sensitive data, especially for targeted advertising and not providing purpose limitation, and ensuring that there was data retention policies in place and really limiting the purpose to the specific service that the consumer is expecting, or if you're not going to do that, providing the appropriate disclosures. So consumers made aware that this,
Divya Sridhar: that their information is going to be used for a separate purpose, like targeted advertising, and then, you know, they can opt out. So I think just that connection makes a lot of sense here with what you've got on the slide, because all of these industries
Divya Sridhar: focus heavily on kind of the third party piece and being able to sell or share for advertising purposes. So it makes sense. And it makes the connection, I think, with Healthline. Purpose limitation was one that, obviously, we talked about cookie consent, we talked about the GPC not working, but there, I think, the call out around Healthline failing to appropriately limit the purpose for which it was
Divya Sridhar: using the data, that's, I think, a major consideration that companies should keep in mind. Because that's gonna be one that, you know, we're finding that as well, whether it's sensitive data, which is probably the most important, requires often consent, or it's
Divya Sridhar: more generic data about the consumer that can be found elsewhere. I think it's going to be very, very important for those disclosures to be clear, meaningful, prominent, and that consumers have the ability to opt out, or opt in in some cases, if it's sensitive data. So I think folks should clue in. I know we don't have time right now, but in the Healthline case, the purpose limitation section in particular is really well written, and it explains what they could have done differently, which I think should be a focus for companies in the health and wellness space.
Kendall Lovett: Thank you for that. All right, we just have about 5 min left. So one last section I wanted to cover here. I'm actually gonna breeze past this slide. We're going to talk specifically about US state laws for a second, because I want to make sure we address a question in the chat on this, too. But in general this is showing us that globally many of the requests, you know, 31 and a half percent of the requests that came in last year were from
Kendall Lovett: areas that did not have
Kendall Lovett: comprehensive, you know, federal or national laws. When we look at the US specifically, as we mentioned, there's a smattering of laws. We're seeing that, you know, 23 and a half percent, over 46% in total, are coming from states that either have laws on the books, but not yet passed, or no state law in general. You know, Mark, we had a question come in earlier about
Kendall Lovett: the sometimes conflicting requirements or confused around these requirements. How are you helping organizations, or what are you seeing as an effective way for organizations to help manage the disparate nature of privacy regulations today?
Mark Melnychenko: Yeah, I think the most important thing that we've seen and advise clients on here is to try to be, basically to distill the solution down to the least common denominators. What I mean by that is, for a given right, if the nuances of what 3 or 5 or 7 different laws say that right needs to include differ,
Mark Melnychenko: gravitate towards the one that is the most comprehensive or the most restrictive, and fulfill that right in the same way across the board rather than, for example, trying to have multiple different flavors of how to fulfill an access request,
Mark Melnychenko: just distill it down to what will be satisfactory to the most stringent set of requirements out there rather than trying to vary things depending on the jurisdiction.
Mark Melnychenko: The second thing I would note is that you know, especially if you include the 4th bar here where it's passed, but not yet in effect, more well, more than 50% of what we see on this slide is coming from people who don't technically have the rights yet.
Mark Melnychenko: and I've seen a mix of clients across different industries take either the position of
Mark Melnychenko: broadly extending rights to people, even if they are in a jurisdiction which doesn't have the right currently versus only extending rights for people in jurisdictions which have it
Mark Melnychenko: with respect to the consumer space. I've seen a mixed bag there, and companies taking both positions. Of course there's nothing wrong with only honoring rights from those places that have those rights legally. But at the same time, does that create
Mark Melnychenko: a perception problem amongst your customer base? If you have people in many different jurisdictions. And like, okay, they get certain capabilities from you that I don't, just because of the current state of the law.
Mark Melnychenko: And I've typically seen.
Mark Melnychenko: you know, companies that are very brand and consumer trust focused tend towards offering the rights more broadly to jurisdictions that don't technically have those rights yet. And the most common types of companies I've seen lock things down to only those with rights are either those that are just kind of check the box on compliance, like, do the minimum to be
Mark Melnychenko: legally compliant, or that have extremely high volumes of requests that they're dealing with. And it's just a matter of practicality that they are only processing the requests that they must rather than all that they receive.
Mark Melnychenko: So I think it's important to consider how those factors play out for your organization in terms of whether or not to honor rights from folks in jurisdictions that don't have the rights yet, but independent of that, just try to strive to make the solution
Mark Melnychenko: as non-complex as possible. Offering a lot of variety in it can get to the point very quickly where it's hard to maintain the solution, or for your users to understand how to properly exercise their rights.
Kendall Lovett: Thanks, Mark. Yeah, we're about out of time. I'll just add that, you know, from a DataGrail perspective, that's a key challenge that we seek to solve. And so we proactively track and update these rights, and the way that they, both
Kendall Lovett: DSAR requests as well as consent and opt out requests, are handled by the platform to try and make this easier for you. It will notify you and say, hey, you know, Minnesota is passing new law, etc. Here's what we're going to update. You can then choose to adjust that for your business as you see fit, or apply it as we provide it. So that is an area where privacy platforms like DataGrail can come in handy. With that, we're about out of time for today. So
Kendall Lovett: costs continue to go up. Manual costs continue to increase. Again, if that's a concern for you, recommend looking for automation of platforms like DataGrail that can help with that.
Kendall Lovett: We've provided some helpful resources and additional reading. We talked about a lot of challenges today. We talked about a lot of bad news. The good news is there are solutions out there. There's lots of help out there.
Kendall Lovett: We provided some great resources from the Better Business Bureau National Programs from Divya as well as DataGrail specific resources. These are going to be available in the chat as well.
Kendall Lovett: We will share these slides with you afterwards, so you can access these links. Thank you, everyone, for joining us today. We hope this was helpful. If you'd like to have a follow-up conversation about what DataGrail can do specifically to help you navigate these challenges, please fill out the survey that was sent over the chat or visit us at datagrail.io.
Kendall Lovett: Thank you to our panelists for joining us today and taking some time. This was extremely enlightening and helpful for me, and I hope it was helpful for our audience as well.
Kendall Lovett: Thank you. Everyone.
Mark Melnychenko: Thank you, Kendall.
Mark Melnychenko: Thanks for having us, Kendall.
Divya Sridhar: Bye, have a good one. Everyone.