top of page

Californians Stingy on Data - DataGrail Report

Updated: May 16, 2023

Californians Stingy on Data - DataGrail Report

If you have been following the news, you probably know that consumer privacy is a hot topic. The California Consumer Privacy Act (CCPA) was passed in June of 2018 and has seen a lot of attention.

New DataGrail report shows California consumers won't let their data fall into the hands of advertisers, and a few companies have resorted to tricks that could spell doom for their future.

The state's residents are using their right to request access to or deletion of personal information unprecedentedly; this signals how much they value protecting their privacy rights.

After CCPA Data Subject Requests Doubled Within a Year

The California Consumer Privacy Act (CCPA) was landmark legislation that granted consumers more control over their personal data in 2018. In 2020, it went into full force and effect. In the following year, the number of requests made by consumers to access or delete their information rose from 137 per million identities in 2019 to 266 requests per million identities in 2021, which is an increase of more than 100 %.

Data Subject Requests Jumped From 137 to 266 For A Million Identities, the Year 2021

Data Subject Requests (DSRs) are a growing trend that many companies face today. This is especially true for companies with large amounts of personal data, such as financial services and technology companies. In the first half of 2019, there were approximately 150 DSRs per million identities (PMI), up from 137 PMIs in 2021.

The average cost per PMI rose from $192,000 to $400,000 in 2021—a significant increase! And this trend isn't expected to slow down any time soon: analysts predict that by 2025 it could reach upwards of $1 billion annually if your company experiences more than 1 million requests per year—and that's just California alone!

CCPA Processing Costs Rose from $192,000 to $400,000 For a Million Identities

The number of California consumers who filed Data Subject Access Requests (DSARs) has risen dramatically since the state's privacy law went into effect in 2020.

The costs associated with processing a DSAR have increased by more than 200 percent over this period, from $192,000 to $400,000 for a million identities.

This increase is due to the rising number of requests and the complexity of receiving some requests.

As companies begin to process their first batch of DSARs after July 1st, 2020, they will likely see similar increases in processing costs as more Californians assert their rights under the CCPA. Companies should be prepared for this increase by planning and budgeting appropriately.

Compliance in 3rd Party SaaS Apps a Major Challenge

In addition to the compliance challenges ad companies face, there are also significant challenges for SaaS providers. First, SaaS apps such as Zoom and Shopify need reviewing for CCPA compliance.

This is because these services collect data from users when they login to their accounts and use cookies to track browsing activity when users visit websites in which they are embedded.

Second, California's CCPA requires that businesses provide consumers with notice of their information practices and how to opt out of receiving marketing materials.

Unfortunately, it is difficult for service providers like Zoom or Shopify to provide this notice because they do not control what happens on third-party websites that embed their login forms or shopping cart technology (e.g., e-commerce cart).

DSARs Expected to Double Regardless of Complexities

Consumers are expected to make many data subject requests in the coming months. There has been some discussion among companies on how they can respond to these requests in a way that discourages consumers from exercising their rights.

One strategy is to lengthen the deletion request process so that it's not as easy for people to get their data deleted. This could happen by imposing unreasonable requirements requiring individuals who want their information to fill out lengthy tiring forms.

If adopted, such practices would be contrary to GDPR principles and could result in significant fines for non-compliance with the new law.

bottom of page