When the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, many affected businesses were not completely prepared for the changes and were short of being compliant with the new regulations. With the first quarter under the new regulations done and dusted, a new report [pdf] from DataGrail looks at how B2C companies are faring so far.
The report analyzed three types of consumer rights requests outlined in the CCPA guidance: the right to delete (deletion requests); do not sell requests; and the right to know data collected (access requests). In Q1, of the data subject requests DataGrail helped to process on behalf of select B2C customers, deletion requests were the most popular, with 39.6% of total requests coming from consumers wishing to have their data deleted. This was followed by do not sell requests (33.3% share) and access requests (27.1%).
Furthermore, deletion requests were highest in January at just more than 15 requests per million customer records, compared to about 10 per million for access requests, and 5 per million for do not sell requests.
After the initial influx of requests in January, which was likely due to the law taking effect and privacy policies being updated, the number of requests per million did fall for deletion requests and access requests for the final 2 months of the quarter. However, do not sell requests remained steady throughout this time, and are anticipated to become the dominant request over time.
Although many consumers are not aware of how regulations like CCPA and GDPR impact their data security, per this recent study, DataGrail suggests that B2C companies should anticipate 194 requests per million consumer records in 2020. The report estimates this will break out to 77 per million deletion requests, 66 per million do not sell requests, and 51 per million access requests.
Using data from Gartner, the report suggests that manually processing a data subject request costs an average of $1,406 per request and could cost B2C companies $140K-$275K per million consumer records per year.
The full report can be found here.
About the Data: Results are based on an analysis of the data subject request DataGrail helped process on behalf of select B2C consumers with a substantial volume of privacy requests in Q1 2020.