Several countries around the world have data privacy laws, and in the United States, more than one-third of states have passed comprehensive privacy laws, following California’s lead. Before our next report in 2025, privacy laws will start to take effect in states like Delaware, Florida, Iowa, Montana, Oregon, and Texas.
To understand the impact of these laws, DataGrail closely monitors the number of data subject requests (DSRs), more informally known as “privacy requests,” it helps businesses process every year. This turns into our annual Data Privacy Trends Report, which helps the industry at large understand how privacy is trending, and gives businesses a way to benchmark their privacy programs compared to their peers. {CTA}
The Volume of Privacy Requests Continue to Climb, So Do the Costs
The data this year proves that—yet again—privacy awareness is growing. And, businesses are receiving more privacy requests. We saw a 246% increase in requests from 2021 to 2023. For every one million consumer identities, manually processing DSRs costs about $800K. Consumers are taking more control over their personal data by, among other things, accessing it, deleting it, or requesting businesses to not sell or share it. Privacy requests are booming year on year, with businesses facing on average 859 DSRs per one million identities in 2023 compared to 377 in 2021.
As businesses collect more data and privacy requests increase, handling DSRs becomes difficult and expensive. Companies can struggle to locate data stored in different formats across different systems, all while ensuring they do not violate the rights of other consumers. Businesses face a huge rise in costs unless they automate parts of the DSR process.
Deletion Requests are Most Common & Opting Out is Becoming Mainstream
Privacy Requests to delete personal data exceed access and ‘do not sell’ requests for the third year running, making it the most common type of DSR. Deletions account for more than 40% of requests on average across businesses. While deletion requests remain most common, access requests have increased most significantly, booming by around 50% since the previous year.
Consumers are automating “Do Not Sell” requests, and we expect more people to do so as Universal Opt-Out Mechanisms (UOOMs) that automate these requests become more mainstream. In more and more states, honoring do-not-sells will become mandatory—but our research suggests that most companies are not ready for this new landscape. DataGrail analyzed over 5,000 websites to check how businesses respond to GPC signals; DataGrail discovered around 75% of businesses are not honoring the Global Privacy Control (GPC). These businesses fired three or more cookies despite activating the Global Privacy Control. This is likely because businesses think they are compliant, but the technology they have in place isn’t configured properly—or it doesn’t support GPC. Alternatively, they are unaware this is now a requirement. Regardless, more states are requiring that businesses honor UOOMs like GPC.
Many organizations would be surprised to find out they are not compliant, despite having a consent solution. A lot of consent offerings on the market, including free and paid consent tools, are difficult to properly configure or don't support GPC. Additionally, US state privacy laws continue to grow and differ from state to state, causing confusion and potential noncompliance for businesses.
Industries like Ecommerce and MarTech Companies Receive the Most DSRs
We took a look at the volume of DSRs across various industries. Ecommerce—or brands that have a direct to consumer (D2C) online relationship —typically receive the most DSRs. They receive nearly double the overall average number of DSRs. Marketing tech (MarTech) companies come second. Both these types of companies operate mainly online and can engage in intensive marketing campaigns, meaning they collect a lot of personal data. (You can learn more about consumer sentiments about data privacy in the retail space in our Ecommerce & Privacy Report.)
Privacy Requests Can Come From Anywhere
Consumers worldwide want control over their data even if they’re not protected by privacy law; and businesses are honoring their requests. As legal demands and consumer expectations increase, take control of your privacy program with an automated platform that efficiently handles all types of privacy requests.
46% of DSRs arrived from IP addresses located outside regions with privacy laws (US, Canada, China, Brazile the UK, or the EU). As such, people making these requests might not be covered by strong privacy laws. Around 12.5% of US-based DSRs came from states with laws already on the books (CA, CO, & CT), yet 34% are coming from states without privacy protections, suggesting people from across the US are submitting requests regardless of their level of legal protection. Consumers want more control over their data even if they don’t have legally-protected privacy rights.
Legal and cultural trends mean every company should be taking privacy seriously, and this report can help you navigate this fast-developing landscape. Legal and consumer expectations will continue to increase, take control of your privacy program with an automated platform that efficiently handles all types of privacy requests. DataGrail’s Request Manager can help automate your data subject requests with fewer people in less time, creating less stress.
If you’re hungry for more details on what’s in store for privacy, download the complete 2024 Data Privacy Trends Report for a comprehensive look at privacy trends that are impacting your business.