The 2022 Data Privacy Trends Report from privacy management platform DataGrail examines the ongoing impact of the California Consumer Privacy Act (CCPA), and finds that consumers are taking full advantage of these expanded rights to protect their privacy. Among other metrics, data subject requests doubled from 2020 to 2021 and more people are asking for data deletion and to opt out of the sale of their data to third parties.
CCPA having a definite impact as Californians assert digital privacy rights
The CCPA went into effect at the start of 2020, providing two complete years of data at this point. The total number of data subject requests just about doubled from one year to the next, with state residents having the right to view stored personal data and to request corrections, ask for it to be deleted and opt out of having it transferred or sold to other companies.
The total number of data subject requests increased from 137 to 266 per one million identities in 2021. There was a corresponding increase in deletion and Do Not Sell/Share (DNS) requests, with each of those categories also nearly doubling on the year. Together, these two categories make up the vast majority of data subject requests, as requests from end users looking for simple access actually shrank compared to 2020. DNS requests alone outpaced the total of all requests for the previous year.
Of course, this pickup in traffic increases costs for California businesses. The estimated cost of processing CCPA requests more than doubled in 2021, going from $192,000 per one million identities to $400,000. The study found that most organizations have somewhere between 26 and 50 employees involved in handling a single data subject request when it is processed manually, and that privacy employees each spend about 60 to 130 hours of their year dealing with these requests. The average cost of processing each DSR is estimated to be about $1,524.
Companies are also struggling to keep up with all of the third-party software as a service (SaaS) apps they use that contain information subject to CCPA data subject requests. The report found that companies miss about half of these “shadow” SaaS apps when they run data mapping exercises manually. Examples include remote conferencing apps (such as Zoom), collaboration apps (such as Slack), ecommerce platforms (such as Shopify) and customer relationship management software (such as Salesforce). Companies are often simply not aware that CCPA-regulated personal information is being stored in these places. With a current average of 190 enterprise applications of this sort in use per company, there are a lot of dark corners for personal data to get lost in.
Californians determined to get data subject requests through despite “dark patterns” and similar obstacles
Some companies have attempted to counter this increased cost (and loss of valuable data) with simple tricks, making consumers jump through hoops to reach the CCPA-required data subject request options. The report shows an example of a Disney website that requires users to click through eight steps to have their data deleted, but points out that request numbers doubled in spite of these efforts. Dark patterns designed to confuse consumers out of making a request are regulated under the CCPA, but there is still some room for companies to impose an excessive number of steps for making data subject requests.
The report also cautions that these request numbers are not going down as the CCPA shifts to the newly adopted California Privacy Rights Act (CPRA) at the beginning of 2023. The researchers expect data subject requests to double again as the range of companies required to provide a DNS option to consumers expands and as the ability of companies to share personal information without selling it is greatly curtailed.
The CPRA is not an entirely new bill; it is accurately described as a sort of amendment or update that shores up specific portions of the CCPA, but it will introduce some other changes for companies that could contribute to added labor and costs. It creates a new category of “sensitive personal information” that covers things like unique identification numbers, financial account information, geolocation, biometric information and health information. This comes with new opt-in and opt-out requirements as well as purpose limitation and disclosure rules, and potentially bigger penalties for not keeping pace with the new standards. A new right to data portability is also being added, minors 16 and under must be asked to opt in to data sharing, and the right to request correction of inaccurate personal information is expanded.
Other states are also bringing privacy bills online that have similar terms to those currently found in the CCPA. Virginia and Colorado already allow for similar data subject requests and they are coming online in Washington DC, the state of Washington and several other places.