The California Consumer Privacy Act (CCPA) went active at the start of 2020, and data from the first half of its first year indicates that state residents are primarily using it to opt out of the sale of personal information. Nearly 50% of data subject requests are made for that purpose, compared to 31% for data deletion and 21% for access to collected personal information.
Data subject requests provide an early indication of consumer preferences
Conducted by privacy management firm DataGrail, the Mid-Year CCPA Trends Report 2020 is meant to provide insights to organizations on patterns of data subject requests (DSRs) that they can expect under the new law. The firm draws this information from its position as a servicer of DSR requests to numerous companies in the state, using over 16 million consumer records for the study.
The main highlight of the study is that “do not sell” (DNS) requests to terminate the sale of personal information arrive at almost double the combined number of requests for deletion of or access to personal data. The firm expects this pattern to translate to a cost of about $240,000 per million records to fulfill these requests if they are processed manually, with about 170 total DSRs and 84+ DNS requests per million records for B2C companies. The average manual processing rate for one record is $1,406. DataGrail expects the rate of data subject requests to stabilize around 13 DSRs per million records every month based on current patterns.
The study also indicates that fraudulent requests are already a serious problem. It estimates that about 40% of access requests could not be verified, evidence of substantial interest among fraudsters in using the new law to illicitly obtain the personal information of others. Unverified requests also overwhelmingly seek data access rather than deletion or opting out of the sale of personal information.
The report sees two general spikes in DNS requests, one at the very beginning of the timeframe in January and another in June. The authors hypothesize that these spikes are tied to updates to privacy policies triggered first when the CCPA went into effect, and then again just ahead of the July 1 enforcement start date. An update to privacy policies tends to trigger new notifications at the consumer end that remind data subjects of their right to opt out of the sale of personal information.
On the subject of enforcement, DataGrail is predicting that fines will begin sometime in October based on a similar delay seen when the GDPR’s enforcement terms first went active in the EU in 2018. Any offenses dating back to January 1, 2020 are actionable, but the actual handing out of fines was off the table until July 1. The CCPA allows for civil penalties of up to $7,500 for each intentional violation of the act and up to $2,500 for each unintentional violation.
Californians opting out of the sale of personal information
The early numbers seem to indicate that while Californians may have a slight preference for not allowing the sale of personal information, there is not necessarily strong concern about or sentiment against the collection of it for in-house purposes. Slightly fewer than one in three among these data subject requests wanted their personal information entirely removed, and only about one in five expressed interest in even monitoring what sort of data about them is on file.
Awareness may be influencing the surprisingly low number of requests. A February 2020 survey from MediaPRO found that 62% of the state’s workers were unsure if their organization was subject to the new law; a different 2019 MediaPRO survey had found that fewer than 50% of California residents were even aware of the act’s existence.
And even when state businesses are fully aware of their CCPA responsibilities as regards data subject requests, many are still struggling to implement them. Businesses tend to lack confidence in their understanding of exactly what they need to do to be in compliance, particularly in terms of requirements for notification of data subjects. The state did not help the issue with a series of late amendments approved just two months in advance of the compliance deadline, and a current ballot initiative (the CPRA) that proposes even stronger rules is threatening to upend the entire enterprise just as California organizations are beginning to adjust to it.
CCPA fraud risks
In addition to giving California organizations a better idea of the expected volume and cost of data subject requests and compliance with terms governing the sale of personal information, the study demonstrates that attempted CCPA fraud is likely to be common and that safeguards against it must be put into place.
Cal. Civ. Code § 1798.110(a) stipulates that organizations must make a valid effort to verify the identity of individuals making data subject requests under the CCPA. Some highly sensitive categories of information, such as bank account and social security numbers, are not to be disclosed in CCPA information requests under any circumstances. The California Attorney General has issued guidance on this and recommends that businesses first attempt to use existing verification methods (for example, having the user log in to an existing account). Failing that, they must match either at least two reliable data points or three pieces of personal information along with the receipt of a signed verification from the requester.
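The verification tiers and the disclosure restriction described above, written out as a small request-handling gate. This is an added illustration, not code from DataGrail or the Attorney General's guidance; the `DSR` fields, the record keys in `NEVER_DISCLOSE`, and the simplified reading of the tiers (two matched points suffice; three matched points require a signed declaration) are assumptions, and the sample batch is constructed.

```python
from dataclasses import dataclass

# Categories the guidance says must never be returned in an access response
# (assumed record keys for illustration).
NEVER_DISCLOSE = {"ssn", "bank_account"}


@dataclass
class DSR:
    kind: str                         # "access", "delete" or "do_not_sell"
    authenticated: bool = False       # requester logged in to an existing account
    matched_points: int = 0           # reliable data points matched to records on file
    signed_declaration: bool = False  # signed verification received from requester


def verify(req: DSR) -> str:
    """Verification outcome, following the tiers quoted above (simplified reading):
    1. an existing-account login is sufficient;
    2. otherwise at least two matched reliable data points; or
    3. three matched pieces of personal information plus a signed declaration."""
    if req.authenticated:
        return "verified:account"
    if req.matched_points >= 3 and req.signed_declaration:
        return "verified:three-points+declaration"
    if req.matched_points >= 2:
        return "verified:two-points"
    return "unverified"


def build_access_response(req: DSR, record: dict) -> dict:
    """Serve an access request only once verified, and strip forbidden fields."""
    if verify(req) == "unverified":
        return {"status": "denied", "data": {}}
    return {"status": "ok",
            "data": {k: v for k, v in record.items() if k not in NEVER_DISCLOSE}}


def unverified_share(reqs: list, kind: str = "access") -> float:
    """Fraction of requests of one kind that failed verification; the report's
    ~40% figure for access requests is this metric over its own data."""
    of_kind = [r for r in reqs if r.kind == kind]
    if not of_kind:
        return 0.0
    return sum(verify(r) == "unverified" for r in of_kind) / len(of_kind)


if __name__ == "__main__":
    # Constructed sample batch: three access requests, one of them unverified.
    batch = [DSR("access", authenticated=True),
             DSR("access", matched_points=1),
             DSR("access", matched_points=3, signed_declaration=True),
             DSR("do_not_sell")]
    print(round(unverified_share(batch), 2))  # 0.33
```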