Picture of state capitol building in Sacramento showing the trend of data subject access requests in CCPA compliance

New Trends in Data Subject Requests Reveal a Shifting Landscape for CCPA Compliance

US privacy management firm DataGrail has released the findings of its investigation into CCPA compliance, revealing how consumer requests, known as data subject access requests, have shaped up over the course of the first quarter 2020.

The data subject access requests break up into three distinct categories—deletion requests, do-not-sell requests, and access requests. Each has been enshrined to consumers (‘data subjects’) as a result of the California Consumer Privacy Act (CCPA) passing through the state legislature back in 2018. The Act—similarly to the EU’s General Data Protection Regulation (GDPR)—was designed to enhance privacy rights and consumer protection for California residents.

DataGrail’s study revealed, among other things, that while consumers currently care most about having their data deleted at present, do-not-sell requests will likely become the most dominant privacy request based on early trending data, and play a more significant role for firms seeking to meet CCPA compliance standards.

DataGrail’s findings provide clues as to the emerging trends in CCPA compliance for data subject access requests, especially in light of the California Attorney General announcement that the statue is set to come into force later this year, on July 1.

Data subject access request findings

In order to conduct their study, DataGrail gathered product activity metrics from within their platform to come up with a group of insights relating to data subject access requests from the first few months of CCPA compliance.

The findings unveiled several key points about the changing landscape of CCPA compliance and trends in data subject access requests.

First and foremost, DataGrail found that consumers care most significantly about having their data deleted, with deletion requests rising 40% to become the most popular type of request in the first quarter of 2020. This stands in sharp contrast to do-not-sell requests, which came in at 33%, and access requests, at 27%.

The study also revealed that B2C companies that manually process privacy requests are likely to spend anywhere between $140,000 and $275,000 per million records in order to process the information. This means, in effect, that if a business were to have two million consumer records—the cost would double

The DataGrail researchers also recommends that B2C companies “should prepare to process approximately 100 to 194 requests per million consumer records each year” in light of the trends CCPA compliance trends emerging across data subject access requests studied.

Another noteworthy finding revealed that—based on early trending data—do-not-sell requests are set to become dominant among the other types of data subject access requests. According to DataGrail, such a change is likely because the current environment is a primary driver of consumer behavior with regards to data subject access requests.

A shifting environment for CCPA compliance

DataGrail’s report comes as the latest confirmation that companies around the globe are scrambling to adjust the ways in which they collect personal information in the wake of new robust privacy laws such as the GDPR and CCPA.

“We expect the number of CCPA privacy requests to stabilize around the February and March numbers (8 requests per million consumer records). However, as privacy related issues make headlines or a company updates their privacy policy, organizations should expect a surge of requests,” the DataGrail researchers write.

They go on to point out that in April, for example, the number of requests had been trending higher. While the researchers attribute the increase to the number of COVID-19 related emails being exchanged and to press coverage about the privacy and security of remote work and conferencing apps, they nevertheless foresee that the increases will remain through July and August as enforcement of the Act comes into effect, hastening the need for CCPA compliance.

Of this increase, as the findings suggested, do-not-sell requests will likely come to dominate, with deletion requests not far behind. According to the research team, this means that companies “should prepare for the complex task of reaching out to its network of processors and sub processors to successfully perform a hard delete.”

“New regulations cause a lot of uncertainty and anxiety,” the researchers acknowledge, “especially when they involve a lot of complexity and associated fines.”

They go on to point out that, as enforcement of the CCPA comes into effect, the findings of their research could provide CCPA compliance guidance among B2C business, especially concerning “what to expect in the coming months” so that such businesses can “take the necessary steps to ensure they are best prepared.”