It has been well documented that the U.S. has no federal data privacy law, despite the EU, China and many other nations enacting their own governing policies. That may be about to change. On June 3, a bipartisan group of senators introduced a draft of the American Data Privacy and Protection Act (ADPPA). The bill has since entered the markup process, where it is starting to face some pushback on both sides of the aisle. Until ADPPA or a different federal privacy bill is passed, data privacy is slowly becoming more of a states-rights issue. California got the wheels in motion with its landmark California Consumer Privacy Act (CCPA) in 2020, and it is already set to up the ante with an upgraded version – the California Privacy Rights Act (CPRA) – scheduled to go into effect on January 1, 2023.
To understand the impact of data privacy legislation at the state level, and what businesses could be in store for, CCPA is a useful measuring stick. It has been in place for two full years, making it possible to ascertain trend lines.
The gauge: CCPA’s impact so far
DataGrail’s research team dove into CCPA for a deeper understanding, looking at how many Data Subject Requests (DSRs) were processed across its customer base in both 2020 and 2021, and there were significant implications for businesses. For example:
The volume of requests has increased substantially year-over-year. In fact, companies processed almost double the number of requests in 2021. Looking across all access, modify, and delete requests, the numbers increased from 137 requests per 1 million identities to 266 requests per 1 million identities. This spike has already placed an enormous strain on businesses required to handle high volumes, but requests are expected to continue trending upward – both in California and in additional states as legislation is enacted.
This translates to significant costs to organizations. Gartner research estimates that it costs businesses approximately $1,524 to process a single DSR. Doing the math, this means that companies manually processing DSRs spent about $400,000 per million records last year – more than 2.5x the previous year. This is largely due to the cost of employee time dedicated to data privacy. According to DataGrail’s research, approximately 26-50 employees were involved in processing a single DSR at companies using manual processes, with the day-to-day privacy employees allocating 2-4 months (60-130 man-hours) a year to sustaining compliance.
More involved data deletion requests could be partially to blame. In 2021, companies received 84 requests per 1M identities to erase user information from their systems permanently and completely. Again, this nearly doubles the specific deletion requests of the year before; in 2020 there were 43 deletion requests per 1M identities.
Part of the processing issue stems from not knowing where all of a consumer’s data resides. Companies run so many different SaaS apps today to perform business functions that the location of that data becomes a tangled mess. DataGrail’s research indicated that companies miss data in up to 50% of shadow SaaS apps (i.e. third-party consumer apps accessed over the Internet, or software not supported by the company’s IT department that was perhaps downloaded by an employee) when processing requests. This is a lot of data that companies could be held responsible for under new legislation!
These findings show that data privacy legislation can have a significant effect on a business’s bottom line – and this is based on a sample from just one state. The business issues highlighted above will grow exponentially as more consumers become aware of their data privacy rights and as additional states pass laws to protect them.
Data privacy management will only grow more important, expensive, and complicated in the days to come
Between global regulations, like the EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL), and individual state laws, companies are starting to accept that they will need to change their data privacy practices, particularly in terms of data management. But how quickly will they – or can they – adapt?
Companies need to take a step back and understand what data they have, where it resides and how to manage that data. They need to either build a way to remove personal data from several disparate systems or partner with a privacy management vendor to help automate this process. The organizations that will win are those that have clear data privacy policies and practices.