Privacy requests increased 246% in two years
Data Subject Requests (DSRs) — formal requests made to a company by a person to access, delete, or request not to sell/share the personal data that the company holds on them — increased by 32% from 2022 to 2023, according to DataGrail’s 2024 Privacy Trends Report.
Data deletion requests were the most common type of DSR, on average accounting for more than 40% of requests across businesses.
Data privacy requests surge
As data privacy requests increase, findings show increased financial pressures on the brands processing them. According to Gartner, a single access or deletion request costs around $1,524 to complete. DataGrail’s data suggests that a company handling one million identities receives 578 access and data deletion requests in an average year, meaning these DSRs could cost businesses nearly $1 million per year.
2023 saw a 246% increase in the total volume of data privacy requests compared to 2021. In 2021, there was an average of 248 DSRs per million identities, and 2023 reached 859 DSRs per million identities.
Access requests are on the rise, but data deletion requests continue to dominate. Accounting for more than 40% of requests on average across businesses, deletion outstripped all other types of DSR for the third year in a row. Access requests increased most significantly, booming by around 50% since 2022.
Businesses are spending 36% more to meet the influx of requests. Manual processing of DSRs were estimated to cost businesses more than $881,000 per year per million DSRs in 2023, compared to $648,000 in 2022.
Consumers are automating “Do Not Sell / Share” preferences, yet many businesses are not honoring their requests. 75% of organizations are not up-to-date with using three or more cookie trackers despite consumers not consenting to tracking via.
People seek control over personal data
In 2023, the DataGrail report estimated 80% of all DSRs came from jurisdictions that didn’t have privacy laws, evidence that people around the world want more control over their personal data.
“Control is the name of the game with data privacy right now,” said DataGrail CEO, Daniel Barber. “Consumers deserve to know where their personal data is and how it’s being used, and the increase in privacy requests shows that in action. Consequently, businesses today are faced with unprecedented responsibility – not only must they manage data responsibly and effectively, but they also need to earn consumer trust by giving them autonomy over their data.”
While privacy laws have emerged in some states and regions, data privacy requests come from virtually everywhere. 46% of DSRs arrived from IP addresses located outside of the US, Canada, the UK, or the EU, meaning the people making them were not necessarily covered by strong privacy laws. In the US, 34% of requests were made by people in states that didn’t have privacy laws in effect.
“Consumers want more control over their data even if they don’t have legally protected privacy rights,” added Barber. “No matter where you’re located, organizations need to take the proper steps to ensure people trust you with their data.”
75% of websites ignore GPC requests
The report uncovers how businesses respond to Universal Opt Out Mechanisms (UOOMs) like Global Privacy Control (GPC), which are supposed to enable consumers to automatically tell businesses not to sell or share their personal data for advertising.
DataGrail’s research suggests that 75% of websites ignore GPC requests, which means most businesses are not respecting people’s privacy requests. Some could be violating current laws or they are unprepared for upcoming legal changes. In fact, prominent law firm Gunderson & Dettmer recently reported a surge in privacy lawsuits.
Privacy requests are on the rise across all industries, but the Ecommerce industry – defined in the report as brands with a direct-to-consumer (D2C) relationship – received the most DSRs (1,577 DSRs per million identities). This is indicative of the volume of personal data collected in online marketing campaigns. The Ecommerce industry also reflects the growing “Wellness” market, which encompasses multi-level marketing (MLM) companies and consumer health companies potentially carrying a lot of sensitive data.
Marketing tech companies, typically in a B2B setting experience the second-greatest volume of privacy requests, likely linked to the data obtained through online campaigns, surveys, CRM tools and more.