Do Californians use CCPA to protect their privacy?
Californians regularly opt-out of companies selling their personal information, with “Do-not-sell” being the most common CCPA right exercised, happening nearly 50% of the time over access and deletion requests, DataGrail’s Mid-Year CCPA Trends Report shows.
Consumer rights under CCPA
The California Consumer Privacy Act gives California residents the right to:
- Know what personal data businesses have about them
- Know what businesses do with that information (to whom they sell it or disclose it)
- Access their personal data
- Refuse the sale of their personal data
- Request that a business deletes their personal data
Do-not-sell requests are almost 50% of all DSRs
When CCPA went into effect in January 2020, DataGrail saw people exercise their rights immediately, with a surge of data subject requests (DSRs) going across its platform in January 2020.
Since the initial surge, DSRs have stabilized around 13 DSRs per million records every month, which is a substantial rate and confirms that organizations need an established privacy program.
Consumers are accessing their data (21%), deleting their data (31%) and requiring that businesses do-not-sell their personal information (48%).
Processing DSRs
Gartner data shows that manually processing a single DSR costs on average $1,406. At this rate, organizations can expect to spend almost $240,000 per million records to fulfill DSRs – if they are done manually.
Additionally, organizations could be on the hook for more DSR requests from fines that will likely begin appearing in October, if CCPA follows the same timeline as GDPR.
According to the research, B2C companies should prepare to process approximately 170 total DSRs per one million consumer records each year.
DataGrail has also found that three of every ten DSRs will go unverified, confirming the need for a robust and scalable verification method to prevent fraud (i.e., detect fraudulent requests being made to steal personal data).
Access requests (DSARs) make up 70% of the unverified requests, validating the concern that nefarious characters could be submitting access requests to gain access to another person’s personal information.