Ahead of the RSA conference, DataGrail (Booth #243), a leader in data privacy, released its 2024 Data Privacy Trends Report, which illustrates consumers' growing desire to take control over their data and helps businesses understand what to expect amid the rising demands. The findings reveal that Data Subject Requests (DSRs) — formal requests made to a company by a person to access, delete or request not to sell/share the personal data that the company holds on them — increased by 32% from 2022 to 2023. Data deletion requests were the most common type of DSR, on average accounting for more than 40% of requests across businesses.
As data privacy requests increase, findings show increased financial pressures on the brands processing them. According to Gartner, a single access or deletion request costs around $1,524 to complete. DataGrail's data suggests that a company handling one million identities receives 578 access and data deletion requests in an average year, meaning these DSRs could cost businesses nearly $1 million per year.
Privacy Trends 2024 Report Key Findings
- 2023 saw a 246% increase in the total volume of data privacy requests compared to 2021. In 2021, there was an average of 248 DSRs per million identities, and 2023 reached 859 DSRs per million identities.
- Access requests are on the rise, but data deletion requests continue to dominate. Accounting for more than 40% of requests on average across businesses, deletion outstripped all other types of DSR for the third year in a row. Access requests increased most significantly, booming by around 50% since 2022.
- Businesses are spending 36% more to meet the influx of requests. Manual processing of DSRs were estimated to cost businesses more than $881,000 per year per million DSRs in 2023, compared to $648,000 in 2022.
- Consumers are automating "Do Not Sell / Share" preferences, yet many businesses are not honoring their requests. 75% of organizations are not up-to-date with using three or more cookie trackers despite consumers not consenting to tracking via.
- In 2023, the DataGrail report estimated 80% of all DSRs came from jurisdictions that didn't have privacy laws, evidence that people around the world want more control over their personal data.
"Control is the name of the game with data privacy right now," said DataGrail Co-founder and CEO, Daniel Barber. "Consumers deserve to know where their personal data is and how it's being used, and the increase in privacy requests shows that in action. Consequently, businesses today are faced with unprecedented responsibility – not only must they manage data responsibly and effectively, but they also need to earn consumer trust by giving them autonomy over their data."
Consumers expect privacy regardless of location or legislation
While privacy laws have emerged in some states and regions, data privacy requests come from virtually everywhere. Nearly half (46%) of DSRs arrived from IP addresses located outside of the U.S., Canada, the U.K., or the EU, meaning the people making them were not necessarily covered by strong privacy laws. In the U.S., 34% of requests were made by people in states that didn't have privacy laws in effect.
"Consumers want more control over their data even if they don't have legally protected privacy rights," added Barber. "No matter where you're located, organizations need to take the proper steps to ensure people trust you with their data."
Most businesses are not honoring GPC "Do Not Sell" preferences: Unraveling the underlying risks
The Data Privacy Trends 2024 Report uncovers how businesses respond to Universal Opt Out Mechanisms (UOOMs) like Global Privacy Control (GPC), which are supposed to enable consumers to automatically tell businesses not to sell or share their personal data for advertising.
DataGrail's research suggests that 75% of websites ignore GPC requests, which means most businesses are not respecting people's privacy requests. Some could be violating current laws or they are unprepared for upcoming legal changes. In fact, prominent law firm Gunderson & Dettmer recently reported a surge in privacy lawsuits.
Ecommerce and marketing industries see the most data privacy requests
Privacy requests are on the rise across all industries, but the Ecommerce industry – defined in the report as brands with a direct-to-consumer (D2C) relationship – received the most DSRs (1,577 DSRs per million identities). This is indicative of the volume of personal data collected in online marketing campaigns. The Ecommerce industry also reflects the growing "Wellness" market, which encompasses multi-level marketing (MLM) companies and consumer health companies potentially carrying a lot of sensitive data.
Marketing tech (Martech) companies, typically in a business-to-business (B2B) setting experience the second-greatest volume of privacy requests, likely linked to the data obtained through online campaigns, surveys, customer relationship management (CRM) tools and more.
Download the complete DataGrail 2024 Privacy Trends Report. DataGrail will also be at RSA, visit the team at booth #0243.
Methodology
DataGrail analyzed the Data Subject Requests (DSRs) it helped process on behalf of customers from January 1 to December 31, 2023. The customer set has more than 700 million records, where a "record" is defined as a single, individual record associated with a unique identifier within a customer's database. To determine the cost of processing requests, DataGrail used Gartner's manual processing estimate of $1,524 per DSR.
To normalize the data across various company sizes, DataGrail calculated DSRs per one million identities. To account for variability, DataGrail used a "10% trim mean" calculation to determine benchmarks. The dataset includes DSRs submitted under the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), along with DSRs received in the U.S. and globally that don't fall under those regulatory umbrellas. As a United States-based company, with primarily U.S.-based customers, DataGrail's dataset may skew toward DSRs from the U.S.
About DataGrail
DataGrail is the data privacy company for this era. We help brands minimize risk, stay a step ahead of consumer and employee expectations, and safeguard their reputation. Our complete, enterprise-grade data privacy platform is powered by patented Risk Intelligence technology that detects shadow IT and makes vulnerable data visible so brands can proactively manage risk. Leveraging responsible automation at scale and the largest integration network in data privacy, DataGrail automates privacy workflows across systems to perform risk assessments, accelerate data subject request (DSR) fulfillment, and optimize resources.
Headquartered in San Francisco, the world's most trusted brands partner with DataGrail on their data privacy journey, including Salesforce, FanDuel, Dexcom, Databricks, Instacart, amongst others. It has 4.8/5 stars on G2 and is backed by leading VCs and strategic investors, including Third Point Ventures, Felicis Ventures, Next47, Cloud Apps Capital Partners, Operator Collective, HubSpot, Okta Ventures, and American Express Ventures.
Source: DataGrail
