CCPA’s Impact: Businesses Prepare for Fall Surge in Data Subject Requests

Ten months have gone by since the California Consumer Privacy Act (CCPA) went into effect. While the world has changed in many ways since January, the topic of privacy and data control remains a major concern for consumers and providers.

While there are businesses still struggling to comply with the CCPA, and to a lesser extent the European Union’s General Data Protection Regulation (GDPR), consumers are eager to take advantage of the benefits, requesting that businesses delete their data and opting out of their personal information being sold.

In a bid to find out more about how people are taking advantage of the CCPA, the privacy management firm DataGrail recently examined the data subject requests (DSRs) it helped process on behalf of select business-to-consumer (B2C) customers.

In a customer set with more than 16 million consumer records — with consumer records being defined as a single, individual record associated with a unique email address within a database — DataGrail found that people are largely taking action to control their privacy by exercising rights provided by the CCPA.

Consumers opt out of their personal information being sold “most” of the time, and deletion requests make up 31% of all DSRs. Twenty-one percent of consumers have accessed their data thanks to the new regulations.

What does that mean for the businesses receiving these requests, and what should businesses be doing now to prepare for future requests as they come in?

DataGrail CEO and Co-Founder Daniel Barber says it’s important for businesses to have a robust and easy-to-navigate way to authenticate whether people are who they claim to be, particularly with data showing that three out of every 10 DSRs will go unverified.

“I was shocked to see the number of unverified requests. We expected some unverified requests to come in — with consumers testing out how CCPA works — but for three in 10 requests to be unverified seems high to me,” he says.

Unverified requests are requests that can’t be verified, and as a result, they could be fraudulent attempts at accessing or deleting data. Barber says B2C companies should prepare to process upwards of 170 total DSRs per one million consumer records each year. Although the initial surge in DSRs that came through immediately after the CCPA went into effect last winter has subsided, data shows that B2C companies should still expect to process more than 84 DNS requests per million records over the coming months.

Data from Gartner shows that the cost to manually process a single DSR can top $1,400. At that rate, organizations can expect to spend almost $240,000 per million records to fulfill DSRs. But that’s only if they’re working manually. Like many in the industry, Barber promotes a more automated, systematic approach.

Regardless of whether a company opts for that approach, though, he says it’s important to remember that DSRs are frequently tied to newsworthy events. Back in the spring, when people were talking about privacy issues on Zoom and other web-conferencing platforms, for example, B2C companies saw a surge in DSRs. Upcoming events like the presidential election and a fall surge in Covid-19 cases could have a similar impact.

Barber says the best thing businesses can do to prepare is to get a handle on their data now — before the next global event. Most businesses now store data in a variety of different systems, including internal databases, third-party apps like Marketo and Salesforce, and hosted systems in the cloud. What’s really needed is a solution that maps where personal data resides across all these systems, and then maps it back to the person who is exercising his or her CCPA rights.

“[Businesses] need a robust data discovery solution in place to create a solid foundation for their privacy program, and this is not an easy thing to do,” Barber says. “Organizations need to find a trusted technology partner to help map their data as a foundation to their privacy program.”

Stephanie Miles is a senior editor at Street Fight.