Report: Requests to Protect Personal Data Up 72%

While Congress debates TikTok’s future, U.S. consumers are beginning to ask some uncomfortable questions about why businesses are collecting their personal data and how their information is really being used. According to the newly-released Privacy Trends 2023 Report by DataGrail, the privacy management firm, concern over data privacy is reaching a fever pitch.

Eighty-five percent of people now say they want to know which businesses collect their data and for what purpose, and formal requests to protect personal data rose 72% from 2021 to 2022. That increase has been driven largely by the growing number of “deletion and access” requests. The number of deletion requests more than doubled in the last year. 

What’s behind the surge?

The most likely culprit is the constant stream of privacy-related legal cases making headlines in 2022 and 2023. From the overturning of Roe v. Wade to Sephora’s settlement with the California Attorney General, and the E.U.’s crackdown on Meta’s data privacy practices, consumers are reading headlines that give them more reason to distrust how businesses and other organizations are using their personal information.

“The constant stream of headlines about privacy must contribute to people’s sense of urgency. After the Facebook Files and France’s Haugen’s congressional testimony in 2021, and now to have the TikTok CEO talk about privacy, it only raises awareness and levels of concerns,” says DataGrail CEO Daniel Barber. “Additionally, concerns about children’s privacy online continues to pique interest.”

Congress has yet to pass a federal data privacy law in the U.S., potentially jeopardizing the data of millions of citizens. Although states like California, Virginia, and Colorado have enacted their own regulations, DataGrail found the majority of requests to protect personal data (52%) are now coming from consumers who live in states without data protection laws in place.

“The most surprising thing for the DataGrail team was seeing the amount of privacy requests come from people outside of protected states and territories,” Barber says. “This says two things to me. One, it’s proof that people want control, and if they know how to exercise a right, they’ll do it. And two, we need a federal privacy law so all Americans are protected. From there, we’ll want to aggressively educate consumers on their privacy rights.”

Businesses are facing the brunt of this, paying an average of $648,000 per year, per 1 million identities. It costs businesses roughly $1,524 to manually process a single access or deletion request.

Several factors can influence the number of data subject requests, or DSRs, that a company receives. DataGrail has found that requests increase when a company updates its privacy policy, and that firms providing services or products catering to specific life events—like getting married or having a baby—experience more requests than average. 

State Regulations Translate to More DSRs

Virginia’s new privacy law went into effect in January, and Colorado and Connecticut will follow suit in July. Businesses can expect that the implementation of these new regulations will translate to a higher volume of DSRs, at least temporarily. 

As generative AI goes mainstream, it’s expected that more consumers will start asking questions about how that technology is seeking and using their personal data, as well. 

To stay ahead of the curve, and remain compliant with regulations, Barber says businesses will need to adopt best-in-class privacy practices and tools. He says those taking a privacy-forward stance will find they are lowering their overall business risk.

“Early data shows that brands that establish a 1:1 relationship retain customers and receive fewer Data Subject Requests,” Barber says. “We hope that brands understand that they can create a personalized experience while respecting privacy.”