Data Subject Requests (DSRs), which are formal requests made by individuals to access, modify, or delete their personal data held by a company, increased by 72% from 2021 to 2022. The increase was primarily driven by deletion and access requests, according to DataGrail.
In fact, the number of deletion requests more than doubled while access requests grew fivefold. These numbers will continue to increase as new data privacy laws, like those in Virginia and Colorado, come into effect and focus attention on responsible data privacy practices.
Researchers also uncovered a surge of privacy requests – 52% of all requests – coming from states that have yet to adopt data privacy legislation. This underscores the growing public support for a federal data privacy law.
Data privacy concerns
Concern over data privacy rose sharply in 2022, fueled by a constant stream of related news, including the overturning of Roe v. Wade, Sephora’s settlement with the California Attorney General, and the EU’s crackdown on Meta’s data privacy practices. As such, people are actively seeking more control over how their personal data is used.
In 2022, researchers found that 85% of people want to know which businesses collect their data and for what purpose. In response to increasing privacy concerns, DataGrail set out to understand the impact of privacy awareness on organizations by analyzing how many privacy requests the average business can expect.
The report analyzes the number of privacy requests DataGrail processed in 2021 versus 2022 and creates a benchmark for businesses to calibrate the status of their privacy program.
2022 saw a 72% increase in the total volume of data privacy requests compared to 2021
In 2021, there was an average of 377 DSRs per million identities, compared to 2022’s 650 DSRs per million identities. Notably, the average number of access requests per million identities grew by more than 5x from 2021 to 2022.
Deletion requests far outpace access requests
Companies process 56% more deletion requests than access requests. On average, companies can expect 272 deletion requests and 153 access requests per million identities annually.
Requests came from every state and every country in 2022 — not just those with privacy laws designed to protect their residents
In fact, 52% of requests came from states without such laws on the books. This suggests consumers are more concerned about privacy than ever before, and businesses are stepping up to fulfill DSRs even though they are not legally required to do so.
Access and deletion requests can cost companies around $648K per year, per million identities
This figure is based on Gartner’s suggestion that it costs businesses approximately $1,524 to manually process a single access or deletion request.
The number of Californian Do Not Sell requests stayed about the same compared to 2021
It is worth noting that Do Not Sell requests are unique to California, and fewer people around the globe have this right.
Unpacking why companies get more or fewer privacy requests
There are several factors that influence the volume of DSRs companies receive. For instance, DataGrail often sees a request surge when a company updates its privacy policy. Firms providing services or products catering to specific life events, such as getting married, having a baby, or researching colleges, tend to experience more requests than average.
Global companies receive an elevated volume of requests due to their large size and reach, with the European market in particular regarded as more “privacy mature.”
“Consumers’ desire for greater control over their personal information grows stronger by the day, as people recognize that privacy should be a human right, even if it is not yet federally protected,” said Daniel Barber, founder and CEO of DataGrail. “Businesses are going to have to respond in an efficient manner, if for no other reason than for the value of earning and maintaining consumer trust and reputational capital.”
What’s to come
The privacy landscape continues to evolve at a rapid pace, with an increasing number of states adding legislation and a renewed focus on privacy at the federal level. Virginia’s privacy law went into effect this January, with Colorado and Connecticut following suit in July 2023. This will translate to a higher volume of DSRs and Do Not Sell requests businesses are required to process, and more changes that companies must account for in their privacy practices.
Further complicating matters is the widespread adoption of generative AI, which does not inherently seek a consumer’s consent to use their data. The uncertainty surrounding generative AI and its applications may spur Congress or the FTC into action to help safeguard consumer privacy.
Businesses that want to get ahead and earn customer trust are adopting best-in-class privacy practices and tools to relieve the resource strain caused by processing DSRs. Those taking a privacy-forward stance find that they are lowering their overall business risk as well.
“To take away some of the pain and cost associated with DSRs, organizations must know where their data lives — including all applications and internal systems. They should also automate where they can and minimize the amount of data saved when possible. Doing so will reduce risk to their business — not to mention save them time, resources, and headaches,” added Barber.