The Sway Of The CCPA: How Consumers Have Reacted To The Law

Consumers are less interested in gaining access to their data than in preventing its sale to third parties, according to The State of CCPA, a new study by privacy platform DataGrail. 

Overall, B2C brands received an average 137 data subject requests (DSRs) per million identities in 2020. 

The volume peaked in January, when the California Consumer Privacy Act (CCPA) took effect. But it rapidly declined after that, hitting a low in the summer. 

Of the DSRs reported per million identities, 63 were "do not sell" (DNSs), 43 were deletion requests and 31 were from people seeking access. 

In January, the majority of requests were for deletion, with access second and do-not-sell third. But DNS took over and remained first in December.  

The latter may be attributable to websites now featuring pop-ups that enable the consumer to opt out of having their data sold to a third party. 

In addition, consumers are more aware of how their data is being used online, and more seek ways to prevent its sale. 



The findings may have meaning beyond California as other states mull similar laws patterned on — and sometimes surpassing — the GDPR. 

“With Apple leading a new charge on privacy and CCPA entering its enforcement stage, consumers are not only more aware of how their data is being used than ever before, they also realize, perhaps for the first time, that they have options to protect their information,” states Daniel Barber, CEO and founder of DataGrail. 

What triggers DSRs? Probably a combination of factors, the study states (and we quote):

Requesting that consumers submit requests via email vs. using a form. Email requests typically result in more spam requests. 

Sending out frequent privacy policy updates.

Frequently sending email campaigns that aren’t relevant to the customer’s interests. 

But there are other dangers. For one, nearly half of all DSRs are unverified, and many are spam. The best practice is to use a form and a CAPTCHA instead of simply asking consumers to send an email.  

And as shown above, sending out too many privacy notices can confuse consumers and drive them to action. “A great first step is simplifying a privacy policy with language the average person can understand,” the study notes. 

Another obstacle is when companies try to manually process requests, a practice that costs $190,000 per million identities. 

“The companies that are transparent and those that can win trust will be the big winners in the new privacy era,” Barber concludes.  

DataGrail analyzed subject requests that it helped process for clients across over 16 million consumer identities from January 1 to December 31, 2020 a

Next story loading loading..