The Price Of Privacy: Data Subject Requests Cost $648,000 Per Million Identities

It’s an expensive proposition complying with the privacy laws that now exist. 

It cost businesses $648,000 a year per 1 million identities to process data subject (DSRs) in 2022, according to Privacy Trends 2023 Report, a study by DataGrail. That rose by $409,000 per million identities  from 2021 to 2022, and reflects a Gartner statistic suggesting that firms costs businesses approximately $1,524 to manually process a single request. 

Go figure what that will be if you've got 10 million customers.

DSRs generally fall into three categories: deletion, access and do-not-sell. Deletion requests cost $414,528 per million names and access $233,172. (Do not sell is unique to California, but some companies honor requests from non-Californians across the U.S.). 

And these expenses can be expected to rise, given the sheer number of requests and other factors.

DataGrail has seen a 72% increase in data-subject requests per 1 million identities from 2021 to 2022. 



Businesses received 650 requests per 1 million identities in 2022, up from 377 in 2021.

The 2022 total includes 153 access, 272 deletion and 225 do not sell requests. Access requests rose from 27 in 2021 and deletion from 129. Do not sell volume was relatively flat. 

What accounts for this uptick? One reason has to be the new privacy legislation now coming online.

The California Privacy Rights Act (CPRA) took effect in January. Virginia also implemented its new privacy law in January. Colorado and Connecticut will follow in July, and Utah in December. And 35+ other bills are moving through statehouses. 

In addition, the study notes that the White House is driving EU-U.S. data transfers and cybersecurity strategy, and that the Federal Trade Commission is stepping up its enforcement. Then there’s the GDPR, for companies doing business in Europe. 

Globally, 52.2% of DSRs come from the U.S. (excluding California, which accounts for 10.1% all by itself). Of course, this may be skewed by the fact that DataGrail is a U.S. company with a larger footprint in the country.  

On an anecdotal level, business-to-consumer (B2C) companies see an increase in DSRs when they post policy or service updates. Access requests show curiosity, deletion requests alarm.  

Also, firms offering products related to life changes like getting married or having a baby can expect to see more requests, while those providing lifetime services will get fewer. 

“Consumers’ desire for greater control over their personal information grows stronger by the day, as people recognize that privacy should be a human right, even if it is not yet federally protected,” says Daniel Barber, founder and CEO of DataGrail. 

Barber continues, “Businesses are going to have to respond in an efficient manner, if for no other reason than for the value of earning and maintaining consumer trust and reputational capital.”

Next story loading loading..