DataGrail recently released a mid-year report on trends related to the California Consumer Privacy Act (CCPA) and how it has affected consumers and businesses. The report indicates that consumers are regularly opting out of the sale of their personal information, with the “do not sell” right being the most exercised right, occurring 48 percent of the time, more than access rights (at 21 percent) and deletion requests (at 31 percent).

Overall, according to this report, about 83 percent of consumers expect to have control over how businesses use their data, and this research confirms that people are taking action to control their privacy by exercising rights provided by the CCPA. 

When the CCPA first went into effect in January 2020, DataGrail found that Californians began exercising those rights right away. In January 2020, there was a surge of requests from individuals exercising their rights under the CCPA. Since that initial surge, such requests have leveled off at about 13 requests per million records every month. Data from a recent Gartner report show that the manual processing of a single request costs an average of $1,406. If companies continue to process these requests manually, that could be upwards of $240,000 per million records. It seems like a call for a standardized process that companies across the board can implement to handle these requests more efficiently.

DataGrail also found that 3 out of 10 requests go unverified (i.e., no fraud detection for requests that might be made for purposes of stealing personal information). This again shows a need for a scalable verification process to prevent harm to consumers, which the CCPA aims to protect against.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.