17 Sep, 2020

Californians Move To Protect Their Privacy, Restrict the Sale of Personal Information

As the Covid-19 pandemic triggers massive shifts to online communications, payments, education, health & wellness, meetings, and more, the issue of privacy protection is rarely mentioned. Travel & Tourism technobabble forums tend to gloss over this issue, which is not surprising, given the industry’s long-standing fondness for sweeping sensitive issues under the carpet. One day, the s*** will hit the fan for sure, along with the usual hand-wringing about why nothing was done about it earlier. This press release may help raise a few alarm bells about what is at stake.

SAN FRANCISCO, Sept. 15, 2020 /PRNewswire/ — Today, DataGrail, a leading privacy management platform, released its Mid-Year CCPA Trends Report, which uncovers how the California Consumer Privacy Act (CCPA) is affecting consumers and businesses. The proprietary research finds that people are regularly opting out of having companies sell their personal information, with “do-not-sell” being the most commonly exercised right, occurring nearly 50% of the time over access and deletion requests. DataGrail automates the process of fulfilling data subject requests (DSRs), giving it unique insight into the number of requests processed by companies.

DataGrail’s CCPA H1 2020 Trends Report, showing the breakdown of the types of CCPA requests made by Californians in H1 2020.


Research Highlights Include:

  • Californians are exercising their CCPA rights to access & delete their data, and to opt out of their personal information being sold
    • Consumers most often opt out of their personal information being sold (48%), by nearly 2x
    • Deletion requests make up 31% of DSRs
    • Access requests make up 21% of DSRs
  • B2C companies should prepare to process approximately 170 total DSRs per one million consumer records each year.
  • In 2020, B2C companies should plan to process 84+ do-not-sell (DNS) requests per million records.
  • In 2020, companies manually processing DSRs should expect to pay $240,000 per million records to fulfill requests.
  • 3 of every 10 DSRs will go unverified, confirming the need for a robust and scalable verification method to prevent fraud.
  • Approximately 40% of access requests were not verified, suggesting that concerns around fraudulent requests being made to steal personal data are valid.

83% of consumers expect to have control over how businesses use their data, and this research confirms that people are taking action to control their privacy by exercising rights provided by the CCPA. Consumers are accessing their data (21%), deleting their data (31%) and requiring that businesses do-not-sell their personal information (48%). When CCPA went into effect in January 2020, DataGrail saw people exercise their rights immediately, with a surge of data subject requests (DSRs) going across its platform in January 2020.

Since the initial surge, DSRs have stabilized around 13 DSRs per million records every month, a substantial rate which confirms that organizations need an established privacy program. Gartner data shows that manually processing a single DSR costs on average $1,406. At this rate, organizations can expect to spend almost $240,000 per million records to fulfill DSRs — if they are done manually. Additionally, organizations could find themselves on the hook for fines likely to appear in October (if CCPA follows the same timeline as GDPR).

Fraud is a top concern for organizations that process DSRs: no organization wants to send personal information to the wrong person or someone who might be impersonating one of their customers. DataGrail’s Smart Verification technology tracks how many unverified (and potentially fraudulent) DSRs go through the platform. They also found that 3 out of every 10 DSRs will likely not be verified and could be fraudulent attempts at accessing or deleting data.

When breaking down unverified requests (access vs. deletion), the data shows that access requests (DSARs) make up 70% of the unverified requests. This finding offers validity to the concern that nefarious characters could be submitting access requests to gain access to another person’s personal information.


DataGrail automates the process of fulfilling data subject requests (DSRs), which provides it a unique insight into the number of requests processed by companies. DataGrail examined the data subject requests it helped process on behalf of select B2C customers, with a substantial volume of privacy requests in the period January 1 to June 30th, 2020. This customer set had more than sixteen million consumer records, where a “consumer record” is defined as a single, individual record associated with a unique email address within a customer’s database. To determine the cost of manually processing requests, DataGrail used Gartner’s estimate that manually processing a single request costs $1,406. Gartner published this statistic after releasing details from its 2019 Gartner Security and Risk Survey in February 2020.