SAN FRANCISCO, June 30, 2025 (GLOBE NEWSWIRE) — Consumers are reclaiming control of their personal data—and businesses are feeling the impact. DataGrail’s newly released 2025 Data Privacy Trends Report shows a surge in data deletion and do not share requests, skyrocketing privacy expectations globally, and a failure by companies to honor consumer consent – driving up compliance costs across the board.
DataGrail 2025 Privacy Trends Report Highlights:
- Data deletion requests are surging, rising 82% year-over-year, surpassing access and do not sell requests for the fourth consecutive year.
- Compliance costs are skyrocketing, largely due to the manual processing of Data Subject Requests (DSRs). Managing DSRs now costs businesses an estimated $1.26 million annually per 5 million unique website visitors—a 43% increase over 2023.
- “Do Not Sell” (DNS) requests are gaining significant traction, with an increase of 37% over 2023. This increase is worth noting as organizations face heightened scrutiny from bodies like the California Privacy Protection Agency (CPPA), which has focused litigation on ensuring companies honor these opt-out requests.
- New state laws are driving more action. Seven new U.S. state laws went into effect in 2024. As a result, 41% of DSRs in 2024 came from states with active privacy laws – an increase of 229% from the 12.5% of DSRs we received from states with active privacy laws in 2023.
- 69% of businesses violate consumer consent. Despite consumers setting their opt-out preferences, businesses continue to deploy tracking cookies, risking fines, lawsuits, and damage to their brand.
“Our 2025 report clearly shows that consumers are taking control over their data privacy rights and are actively exercising those rights by demanding deletion of their data,” said Daniel Barber, co-founder and CEO of DataGrail. “This surge in DSRs, particularly deletions, is making compliance more expensive for organizations. The privacy landscape, driven by stricter laws and heightened enforcement globally, means proactive data privacy management is no longer optional but mandatory for brands.”
“The trends highlighted in DataGrail’s 2025 report underscore a critical shift in the data privacy landscape,” said Ryan O’Leary, Research Director, Privacy and Legal Technology, IDC. “The significant increase in data deletion requests, coupled with rising compliance costs and continued violations of consumer consent indicates that organizations need to prioritize robust data privacy management.”
Consumers expect privacy regardless of location or legislation
Around the world, consumer demand for control over personal data is seeing momentum. Globally, 31.5% of DSRs came from countries without privacy laws. In the U.S., 46.6% of requests were made by people in states that didn’t have privacy laws in effect.
Majority of businesses not honoring do not sell preferences
As consumers automate do not sell requests, a majority of organizations are not honoring those requests, putting their organizations at risk for regulatory scrutiny, potentially leading to costly fines, lawsuits, or reputational damage to their brand. An audit of 5,000 websites reveals that 69% of organizations fire 3 or more cookie trackers despite website visitors opting out. This means organizations have not correctly implemented consent mechanisms and are tracking consumer activities to retarget them with ads without their consent.
Data brokerage industry tops list for most data privacy requests
Privacy requests in 2024 among data brokers were the highest category of requests across industries. Driven by the California Delete Act, which put renewed pressure on data brokers to honor deletion requests, combined with an uptick in companies that delete data, heightened concern over data breaches, political uncertainty and AI’s expanding use of personal data. These factors are driving a surge in consumer privacy actions and reshaping the data landscape.
Methodology
DataGrail analyzed the Data Subject Requests (DSRs) it helped process on behalf of customers from January 1 to December 31, 2023. The customer set has more than 700 million records, where a “record” is defined as a single, individual record associated with a unique identifier within a customer’s database. To determine the cost of processing requests, DataGrail used Gartner’s manual processing estimate of $1,524 per DSR.
To normalize the data across various company sizes, DataGrail calculated DSRs per one million identities. To account for variability, DataGrail used a “10% trim mean” calculation to determine benchmarks. The dataset includes DSRs submitted under the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR), along with DSRs received in the U.S. and globally that don’t fall under those regulatory umbrellas. As a United States-based company, with primarily U.S.-based customers, DataGrail’s dataset may skew toward DSRs from the U.S.
About DataGrail
DataGrail is the data privacy company for this era. We help brands minimize risk, stay a step ahead of consumer and employee expectations, and safeguard their reputation. Our complete, data privacy platform is powered by patented Risk Intelligence technology that detects shadow IT and makes vulnerable data visible so brands can proactively manage risk. Leveraging responsible automation at scale and the largest integration network in data privacy, DataGrail automates privacy workflows across systems to perform risk assessments, accelerate data subject request (DSR) fulfillment, and optimize resources.
Headquartered in San Francisco, the world’s most trusted brands partner with DataGrail on their data privacy journey, including Salesforce, FanDuel, Dexcom, Databricks, among others.
Media Contact
press@datagrail.io
