Consumers Push Back on Data Exploitation, Forcing Businesses to Rethink Privacy Compliance

In an era where digital footprints are currency, consumers are demanding to be paid in privacy. According to DataGrail’s newly published 2025 Data Privacy Trends Report, the volume of data deletion requests has surged by 82% year-over-year, a tidal wave that’s leaving businesses scrambling to keep up, and racking up millions in compliance costs.

“The privacy landscape, driven by stricter laws and heightened enforcement globally, means proactive data privacy management is no longer optional but mandatory for brands,” said Daniel Barber, co-founder and CEO of DataGrail.

The report reveals that managing Data Subject Requests (DSRs) now costs businesses an average of $1.26 million annually per 5 million unique website visitors. That’s a 43% increase from 2023, driven in part by labor-intensive manual processes and mounting consumer distrust.

Despite new laws in seven U.S. states going into effect in 2024, it’s not just regulated regions seeing action. Forty-seven percent of U.S. DSRs came from states without active privacy legislation, while globally, nearly one-third originated in countries with no formal privacy laws. The message is clear: consumers want control, regardless of legal jurisdiction.

But while consumers are signaling their expectations loudly, businesses are failing to listen.

A DataGrail audit of 5,000 websites found that 69% of businesses deployed three or more cookie trackers even after users opted out through “Do Not Sell” preferences. That figure has caught the attention of regulators like the California Privacy Protection Agency, which has sharpened its focus on companies skirting opt-out obligations.

“The significant increase in data deletion requests, coupled with rising compliance costs and continued violations of consumer consent, indicates that organizations need to prioritize robust data privacy management,” said Ryan O’Leary, Research Director for Privacy and Legal Technology at IDC.

Among industries, data brokers were hit hardest by consumer demands. The passage of California’s Delete Act and a broader pushback against AI-fueled data harvesting have made brokers a primary target. Concerns over political manipulation, identity theft, and AI’s voracious appetite for personal data are fueling what DataGrail calls a “privacy backlash.”

At the same time, “Do Not Sell” requests rose 37% year-over-year, reinforcing the broader trend of consumers opting out of opaque data sharing agreements.

The writing is on the wall for companies treating compliance as a checkbox. As privacy evolves into a competitive differentiator, brands that fail to modernize their data practices risk more than fines—they risk losing consumer trust. And once that’s gone, there’s no cookie-based retargeting strategy that can bring it back.