As consumers reclaim control over their personal data, companies that ignore this shift are paying the price.
Data privacy is no longer a future concern—it’s a present financial liability.
With deletion requests up 82% and enforcement actions gaining momentum, companies that fail to act now are burning cash and exposing themselves to serious legal and reputational risk. When compared to data deletion requests over time, we found that data deletion outpaced all other data privacy request types, revealing a trend that has grown steadily over the past four years.
The emerging dual threat: private and regulatory enforcement
Organizations today face privacy enforcement pressure from multiple fronts. A top emerging driver is plaintiff-side privacy enforcement activity as private law firms are taking action before regulators get involved. They are targeting companies that collect sensitive data, deploy AI tools, or operate in industries targeting vulnerable groups such as children. Companies should track which firms are active in privacy enforcement, monitor their evolving legal theories and industry focus areas, and work with specialized outside counsel who can help you anticipate the next enforcement wave. By proactively identifying these high-risk exposure areas, organizations can stay ahead of potential litigation risk by prioritizing compliance resources and moving vulnerable areas to the top of the governance roadmap.
The regulatory landscape is also tightening. In 2024 alone, seven additional states enacted privacy laws, bringing the total to 20 states that now have data privacy laws in place. Forty-one percent of DSRs came from states with privacy laws in 2024 – up from just 12.5% in 2023, representing an astounding 229% increase in just one year. Law or no law, consumers expect privacy: nearly 46% of requests were made by individuals from states without privacy laws in effect. This well-intentioned patchwork of regulation is creating compliance headaches for mid-market and enterprise companies operating throughout multiple states.
This trend underscores a blunt reality: the regulatory burden is only going to grow. And unlike previous eras of compliance, this time the consumer is both informed and empowered.
What does this mean for enforcement? The landscape is shifting fast. A scan of 2025 actions reveals a clear trend: enforcement is surging. While data privacy laws are still relatively new, regulators are flexing their muscle as they begin to go after violators. Consider a few higher profile actions: California’s Privacy Protection Agency (CPPA) levied landmark fines against Honda ($632,500), Todd Snyder ($345,178), Healthline Media who will pay $1.55 million in penalties for privacy violations under a pending settlement, and most recently filed a judicial action seeking to enforce an investigative subpoena against Tractor Supply Company stemming from the CPPA’s Enforcement Division investigation whether Tractor Supply violated Californians’ privacy rights including Tractor Supply’s failure to honor consumers’ right to opt-out of the sale and sharing of their personal information online – a hallmark of California’s privacy law. Connecticut announced an $85,000 settlement with online marketplace TicketNetwork for violations of the Connecticut Data Privacy Act (CTDPA). And this is likely only the beginning. Companies that are unprepared won’t just pay fines—they’ll lose consumer trust, market share, and operational control.
Privacy demands are increasing compliance costs
The shift in privacy demands is starting to create financial pain for businesses, who have seen compliance costs jump 43% since 2023. On average, companies are now spending an estimated $1.26 million annually managing data subject requests (DSRs). This is largely due to manual processing of deletion and opt-out requests, with volumes surging as consumers become increasingly aware of how extensively data brokers are collecting and selling their personal information. However, the bigger issue is that most businesses were not built with user control in mind. When you factor in an increasing number of state privacy laws and a surge of data broker networks, you have another layer of operational complexity.
The result? Companies must choose between modernizing their data infrastructure or bleed resources on reactive compliance.
Consent is being ignored, at great cost
Despite the mounting pressure from both private and regulatory sides, businesses continue to struggle with fundamental compliance requirements. When it comes to honoring consumer opt-out requests, businesses are failing to meet the most basic requirements. “Do Not Sell” requests climbed 37% as enforcement agencies continue to turn up the heat against non-compliant companies. Even with this pressure, nearly 70% of businesses continue tracking consumers who have opted out—directly violating state laws and creating significant enforcement risk. This compliance gap does not necessarily mean that organizations are ignoring laws, but rather that many are struggling to adapt their technical infrastructure so it can accurately respond to consumer preferences. This is creating a dangerous disconnect between regulatory requirements and business practices, exposing businesses to regulatory action, potential lawsuits, and reputational damage.
And privacy law enforcement is no longer being solely handled by states in-house. States are increasingly outsourcing privacy enforcement to private law firms, arming them with investigative powers and financial incentives to pursue violations aggressively. This shift expands the number of watchdogs on the front lines, raising the likelihood of legal action for non-compliant businesses. The compliance gap does not necessarily mean companies are ignoring the law—but many are struggling to meet modern privacy expectations.
Inaction is no longer optional
Manual privacy operations aren’t just inefficient – they’re unsustainable and unreliable. Human error is one of the top factors in data privacy breaches, as manual processing of data requests can lead to incomplete responses, missed deadlines, or accidentally exposing additional personal information – each requiring costly remediation and potentially triggering regulatory penalties.
Companies that continue to rely on manual processes to handle data deletion and access requests are not only burning cash, they’re also exposing themselves to business risk. Technology to automate DSR workflows exists today. So do tools to help businesses correctly implement global opt-out signals and consent preferences at scale.
Modernizing data infrastructure should be viewed as a strategic imperative, not compliance overhead. Privacy automation is an investment that not only reduces operational costs, but improves efficiency and can protect against financial risks associated with fines or lawsuits
The takeaway here: risk to your business is rising and the subsequent cost of manual compliance is only going to increase as more states enact privacy laws. The era of passive data privacy is over. With deletion requests skyrocketing, compliance costs rising, and enforcement intensifying, organizations must move from reactive to proactive privacy strategies. As you evaluate privacy technology solutions, focus on platforms that can automate DSR processing and provide visibility into data flows across your infrastructure. Privacy solutions should be able to adapt to new regulatory requirements without the need for extensive reconfiguration.
Yes, the cost of compliance is high. But the cost of inaction is even higher.
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com
