With new and changing regulations, growing cybersecurity risks, and shifting consumer expectations, navigating data privacy has never been more complex. To help organizations get a read on the current landscape, we’ve compiled a comprehensive collection of data privacy statistics. 

We reviewed the latest data, surveys, and research reports from authoritative sources including McKinsey, Gartner, Forrester, Pew Research, Cisco, and ISACA to get a comprehensive view of the data privacy landscape. These facts reflect current data privacy practices, the effect of regulatory frameworks like the GDPR and CCPA, trends in consumer attitudes towards data privacy, and the impact of emerging technologies like artificial intelligence. 

Keep reading for over 100 statistics that reflect the state of digital privacy in 2024 and preview the emerging trends organizations must be prepared to navigate in the future. 

Key findings

Here are some of the most eye-opening data privacy insights and statistics pulled from the list below:

• 94% of organizations say their customers would not buy from them if they did not protect data properly. (Cisco)
• 86% of the US general population say data privacy is a growing concern for them. (KPMG)
• 72% of Americans believe there should be more government regulation on what can be done with personal data. (Pew Research Center)
• Only 29% of consumers said it is easy for them to understand how well a company protects their personal data. (International Association of Privacy Professionals)
• 48% of organizations are entering non-public company information into GenAI apps. (Cisco)
• Only 20% of privacy professionals say they are totally confident in their organization's privacy law compliance. (International Association of Privacy Professionals)
• The average cost of manually processing a single data subject request is $1,524. (Gartner)
• Large organizations’ average annual budget for privacy is projected to exceed $2.5 million by the end of 2024. (Gartner)
• 95% of organizations say the benefits of investing in data privacy exceed costs, with the average organization realizing a 1.6x return on their privacy investment. 30% of organizations estimate a 2x ROI on data privacy investment. (Cisco)

Data privacy and consumer behavior statistics

As consumers become increasingly aware of the importance of data privacy, more are taking significant steps to protect it. These statistics highlight the critical role data privacy plays in shaping consumer perceptions and behavior.

1. 71% of consumers say they would stop doing business with a company if it mishandled their sensitive data. (McKinsey)

2. 94% of organizations say their customers would not buy from them if they did not protect data properly. (Cisco)

3. Nearly 68% of consumers worldwide said they are either somewhat or very concerned about their online privacy. (International Association of Privacy Professionals)

4. 86% of the US general population say data privacy is a growing concern for them. (KPMG)

5. 40% of US consumers don’t trust companies to use their data ethically. (KPMG)

6. Only 21% of US adults are confident that those with access to their personal information will do what is right. (Pew Research Center)

7. 81% of US adults say the information companies collect about them will be used in ways they are not comfortable with (Pew Research Center)

8. 80% of US adults say their personal information will be used in ways that were not originally intended. (Pew Research Center)

9. Globally, 85% of adults want to do more to protect their online privacy. (Norton)

10. 78% of US adults trust themselves to make the right decisions about their personal information, but 61% feel skeptical that anything they do will make much difference. (Pew Research Center)

11. US consumers view the healthcare and financial services industries as the most trustworthy when it comes to protecting data privacy. Media and entertainment are among the least trusted industries. (McKinsey)

12. Half of consumers say they are more likely to trust a company that only asks for personal information that's relevant to its products or that limits the amount of personal information requested. (McKinsey)

13. 48% of the US general population say they would be more comfortable with companies collecting and using their personal data if it was made fully anonymous. (KPMG)

14. 33% of consumers would lose trust in an organization that uses their data to offer them products or services from another organization. (International Association of Privacy Professionals)

15. 61% of users agree that privacy policies are ineffective at explaining how companies use their data. 69% say they view these policies as just something to get past. (Pew Research Center)

16. 56% of Americans say they always, almost always, or often click “agree” without reading privacy policies. (Pew Research Center)

17. Globally, only 29% of consumers said it is easy for them to understand how well a company protects their personal data. (International Association of Privacy Professionals)

18. 64% of consumers say companies that provide clear information about their privacy policies enhance their trust. (International Association of Privacy Professionals.

19. 76% of the US general population say they want more transparency around how their personal data is being used by companies. (KPMG)

20. 40% of the US general population say they would willingly share personal data if they knew exactly how it would be used and by whom. Yet only 53% of business leaders say their company has taken active steps to demonstrate how consumer data will be used. (KPMG)

21. 7% of consumers say the best way for organizations to earn and maintain their trust is to be transparent about the data they collect and its use, yet just 21% of organizations say they provide customers with clear information on data use. (Cisco)  

Data privacy and artificial intelligence statistics

As businesses increasingly integrate AI into their operations, consumers are eager to understand how this technology will affect their personal data. The statistics below reflect the growing demand for clarity from businesses about the use of AI and its implications for personal privacy. 

22. 40% of organizations have experienced an AI privacy breach. (Gartner)

23. 57% of global consumers view the use of AI in collecting and processing personal data as a significant threat to their privacy. (International Association of Privacy Professionals)

24. 70% of US adults say they have little to no trust in companies to make responsible decisions about how they use AI in their products. (Pew Research Center)

25. 91% of organizations say they need to do more to reassure customers about how their data is being used with AI. (Cisco) 

26. 48% of organizations are entering non-public information about the company into GenAI apps. (Cisco)

27. 15% of employees regularly post company data into ChatGPT, and over a quarter of that data is considered sensitive information. (LayerX)

28. 4% of employees paste sensitive data into GenAI tools on a weekly basis. (LayerX)

29. The top categories of confidential information being input into the GenAI tools include:  (LayerX)

• Internal business data: 43%
• Source code: 31%
• Personally identifiable information (PII): 12%

30. 48% of respondents in enterprises with less than $50 million in revenue said they had no plans to use AI for privacy-related tasks, compared to just 24% of those in enterprises with more than $1 billion in revenue. This could indicate that small enterprises recognize that implementing AI requires proper governance and resources, which could overburden their already stretched workforce. (ISACA) 

31. 63% of organizations have limited the types of data that can be entered into GenAI tools, 61% have limits on which tools can be used, and 27% have banned GenAI tools altogether. (Cisco)

Data privacy legislation and compliance statistics

The enactment of the GDPR in 2018 set off a domino effect, inspiring numerous other governments around the world to adopt similar data privacy frameworks. These statistics highlight the global influence of data privacy regulations and the impact of compliance on organizations. 

32. By the end of 2024, it’s predicted that 75% of the global population will have its personal data covered under privacy regulations (Gartner) 

33. More than 160 privacy laws have been enacted around the globe. (ISACA)

34. More than 120 countries have international data privacy laws in 2024. (World Population Review) 

35. 72% of Americans believe there should be more government regulation on what can be done with personal data. (Pew Research Center)

36. 56% of registered voters in the US said they support federal data privacy legislation. (Morning Consult/Politico)

37. More than 4 in 5 US voters support the measures outlined in the American Data Privacy and Protection Act: (Morning Consult/Politico)

• 87% support banning the sale of data to third parties without users’ consent.
• 86% support requiring companies to minimize the types of user data they collect.
• 86% support increasing online privacy regulations for children under 17.
• 82% support giving individuals the right to sue for damages after data breaches.

38. 50% of consumers believe governments should take the lead in data privacy initiatives, while 21% said organizations should. (Cisco)

39. 66% of consumers feel data privacy laws have had a positive impact. (Cisco)

40. Organizations strongly support privacy laws around the world, with 80% indicating legislation has had a positive impact on them. (Cisco)

41. The CCPA protects over $12 billion worth of personal information each year. (Office of the California Attorney General)

42. The costs of complying with the CCPA are estimated to fall between $467 million and $1.64 billion between 2020-2030. (Office of the California Attorney General)

43. Fortune Global 500 companies spent $7.8 billion preparing for GDPR compliance by 2018. (International Association of Privacy Professionals)

44. As many as half of organizations are using temporary controls and manual processes to ensure GDPR compliance until they can implement more permanent solutions. (McKinsey)

45. Only 25% of companies surveyed said that they can meet the requirement to report a data breach to regulators no later than 72 hours after management becomes aware of it. (McKinsey)

46. Only 37% of organizations have an information governance framework that can adapt to changing data privacy regulations (Gartner)

47. 78% of survey respondents said they use a framework or law/regulation to manage privacy in their organizations. Most commonly used frameworks used to manage privacy: (ISACA)

• GDPR:  53% globally, 78% in the EU
• NIST Privacy Framework: 44% globally, 61% in the US
• ISO/IEC 27002:2013: 35%
• ISO/IEC 27701: 30%
• COBIT: 27%

48. 58% of privacy leaders rank keeping pace with a changing regulatory landscape as their top priority (Gartner)

49. Just over 96% of privacy professionals say that they are confident in their ability to stay informed about new privacy laws and policy initiatives. (International Association of Privacy Professionals)

50. 21% of privacy professionals say their top privacy risk was difficulty maintaining compliance across various regulatory environments with differing and/or evolving requirements. (International Association of Privacy Professionals)

51. Only two out of 10 of privacy professionals surveyed reported they were totally confident in their organization's privacy law compliance. (International Association of Privacy Professionals)

52. 50% of privacy professionals are only somewhat or not confident in their organization’s ability to ensure data privacy and comply with new laws and regulations. (ISACA)

53. 23% of technical privacy professionals say they either never meet with legal/compliance professionals to understand legal and regulatory requirements or only meet when new privacy laws and regulations go into effect. (ISACA)

54. 31% of privacy professionals said the number of data subject requests increased in the past year. (ISACA)

55. The number of data subject requests increased by 72% between 2021 and 2022. Access requests jumped 5x, and deletion requests jumped 2x. (HelpNet Security and DataGrail)

56. Companies process 56% more deletion requests than access requests. (HelpNet Security and DataGrail)

57. The average cost of manually processing a single data subject request is $1,524 (Gartner)

58. Access and deletion requests can cost companies around $648K per year, per million identities. (HelpNet Security and DataGrail)

59. The cost of processing deletion and access requests more than doubled from 2021 to 2022. (DataGrail)

60. 28% of consumers have exercised their data subject rights, with younger consumers most active in doing so. (Cisco)

Data privacy practices statistics

These statistics shed light on how businesses across industries and geographies are navigating the intricate landscape of data privacy.

61. 96% of organizations say data privacy is a business imperative. (Cisco)

62. 70% of business leaders say their company increased collection of consumer personal data over the last year. (KPMG)

63. 97% of organizations say they have a responsibility to use data ethically, compared to 92% in 2021. (Cisco)

64. Over the past five years, overall spending on data privacy has more than doubled. (Cisco)

65. Gartner predicts that large organizations’ average annual budget for privacy will exceed $2.5 million by the end of 2024. (Gartner)

66. 80% of organizations report increased customer loyalty and trust as a result of their investments in data privacy. 78% report increased operational efficiency, agility, and innovation. (Cisco)

67. 95% of organizations say the benefits of investing in data privacy exceed costs, with the average organization realizing a 1.6x return on their privacy investment. 30% of organizations estimate a 2x ROI on data privacy investment. (Cisco)

68. For every dollar spent on privacy, the average company receives $2.70 in associated benefits. (Cisco)

69. Over 70% of business professionals report receiving “significant” or “very significant” benefits from their data privacy efforts. (Cisco)

70. Almost 93% of organizations said privacy is a top-10 organizational risk, and 36% ranked it within the top five. (International Association of Privacy Professionals)

71. 62% of business leaders say their company should do more to strengthen existing data protection measures. (KPMG)

72. 53% of companies have more than 1,000 sensitive files open to every employee. (Varonis)

73. 25% of employees feel their workplace doesn’t prioritize data privacy and security. (Zipdo)

74. Only 50% of organizations have an established privacy risk appetite. (International Association of Privacy Professionals)

75. 17% of privacy professionals said their organizations did not practice privacy by design when building new applications and services. (ISACA)

76. A survey of privacy professionals by the International Association of Privacy Professionals reported the largest risks to data privacy are: 

• Data breaches 
• Noncompliant third-party data processing
• Ineffective privacy by design implementation
• Inappropriate personal data management
• Insufficient privacy training for employees

77. 64% of organizations have a privacy risk management program that is fully integrated into their overall enterprise risk management program. (International Association of Privacy Professionals)

78. 42% of Data Protection Officers seek more effective metrics to measure their privacy programs, and 75% lack the confidence to effectively report on program outcomes. (Gartner)

79. 98% of organizations are reporting privacy metrics to their board of directors. (Cisco)

80. Roles that are primarily responsible for data privacy within an organization: (ISACA)

• Chief Privacy Officer - 21%
• Chief Information Officer - 17%
• Executive-level Security Officer (CISO, CSO) - 15%
• Chief Executive Officer- 14%
• General Counsel/Chief Legal Officer - 10%
• Other - 5%
• Don’t know - 4%
• Board of Directors - 4%
• The organization does not have a person accountable for privacy - 2%

81. Over 50% of privacy professionals say their reporting line goes directly to their company's C-suite. (International Association of Privacy Professionals)

82. Of surveyed privacy professionals, 86% reported regularly working with three or more teams within their organization. (International Association of Privacy Professionals)

83. 33% of organizations saw their privacy teams grow in 2023. (International Association of Privacy Professionals)

84. 63% of privacy professionals agreed that limited resources within their organizations impacted their ability to deliver on privacy goals. 63% say no recruitment is currently being undertaken and 67% indicate insufficient budget. (International Association of Privacy Professionals)

85. 55% of organizations see the demand for legal/compliance privacy roles increasing in the next year. 62% see the demand for technical privacy roles increasing. (ISACA)

86. 25% of privacy professionals said their organizations had open legal/compliance privacy roles, and 31% reported open technical privacy positions. (ISACA)

87. The top five skill deficiencies among privacy professionals are: (ISACA) 

• Lack of experience with different types of technologies or applications (63%)
• Experience with frameworks and/or controls (49%)
• Technical expertise (49%)
• Understanding applicable laws and regulations (44%)
• IT operations knowledge and skills (41%)

88. In response to this skills gap, 50% of organizations have provided training to allow nonprivacy staff who are interested to move into privacy roles, while 39% have increased the use of contract employees or outside consultants. (ISACA)

89. 86% of privacy professionals say their organizations provide privacy awareness training. 9% said no privacy awareness training was conducted. 71% said privacy awareness training had a positive impact on their organizations. (ISACA)

90. Frequency of data privacy training for personnel: (ISACA)

• Annually - 66%
• As part of new hire training - 52%
• Quarterly - 18%
• After the occurrence of a significant event - 17%
• No privacy training is conducted - 6%
• Don’t know - 5%
• Other - 3%

Data privacy breach statistics

The frequency and severity of cybersecurity incidents and data breaches is escalating globally, making discussions around customer data privacy more relevant than ever. These statistics underscore this urgency and the impact of breaches on both consumers and organizations.

91. 45% of Americans have had their personal information compromised by a data breach in the last five years. (RSA)

92. 64% of Americans would blame the company—not the hacker—for the loss of personal data. (RSA)

93. 11% of privacy professionals said their organizations experienced a material privacy breach in the last 12 months. 18% did not know whether their organizations experienced a privacy breach. (ISACA)

94. 16% said it was “likely” their organization would experience a material privacy breach in the next year. (ISACA)

• 22% said neither likely or unlikely
• 28% said unlikely
• 34% didn’t know or preferred not to answer. 

95. 71% of employees globally admit to sharing sensitive and business-critical data via instant messaging and business collaboration tools. This data includes: (Veritas)

• Client information: 13% 
• Details on HR issues 10%
• Contracts 10%
• Business plans 10% 

96. More than 80% of impacted consumers said they are likely to stop doing business with a company after it is the victim of a cyberattack. (International Association of Privacy Professionals)

Data privacy software and technologies statistics

Diving into the realm of data privacy software, the following statistics reveal how technology solutions are shaping data protection and compliance. 

97. The global data privacy software market is projected to grow from $2.76 billion in 2023 to $30.31 billion by 2030 — a 40.9% CAGR. (Fortune Business Insights)

98. Data privacy technology adoption is projected to increase by 46% within the next three years. (Zipdo)

99. 24% of IT professionals say lack of visibility into sensitive data is their biggest data security challenge in 2023. (Netwrix)

100. Gartner predicts that by 2025, 60% of large organizations will use at least one privacy-enhancing computation (PEC) technique in analytics, business intelligence, and/or cloud computing to protect data in use. (Gartner)

101. Organizations with fully deployed security AI and automation report an average cost of a data breach at $3.60 million — $1.76 million less than breaches at organizations that didn't use security AI and automation capabilities. This is a 39.3% difference in average breach cost. (IBM)

5 key takeaways for organizations 

With these statistics in mind, we’ve distilled five critical insights that highlight the evolving nature of data privacy challenges and offer strategic direction for organizations navigating this complex landscape.

1. Data privacy is a business imperative

Data privacy has transcended beyond compliance with legal and regulatory frameworks to become a business imperative. Consumers are increasingly knowledgeable about their data rights and are attracted to organizations that demonstrate a genuine commitment to protecting their personal information. 

This shift in consumer behavior underscores a broader trend: data privacy is not just a legal checkbox but a core component of brand trust and customer loyalty. Organizations that recognize and act on this shift are finding that their commitment to data privacy is rewarded with stronger customer relationships that translate into long-term loyalty and competitive advantage.

2. Growing data privacy awareness is a double-edged sword

As consumers become more informed about their data privacy rights, there has been a notable spike in data subject rights requests, signaling an empowered consumer base eager to exercise more control over their personal data. 

While this growing awareness is a positive development for society at large, it presents a significant challenge for organizations. The surge in requests places additional pressure on already stretched teams responsible for processing these inquiries and maintaining regulatory compliance. 

This tension highlights the need for scalable frameworks that can accommodate the rising volume of requests without compromising on the efficiency or effectiveness of an organization's data privacy practices.

3. Navigating resource constraints and regulatory changes

Organizations face the daunting task of managing their internal resources effectively while keeping pace with an evolving regulatory landscape. Despite these challenges, privacy professionals are hesitant to fully embrace AI solutions, fueled by concerns over potential risks to data privacy and the perceived lack of control over automated processes. This caution underscores the need for more sophisticated, risk-assessed AI solutions that can address these concerns.

4. Empowering data privacy professionals

In response to these increasing demands, organizations are taking proactive steps to empower their data privacy teams, including comprehensive data privacy training for all personnel, and investing in data privacy software solutions to automate manual processes and improve operational efficiency. 

These steps represent the strategic investment organizations are making to build a sustainable and scalable data privacy posture. As the market for data privacy technologies continues to expand, these tools will become indispensable for navigating the complexities of data privacy management, offering robust solutions that can adapt to both regulatory changes and the growing volume of consumer data.

5. Tangible returns on data privacy investments

The investments organizations are making today to strengthen data privacy practices are yielding significant returns, both in terms of monetary ROI and positive consumer sentiment. Organizations that are proactive in enhancing their data privacy frameworks are discovering that these efforts not only mitigate the risk of costly data breaches and non-compliance penalties but also enhance their market position. 

Consumers are increasingly favoring brands that can demonstrate a clear, actionable commitment to data privacy, translating into deeper trust and loyalty. Prioritizing data privacy is not just about avoiding negative outcomes — it's a strategic move that positions organizations for success in a future where data privacy is a key factor in market leadership.

Earn trust and grow your business with a strong data privacy posture

Automation is fundamentally changing the security, privacy, and compliance landscape, making it faster and easier to build and maintain your data privacy program and ensure compliance with an evolving regulatory landscape.

Secureframe’s GRC automation platform empowers organizations with:

• Regulatory compliance: Secureframe helps organizations navigate complex data privacy regulations including GDPR, CCPA and CPRA, and others by ensuring that their policies and practices align with legal requirements. By streamlining compliance with other in-demand frameworks such as SOC 2, HIPAA, and PCI DSS, our platform also helps organizations build strong data privacy and security practices.
• Continuous monitoring: Secureframe continuously monitors compliance, flags misconfigurations and failing controls, and offers tailored remediation guidance. Ensure your organizations stays compliant while adapting to new regulations and evolving data privacy threats.
• Vendor risk management: Secureframe simplifies third-party risk management by automating vendor assessments and monitoring vendor compliance status. This is crucial for data privacy, as third-party vendors can often be a weak link in an organization's privacy and security posture.
• Employee training: Our platform includes proprietary training for employees to understand the importance of data privacy and security best practices. Educated employees are less likely to cause data breaches and more likely to recognize and respond to potential threats.
• Streamline documentation: Secureframe automates evidence collection, which is vital for proving data privacy compliance to auditors, regulators, and partners. Comply AI for Policies leverages generative AI to save organizations hours writing and refining policies that are compliant with data privacy regulations.

To learn more about Secureframe’s capabilities, schedule a demo with a product expert.