If you’re responsible for securing, managing, or processing personal information (e.g., customer or employee data), it’s important to stay up-to-date with current data privacy trends.
The type of knowledge worth developing includes the prevalence and risks associated with personal data breaches, awareness of relevant privacy laws, the attitudes and concerns of customers, new and emerging areas of concern surrounding privacy (e.g., linked to smart devices and the Internet-of-Things), as well as best practice for personal data protection.
To help you get a handle on all of this, here’s our rundown of recent data privacy statistics and key technical and regulatory developments shaping the privacy landscape.
Importance of Data Privacy
Data privacy is a branch of security concerned with protecting the confidentiality of, access to, and appropriate use of data. It is particularly important when it comes to safeguarding personal identifying information (PII) and other types of sensitive data.
Data privacy statistics demonstrate that it’s something that consumers increasingly care about.
Levels of Consumer / Internet User Concern Surrounding Data Privacy
1. 83% of consumers either agree or strongly agree with the statement, “These days, I think about whether I trust a company to keep my information safe before I buy something from them.”
2. 64% of consumers say they have opted not to work with a business because of concerns about whether they would keep their personal data secure.
3. 82% of consumers say they are highly concerned about how their data is collected and used.
4. More than half of consumers (57%) worry that brands use their data beyond intended purposes.
5. Companies that demonstrate responsible data practices benefit from an increase in purchase intent of 23% compared to companies that cannot demonstrate those practices.
6. In 2023, 58% of consumers say they are worried about being “hacked and tracked” through their devices, up from 41% in 2022.
7. 77% of internet users worldwide say they are worried about personal information being stolen.
8. 75% of internet users worldwide say they are worried about personal information being used by companies for marketing purposes without permission.
9. 68% of internet users worldwide say they are worried about personal information being used by the government without permission.
10. In the US, the percentage of Democrat voters who say they are worried about how the government uses their personal data fell slightly from 66% to 65% between 2019 and 2023. In the same period, the share of Republican voters who expressed this concern grew from 63% to 77%.
Changes in Laws and Corporate Attitudes
11. The vast majority (71%) of countries now have data privacy legislation in place.
12. In a 2021 survey of business leaders, 70% said their company increased the collection of consumer data over the previous year.
13. 62% of business leaders said their organization should be doing more to strengthen existing data protection measures.
14. 29% of business leaders said their company sometimes uses unethical data collection methods.
15. In a 2023 survey of business leaders, 45% of US respondents said they were ‘very prepared’ to comply with state privacy law frameworks, compared to 59% in the previous year’s survey.
16. In 2023, 40% of US businesses and 32% of UK businesses said they were very concerned about privacy laws that include specific restrictions on collecting and using data for targeted marketing. Litigation and enforcement actions were named as top concerns.
17. 58% of businesses say they conduct regular staff training on data privacy.
18. Just 34% of businesses have conducted data mapping and understand data practices across their organization. This suggests that many businesses may not have a full picture of what personal data they actually hold.
Personal Data as a “Currency” in the Digital Economy
19. An estimated 80% of apps use personal data for commercial ends. This includes activities such as serving you their own ads on other platforms, and in-app promotions for their own benefit and for third parties.
20. According to pCloud, Facebook and Instagram are the brands that are most effective at collecting personal data and leveraging it for their own benefit.
21. Google ad revenue is a useful indicator of the value of personal data as a form of currency. In 2001, each Google user generated an average ad revenue of $1.07. By 2019, this had increased by around 1800% to $36.20.
22. 53% of consumers regard their personal information as an asset for negotiating better prices and offers with companies.
Private/Personal Identifiable Information Data Breaches
Personal identifying information provides rich pickings for cybercriminals. The stats highlight that if an organization is hit by a data breach, there’s a very good chance that personal data will be compromised.
Data Privacy Statistics - Breaches
23. The number of data records exposed worldwide from Q1 2020 to Q1 2023 fluctuated consistently in both directions:
Period | Number of data records exposed (in millions) |
Q1 2020 | 68.99 |
Q2 2020 | 79.52 |
Q3 2020 | 10.09 |
Q4 2020 | 125.74 |
Q1 2021 | 95.58 |
Q2 2021 | 19.42 |
Q3 2021 | 14.1 |
Q4 2021 | 19.33 |
Q1 2022 | 3.33 |
Q2 2022 | 5.54 |
Q3 2022 | 14.78 |
Q4 2022 | 10.45 |
Q1 2023 | 6.41 |
24. Check Point Research data illustrates how cyberattacks are becoming more prevalent worldwide. Cyberattacks increased by 38% in 2022 compared to 2021.
25. According to SonicWall, there were 6.3 trillion intrusion attempts in 2022.
26. 1 in 2 American internet users had their accounts breached in 2021.
27. Verizon analysis suggests that for those organizations that suffered a data breach in 2022, personal data was disclosed to an unauthorized actor in more than 50% of cases.
28. IBM found that customer PII was the most commonly breached record type in 2023 (compromised in 52% of breaches), followed by employee PII (compromised in 40% of breaches).
Most Affected Industries
29. Organizations within the financial services and insurance sector are most likely to suffer a compromise of personal data (i.e., personal identifying information) when hit with a data breach. Between November 2021 and 2022, personal data was compromised in 74% of cases where finance and insurance organizations suffered data breaches.
Cost of a Personal Data Breach
30. According to IBM, the global average data breach cost in 2023 was $4.45 million - 15% more than in 2020.
31. Customer PII is the costliest data type for an organization to have compromised. In 2023, customer PII (e.g., names and social security numbers) cost organizations an average of $183 per record when breached. Employee PII comes close behind at $181 per record.
32. In August 2023, US News & World Report commissioned a survey of 2,000 US adults who had been victims of identity theft. Of these, 34% reported financial losses between $100-$500. 15% reported losses greater than $1,000.
Consumer Attitudes Towards Privacy
Consumers are generally willing to offer up their data in exchange for access to services. However, they expect organizations to take care of it.
General Attitudes to Data Privacy, Sharing, and Usage
33. Globally, 53% of consumers agree that exchanging personal information is essential for the smooth running of modern society. In China, this rises to 82%.
34. Almost three in four global consumers think that data is their property and that they should be able to trade it if they wish.
35. Two-thirds of smartphone users worry about data security and privacy on their mobile phones in 2023 - up 13 percentage points from 2022.
Attitudes to Organizations’ Use of Personal Data
36. In 2022, The Global Data & Marketing Alliance (GDMA) estimated that nearly half (47%) of consumers across ten key global markets are ‘data pragmatists’: i.e., they are concerned about online privacy but will make trade-offs on a case-by-case basis as to whether the service or enhancement of service offered is worth the information requested. This is down from 51% in 2018.
37. In 2022, GDMA estimated that 21% of consumers across 10 key global markets are data fundamentalists: i.e., they are concerned about online privacy and are unwilling to provide personal information, even in return for a better service. This is down from 23% in 2018.
38. Across 16 countries, France has the highest proportion of data fundamentalists (26% of the population). China and India have the joint lowest (6%).
39. 27% of global internet users think that companies can track them, and 17% think that hackers can access their data, no matter what actions they take.
40. Of smart home technology service users, 62% worry about security and privacy in 2023 - up 10 percentage points from 2022.
41. Younger people are more relaxed than their elders regarding trusting companies with their data. Half of Gen Zs and Millennials say they trust online services to protect their data, compared with three in 10 older consumers.
42. 60% of Gen Zs and Millennials think the benefits they generally get from online services outweigh their privacy concerns. Only four in 10 older consumers feel this way.
43. 85% of consumers think device makers should do more to protect data privacy and security on their devices.
Consumers’ Willingness to Take Action on Privacy
44. Three-quarters of consumers think they should do more to protect their data privacy.
45. 18% of consumers say they are unwilling to pay for software or services to increase their protection.
46. 9% of consumers chose to buy a connected device they thought did not track them in 2023 - up five percentage points on the previous year.
47. 9% of Americans always read privacy policies before agreeing to them. 36% never read them.
Privacy Laws
Most jurisdictions now have comprehensive privacy laws in place. On the whole, businesses and individuals tend to regard the existence of such laws as a positive.
The State of Data Privacy Law Adoption Worldwide
48. As of 2023, 137 out of 194 countries have enacted data protection and privacy legislation.
Data Protection and Privacy Legislation Worldwide
Region | Countries with legislation in place | Countries with draft legislation in progress | Countries with no legislation | Countries with no data on the state of legislation available |
Africa (54 countries) | 33 (61%) | 6 (11%) | 10 (19%) | 5 (9%) |
Americas (35 countries) | 26 (74%) | 4 (11%) | 5 (14%) | 0 (0%) |
Asia-Pacific (60 countries) | 34 (57%) | 7 (12%) | 15 (25%) | 4 (7%) |
Europe (45 countries) | 44 (98%) | 0 (0%) | 0 (0%) | 1 (2%) |
Organizational Compliance and Impact
49. In 2023, 50% of US and UK organizations say they are “very prepared” to address data privacy laws.
50. 55% of US and 45% of UK organizations say they are concerned about enforcement action surrounding the use of geolocation data.
51. 50% of US and 36% of UK organizations are concerned about possible user litigation.
52. 10% of UK organizations say data privacy regulations are a major impediment to cross-border business.
Potential Organizational Benefits of Privacy Law Compliance
- Valuable data is better safeguarded from theft and loss
- Greater trust from customers and investors
- Higher brand value
- A stronger competitive advantage
- A deeper understanding of the data organizations hold, its value, purpose, and benefits
- Improved data management and control
53. In 2023, 79% of security professionals globally said that privacy laws positively impacted their organizations. 14% were neutral, and 6% said the laws had a negative impact.
Consumer Attitudes to Data Privacy Laws
54. According to a 2023 Pew survey, 72% of US consumers say there should be more government regulation of what companies can do with their customers’ personal information. 7% say there should be less regulation. 18% say it should stay about the same.
55. In 2023, 72% of US consumers say they have little to no understanding of current data privacy laws. This is up from 63% in 2019.
Global Privacy Principles
Data privacy laws and data protection laws across the globe generally follow these five principles:
Notice | Requiring organizations to advise users or customers of the procedures and policies they have in place to protect personal information. |
Choice and consent | Requiring organizations to seek users’ consent and provide users with choices around how their data is collected, managed, and used. |
Access and participation | Individuals should have the right to access the data held on them, to rectify inaccuracies, to obtain copies, and to withdraw consent where that is the legal basis of data processing. |
Integrity and security | Organizations must have adequate measures in place to ensure that data is secure and that there is no unauthorized access. |
Enforcement | Organizations may face regulatory intervention (e.g., enforcement notices and fines) if data privacy rights are breached. |
Influential and Recent Privacy Laws
Europe: (GDPR: General Data Protection Regulation)
GDPR came into force in 2018. It sets out the rights of European Union citizens concerning their personal data and explains what’s expected of organizations that control and process this data.
56. GDPR quickly became a model for other privacy law frameworks across the globe.
57. At least 20 countries other than EU states have adopted laws that are significantly close to GDPR.
58. Organizations across the globe are required to be GDPR-compliant if they control or process personal data relating to EU residents. Until May 2018, Fortune 500 companies spent an estimated $7.8 billion on GDPR compliance measures, with 40% spending more than $10 million.
59. In 2021, European data regulators issued EUR $1.1 billion in GDPR fines, a sevenfold year-on-year increase.
60. Between July 2018 and February 2023, a total of 1,576 GDPR fines had been issued by EU regulators.
61. The highest average GDPR fines have been levied in the media, telecoms, and broadcasting sectors. The highest number of fines has been in the industry & commerce sector.
India (DPDP: Digital Personal Data Protection Act)
India finally passed its long-awaited new data protection law - the Digital Personal Data Protection Act (DPDP) - in August 2023. Its commencement date is yet to be announced. The Act is broadly similar to GDPR, but with some notable divergences.
62. With GDPR, the level of fines is partly dependent on the turnover of the organization. Under DPDP, penalties are turnover-agnostic. Maximum penalties for specific offenses range from approx. $6 million (Rs 50 crore) to $30 million (Rs 250 crore) for each breach.
63. Unlike GDPR, DPDP does not give data subjects a right to claim compensation from an offending organization if there has been a breach of data protection obligations.
64. DPDP prescribes duties on data subjects to provide verifiably authentic information - subject to fines (GDPR does not do this). Data subjects can also be fined for bringing frivolous complaints against organizations.
California (CPRA: California Privacy Rights Act)
The new California Privacy Rights Act (CPRA) became operative on 1 January, 2023. This amends the existing California Consumer Privacy Act (CCPA) by adding new rights for data subjects.
Existing CCPA rights
- The right to know (request disclosure of personal information)
- The right to delete personal information
- The right to opt out of the sale of personal information
- The right to opt in to the sale of personal information
- The right to nondiscriminatory treatment for exercising data rights
- The right to initiate a private cause of action for data breaches
Additional rights created under CPRA
- The right to correct inaccurate personal information
- The right to limit use and disclosure of sensitive personal information
China
China’s data protection and privacy framework is governed by three key pieces of legislation:
The Personal Information Protection Law (PIPL)
65. Effective as of November 1, 2021, this is China’s principal personal data protection law.
66. Modeled partly on GDPR, PIPL sets out principles linked to consent for processing, cross-border data transfer rules, and rights of data subjects.
Cybersecurity Law 2016 (CSL)
67. This is China’s law aimed at ensuring enterprises that operate computerized networks have adequate cyber security measures in place.
68. It includes personal information protection requirements, including requirements for multi-level cyber security protection, assessments, and inspection.
Data Security Law (DSL)
69. A law setting out fundamental requirements for data security.
70. It includes measures such as data categorization and classification, risk controls, and contingency responses.
Best Practices for Protecting Personal Data
Businesses and individuals now tend to take a range of measures to safeguard data privacy.
What Steps Are Consumers Taking?
71. Deloitte found that in 2023, 39% of consumers had turned off location-based services in the past year. This was the most popular measure consumers took to address privacy and security concerns.
72. In 2023, 79% of consumers had taken at least one of 14 identified data protection measures (up from 71% in 2022).
What Steps are Organizations Taking?
Privacy spending
73. After steep increases from 2019 to 2020, annual organizational spending on privacy remained steady between 2021 and 2022.
Privacy metrics
74. Security professionals report an average of 3.1 privacy metrics to their board.
75. The most commonly reported privacy metrics are data breaches (41%), data protection impact assessments (39%), and incident response reports (37%).
Importance of privacy expertise for security professionals
76. In 2023, a third of senior security professionals rank “Data privacy and governance” as one of their top three responsibilities. This highlights the value of data privacy knowledge for cyber security and infosec professionals seeking to progress into senior and leadership roles.
Specific data privacy measures adopted by organizations
77. In 2023, more than 70% of companies claim to always or frequently implement key data protection and security measures.
Future Predictions
As an increasing number of businesses roll out IoT and AI-based initiatives, extra care needs to be taken to retain customer trust regarding what data is being harvested and what it’s being used for.
Internet of Things
78. The total installed base of IoT-connected devices is expected to reach 30.9 billion units worldwide in 2025, up from 13.8 billion units in 2021.
79. Only 14% of consumers view smart devices as secure, despite 38% already using them.
Artificial Intelligence and Automated Decision-Making Using Personal Data
80. 54% of consumers say they would be willing to share their anonymized personal data to help improve AI products and decision-making.
81. 65% of consumers say they have already lost some trust in organizations as a result of their AI use.
Recent Data Privacy News
These examples highlight the financial and reputational repercussions of a failure to prioritize users’ online data privacy and protection.
Meta’s Record-Breaking GDPR Penalty
Meta was hit with a $1bn+ fine for transferring EU users’ data to the US for processing, in contravention of an earlier EU court ruling saying that this was unlawful.
TikTok’s Teen Privacy Dispute
Data regulators in Ireland hit TikTok with a $360m+ fine for failing to take care of the private user data of its youngest users. However, the Chinese-owned video-sharing platform is fighting back…
Conclusion
There’s a clear quid pro quo arrangement in play when it comes to data privacy.
From facial recognition-enabled door locks to personalized shopping recommendations, consumers love the type of digital innovation that makes life easier. And generally, many of us are willing to hand over large volumes of often very sensitive personal data to make all this happen.
But at the same time, we’re increasingly likely to think twice before handing over this data: Who’s asking for it? Why exactly do they need it? And are they going to take care of it? If an organization is shown to play fast and loose with data privacy and protection, a loss of user trust (and revenue) is pretty much inevitable.
For businesses, data privacy is a top priority for retaining user trust. And for information and cyber security professionals, it’s also important to remember that data privacy is not a niche concern that’s hived into very specific roles. If your work involves protecting an organization’s assets, privacy is definitely an area where it’s worth building a solid bank of knowledge.
Sources
- AAG: The Latest 2023 Cyber Crime Statistics, Report, 2023
- Check Point: ‘Check Point Research Reports a 38% Increase in 2022 Global Cyberattacks’, Article, January 2023
- Cisco: Consumer Privacy Survey, 2023
- Cisco: Data Privacy Benchmark Study, 2023
- CMS: 5 Years GDPR Report, 2023
- Data Guidance: China - Data Protection Overview, October 2023
- Deloitte: Connected Consumer Survey, 2023
- Deloitte: ‘Data privacy and security worries are on the rise, while trust is down’, Article, 2023
- DLA Piper: GDPR fines and data breach survey, January 2022
- Economic Times: Data Protection Bill, Article, 2023
- Emarsys: GDPR Compliance, How it’s Affecting US Companies, Article, 2018
- GDMA: Global Consumer Attitudes Survey, 2022
- IBM: Cost of a Data Breach Report, 2023
- IBM: Survey, Consumer Attitudes Towards Data Privacy, 2019
- Infosecurity Magazine: Global IoT Trust Survey Reveals Security Concerns, Article, 2023
- Ketch: The Person Behind the Data, Report, 2022
- KPMG: Data Privacy Survey, 2021
- LR Foundation: World Risk Poll, 2021
- pCloud: Invasive Apps Report, 2021
- Pew Research Center: Americans and Privacy, Report, 2019
- Pew Research Center: How Americans View Data Privacy, Article, October 2023
- PwC: Global Digital Trust Insights Survey, 2023
- Reed Smith: The fourth anniversary of the GDPR, How the GDPR has had a domino effect, Article, 2022
- SonicWall: Cyber Threat Report, 2023
- Statista: Commonly Compromised Types of Data by Industry
- Statista: Internet of Things and non-IoT active device connections worldwide from 2010 to 2025
- Statista: Number of Data Breaches Worldwide 2020-2023
- UNCTAD: Data Protection and Privacy Legislation Worldwide, Report
- US News & World Report: Identity Theft Survey, 2023
- Verizon: DBIR Report, 2023
- Womble, Bond, Dickinson: Growing Global, 2023 global data privacy survey report
Very informative. It is a pity Recruiters (Agencies, Private and Public Sector Employers) don’t refrain from demanding more and more P.I.I (often very intrusive and unnecessary) at the application stage.