Twenty US states now have comprehensive privacy laws on the books. Three more came online on January 1, 2026. Cure periods are expiring across multiple jurisdictions. And regulators are running coordinated enforcement sweeps.
For Chief Privacy Officers still relying on manual processes to handle privacy rights requests, the math no longer works.
The Volume Problem
The California Privacy Protection Agency (CalPrivacy) received over 8,265 consumer complaints between July 2023 and September 2025, with monthly submissions trending upward. More than half of those complaints related to the right to delete.
Industry reports indicate organizations are seeing year-over-year increases in privacy requests of around 60%. As consumer awareness grows and more states grant individuals the right to access, correct, and delete their data, this trajectory will steepen.
The challenge is that each request must be individually verified, triaged, routed to the correct systems, compiled, redacted, and responded to within a statutory deadline.
Under the CCPA, that deadline is 45 days. Under Brazil’s LGPD, it is 15 days.
As Gartner notes in its Market Guide for Privacy UX, these long-standing response obligations are becoming far more difficult to meet as request volumes and channel coverage expand.
The Cost of Doing it By Hand
Manual processing of a single privacy rights request can cost a company between $1,400 and $10,000, depending on the complexity of the organization.
Most enterprises store personal data across dozens of internal systems and SaaS platforms. Finding a specific individual’s records across all of them requires significant coordination.
Manual workflows tend to collapse beyond 50 requests per month. When privacy teams rely on spreadsheets and email chains to track deadlines, requests slip through the cracks. Missed deadlines and incomplete responses are now a primary trigger for regulatory action.
Enforcement is Accelerating
Regulators are not waiting for organizations to catch up.
- In September 2025, Tractor Supply was fined $1.35 million for CCPA violations including failures in vendor contract compliance.
- In May 2025, CalPrivacy ordered clothing retailer Todd Snyder to pay a six-figure fine and overhaul its privacy practices, citing a 40-day delay in processing consumer opt-out requests caused by a poorly configured portal.
- Meanwhile, CalPrivacy announced joint investigative privacy sweeps with Colorado and Connecticut in September 2025, specifically targeting compliance with Global Privacy Control signals.
Cure periods are expiring across several states, meaning violations are now enforceable without a grace period.
The Patchwork Multiplier
The compliance burden is not just about California. Every state law grants consumers rights to access, delete, and opt out of data sales and targeted advertising, with response timeframes typically limited to 45 days.
Each jurisdiction carries its own nuances. For example:
- Iowa allows 90 days to respond to privacy rights requests.
- Rhode Island has no cure period.
- Maryland’s Online Data Privacy Act introduces stricter data minimization standards.
A multi-state business receiving requests from consumers in a dozen jurisdictions must simultaneously track different deadlines, rights, and disclosure requirements.
Manual processes cannot reliably manage this complexity. A missed deadline in one state can trigger enforcement even if the organization is fully compliant everywhere else.
Automation As a Structural Requirement
Gartner identifies privacy rights request management as a core component of the privacy UX ecosystem. Its Market Guide for Privacy UX predicts that fulfillment will consolidate into authenticated self-service portals that automate orchestration across different systems.
This shift is gaining traction not because response timelines are new, but because rising request volumes, broader channel coverage, and increased enforcement make manual intake, routing, and fulfillment too risky and too costly at scale.
A scalable workflow must cover the entire request lifecycle: capture, logging, identity verification, triage, response collation, redaction, validation, and communication. Critically, it must connect directly to the data repositories where personal data is stored, not sit as an isolated layer on top.
Automation can reduce the cost per request from over $1,500 to between $50 and $200, while cutting processing time from weeks to days.
The Operational Reality
For privacy teams still running manual workflows, 2026 is the inflection point.
The combination of rising volumes, expiring cure periods, multi-state enforcement coordination, and tightening response deadlines makes the status quo untenable.
Investing in automated privacy rights processing is no longer a question of efficiency. It is a question of whether the organization can continue to meet its legal obligations at all.