CYTRIO has released its State of CCPA Compliance: Q1 2022 research report. It shows that just 11% of companies can fully meet California Consumer Privacy Act (CCPA) requirements, especially for Data Subject Access Requests (DSARs). A further 44% had no mechanism to allow consumers to exercise their data rights.
Vijay Basani, founder and CEO of CYTRIO, said, “The findings of our research show that companies are woefully unprepared for CCPA compliance, especially when it comes to enabling and responding to consumers’ data privacy rights.
“An overwhelming majority are manually responding to data requests with only a small number implementing DSAR management automation solutions. The reliance on manual processes exposes them to high DSAR compliance costs, long response times, errors that will erode consumer trust, and non-compliance actions by the California Privacy Protection Agency (CPPA).”
What does the CYTRIO research show?
The CYTRIO research report is short (10 pages) and to the point. It focused on the readiness of businesses to comply with CCPA and CPRA and relied on research conducted over six months. The company plans to update it quarterly.
Central to the research is the ability of companies to deal with DSARs. These are the reports individuals can file to get information on what data a company holds about them. It is the start of a process that allows an individual to request corrections to, or deletion of, data. As such, it’s a key element of consumer privacy protection.
The good news is that 10.78% of companies have a fully automated DSAR solution. IT allows individuals to request their data, finds their data and then reports on that data. That leaves 89.22% of companies either using manual processes or non-compliant. There are also differences between B2C and B2B.
45% (46.2% B2C and 44.3% B2B) are partially compliant but use manual processes
44.7% (42.5% B2C and 45.4% B2B) are completely non-compliant
There is also significant variation between different vertical industries, with some more prepared than others. The top and bottom performing industries when it comes to compliance and non-compliance are:
| Industry | Compliant (automated) | Partially Compliant (Manual) |
Non-Compliant |
| Media & Internet | 30.16% | 45.40% | 24.44% |
| Consumer Services | 25.00% | 37.50% | 37.50% |
| Software | 15.54% | 57.43% | 27.03% |
| Construction | 3.92% | 21.57% | 74.51% |
| Healthcare | 62.50% | 37.50% | |
| Energy, Utilities & Waste | 14.29% | 85.71% |
Location of business and size also makes a difference
Where a company is located and its size makes a real difference to how prepared they are. For those expecting California companies to be the most prepared, it came 4th. The top and bottom three states are:
| State | Compliant (automated) | Partially Compliant (Manual) |
Non-Compliant |
| New Hampshire | 23.53% | 47.06% | 29.41% |
| Utah | 18.07% | 57.83% | 24.10% |
| Alabama | 17.86% | 10.71% | 71.433% |
| New Mexico | 11.11% | 88.89% | |
| Montana | 10.00% | 90.00% | |
| West Virginia | 100.00% |
In terms of company size, bigger is better because they have the money and skills to deploy solutions. They are also more likely to be in regulated industries where non-compliance is seen as a business risk. The research showed that large companies (> US $100M) did better than mid-sized businesses ($25M-$100M).
It also showed that those companies who have automated the process are almost solely the large companies, leaving mid-sized businesses to rely on manual processes. This differentiation may also account for the poor showing of some states.
Enterprise Times: What does this mean?
That US companies are unprepared for CCPA and CPRA is unsurprising. Years after GDPR appeared in Europe, some companies are still non-compliant, especially when it comes to DSARs. The question now is, how quickly can those organisations get their house in order? Additionally, will it take several early prosecutions by California to speed up compliance?
What is concerning is just how poorly some states and industry sectors are doing? 25 US states have a non-compliance rate of 50% or greater, while 4 out of 18 industry sectors are just as non-compliant.
It is easy to see this as just about the money thrown at the problem, but it is more complicated than that. The process is just as important, and it takes time to understand and get that right. It is something that all those industries relying on manual processes are likely to discover when they try and automate.
One further issue here is that much of this research focuses on DSARs and the process around them. There is much more in CCPA and CCRA that companies need to address. Will we see CYTRIO widen its research to cover those areas?
