CYTRIO released findings from additional independent research it
conducted during Q1 2022 on the state of companies' readiness to comply with
the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA),
and the European Union's General Data Protection Regulation (GDPR). As of March 31, 2022, the findings
uncovered that 90% of companies are not fully compliant with CCPA and CPRA Data
Subject Access Request (DSAR) requirements. Further, 95% of companies are using
error-prone and time-consuming manual processes for GDPR DSAR requirements.

"Our continuous research confirms that first generation
privacy rights management solutions have not gained wide adoption due to cost
and deployment complexity, resulting in a high percentage of CCPA
non-compliance," said Vijay Basani, founder and CEO of CYTRIO. "This
problem will become more pronounced as CPRA enforcement takes effect in 2023
with the stringent 12-month lookback. Awareness of their data privacy rights by
consumers coupled with the rise of data aggregators is driving an increased
number of data requests. As the California Privacy Protection Agency (CPPA)
begins active enforcement of CCPA and CPRA, non-compliance to DSAR requests
will become cost prohibitive for both medium and large sized companies."

CYTRIO released its inaugural State of CCPA Compliance research results
in January, the largest of its kind, studying 5,175 U.S. companies with
revenues ranging from $25 million to more than $5 billion. The findings showed
that only 11% of companies were fully meeting CCPA requirements, while 89% of
companies were either non-compliant or somewhat compliant. From January to
March, CYTRIO researched an additional 1,570 companies for CCPA and GDPR DSAR
compliance, bringing the total to 6,745 companies to date.

This most recent research shows only 10% of companies
have deployed an automated CCPA DSAR management solution. Additionally, B2B and
B2C companies of all sizes are equally poorly prepared for CCPA
compliance, and B2B and B2C companies are also woefully unprepared for GDPR
compliance, despite the regulation going into effect in May 2018 with $1.8
billion in fines levied as of March 2022.

From Q4 2021 to Q1 2022, the top three most compliant
verticals remained the same with Business Services, Retail, and Finance making
up 54% of the companies researched. While the top three most compliant states
(California, New York, and Texas) remained the same, the total number of
companies from those states as a percentage of total companies decreased from
31% to 25%, indicating other states seem to be catching up.

Last month, Utah passed the Utah Consumer Privacy Act,
moving closer to becoming the fourth state to enact privacy legislation in the
U.S., behind California, Colorado, and Virginia. Currently, 22 states,
including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington,
Wisconsin, and New Jersey, have multiple pieces of consumer privacy legislation pending.

A key observation in this research was that DSARs coming
from data aggregators are increasing in frequency and volume with the majority
of requests being Right to Delete (Erasure). To be in compliance, companies
must respond to these requests in a timely manner.

To access the full findings of CYTRIO's most recent data
privacy research, go to:
https://cytrio.com/ccpa-research-report-q1-2022/