CYTRIO released the findings of its latest research from Q3 2022
related to companies' readiness to comply with the California Consumer Privacy
Act (CCPA), California Privacy Rights Act (CPRA), and the European Union's General Data
Protection Regulation (GDPR). The fourth research report on the state
of CCPA and GDPR data rights compliance confirms that as of September 30, 2022,
92% of companies are still unprepared for CCPA and CPRA and 91% are unprepared
for GDPR. The stricter and enhanced CCPA/CPRA becomes fully enforceable on
January 1, 2023, and includes employees' rights to their personal data.

"Companies should be aware of numerous changes coming in
the more expansive CPRA that goes into effect on January 1, 2023, including
employees' right to exercise data privacy, requiring companies to deploy an
effective and scalable CCPA/CPRA and GDPR compliance management solution," said
Vijay Basani, founder and CEO of CYTRIO.

"Further, as the new California Privacy Protection Agency (CPPA) takes on the CPRA enforcement role
starting January 1 with a 12-month lookback window, there will be an increase
in enforcement resources resulting in CPRA penalties. This fourth installment
of research conducted by CYTRIO in Q3 confirms that companies are not
prepared."

During Q3 2022, CYTRIO researched 1,557 U.S. mid to large
companies with revenues from $25 million to $5+ billion, bringing the total
number of companies researched to 9,827 over the last year. Of the companies
researched in Q3, 52% stated they need to comply with CCPA but do not provide a
mechanism for consumers to exercise their data privacy rights, while 39% of
companies are using expensive and error-prone manual processes. By comparison,
Q2 research indicated that as of June 30, 2022, 91% of companies that must
comply with CCPA were still not prepared to meet those compliance requirements,
and 94% of companies that must comply with GDPR were ill prepared.

The Q3 research shows slow improvements, including across
verticals where the two most compliant industries - Business Services and
Retail - remained the same from the end of Q2 2022 to the end of Q3 2022. In
Q3, Hospitality made its way to the top three, pushing out Finance. The top
three most compliant verticals made up 56% of the companies researched.

CYTRIO also observed slow movement in other areas:

- Only 8.2% of the companies in the Q3 cohort are using a Data Subject Access Request (DSAR) management automation solution, compared with 8.9% in Q2.
- 21% of the companies stated they need to comply with both CCPA and GDPR, consistent with Q2 2022. Of these, approximately 9% are using privacy rights management automation solutions and 91% are using manual processes.
- 3.5% of companies in the manual compliance Q2 2022 cohort moved to automation in Q3.
- 9% of companies in the non-compliant Q2 2022 cohort moved to the manual compliance cohort in Q3.

Q3 2022 saw the first enforcement action under CCPA with Sephora being fined $1.2 million for selling
consumers' personal information to online tracking companies without their
consent. GDPR continues to be actively enforced with fines totaling in excess
of $2.4 billion as of September 2022 and the total number of fines reaching
1,304.

To view an infographic summarizing the research findings,
visit: https://cytrio.com/wp-content/uploads/2022/12/infographic-q3-2022.png

To access the full findings of CYTRIO's most recent data
privacy research, go to: https://cytrio.com/ccpa-research-report-q3-2022/