CYTRIO’s data privacy research shows non-compliance with the CCPA from Q4 2021 to Q1 2022, despite upcoming enforcement.
Data privacy rights firm CYTRIO released the results of further independent research, performed in Q1 2022, into how ready companies are to comply with the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). As of March 31, 2022, 90% of companies aren’t meeting the requirements of the CCPA and CPRA for Data Subject Access Requests (DSAR). In addition, 95% of businesses still use manual processes to meet the GDPR DSAR requirements.
According to CYTRIO CEO Vijay Basani, this research shows that first-generation privacy rights management solutions haven’t been widely used because they are too expensive and difficult to set up. This will become more of a problem when the strict 12-month lookback starts in 2023 with CPRA enforcement, because people are becoming more aware of their data privacy rights and because of the rise of data aggregators. Non-compliance with DSAR requests will become too costly for medium-sized and large businesses as the California Privacy Protection Agency (CPPA) starts enforcing the new laws. This has led to a high percentage of CCPA non-compliance.
In January, CYTRIO released its first State of CCPA Compliance Report, the largest of its kind. It looks at 5,175 U.S. businesses with revenue of between $25 million and $5 billion+. From January to March, CYTRIO looked into an extra 1,570 companies for CCPA and GDPR DSAR compliance, bringing the total number of companies reviewed to 6,745. Only 11% of the companies were meeting all of the requirements for the CCPA, while 89% of the companies were either not meeting all of the requirements or were not meeting them at all.
According to this most recent research, only 10% of companies have used an automated way to manage CCPA DSARs. The same is true for businesses of all sizes. Both B2B and B2C businesses aren’t ready for CCPA and GDPR, even though the regulations came into effect in May 2018 and will cost companies $1.8 billion in fines by March 2022.
The results didn’t change much from Q4 2021 to Q1 2022. Business Services, Retail, and Finance made up 54% of the companies looked at. There were still many companies from California, New York, and Texas. But the total number of companies from those states as a percent of the total number of companies dropped from 31% to 25%, which means other states are catching up to them.
Currently, 22 states, including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey, are working on legislation affecting how people use their personal information. Last month, Utah passed the Utah Consumer Privacy Act, which moves it closer to becoming the fourth state in the United States to pass privacy laws. California, Colorado, and Virginia are the three other states that have done this.
The key finding of this research was that DSARs from data aggregators are becoming more common, and most of them are for the Right to Delete (Erasure). Companies must answer these requests quickly to comply.