Most companies are woefully unprepared for dealing with the California Consumer Privacy Act (CCPA), according to the State of CCPA Compliance: Q1 2022, a study by security firm Cytrio.
Only 11% overall have automated Data Subject Access Requests (DSARs), a key element of CCPA that gives consumers the right to access their own data. By contrast, 45% utilize “expensive and error prone home grown manual processes” like email and web forms, and 44.17% lack any mechanism at all.
Firms within California are doing only marginally better: 15.6% had a DSAR management automation solution, and 59.3% used manual processes, the highest rate of any state. New Hampshire was the most compliant, with a 23.5% automation rate.
Companies have until January 2023 to comply with the CCPA.
Cytrio studied 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion over a six-month period. It plans to update the study every quarter.
It also found that 11.3% of B2C companies and 10.3% of B2B companies have automated their DSAR handling. Large firms are doing better: 60% of firms with more than 10,000 workers had an automation solution. Moreover, firms with over $100 million in revenue were more likely to have one, with those with over $5 billion especially likely.
Among verticals, consumer services, media and internet, and hospitality were more likely to deploy DSAR automation. Companies in these fields collect large amounts of personal information on consumers.
The highly regulated industries of healthcare, financial services, and insurance are lagging, although healthcare providers did offer manual processes to consumers. Legal also relied heavily on manual tools.
Overall, businesses are not ready for CCPA.
“An overwhelming majority are manually responding to data requests with only a small number implementing DSAR management automation solutions,” says Vijay Basani, founder and CEO of Cytrio.
Basani adds: “The reliance on manual processes exposes them to high DSAR compliance costs, long response times, errors that will erode consumer trust, and non-compliance actions by the California Privacy Protection Agency (CPPA).”