Commentary

Compliance Sluggards: Most Email Senders Are Unprepared For CCPA

Brands are continuing to lag in preparing for the California Consumer Privacy Act (CCPA) and other laws.

A full 90% are not yet compliant with the data subject access request (DSAR) requirements in the CCPA, the CPRA and Europe’s GDPR, according to State of CCPA and GDPR, a study released Tuesday by Cytrio. And only 11% are partially or fully ready for the CCPA.

CCPA takes effect next year — on January 1, to be exact — but the law has a lookback provision, meaning that firms who violate it even now could face penalties. Non-compliance in general will become cost-prohibitive, Cytrio warns. 

And CCPA is not the only law of its kind: Last month, Utah passed the Utah Consumer Privacy Act, following California, Colorado, and Virginia. 

What’s more, 22 other states, including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey, have similar legislation pending. 

Another hurdle is that DSARs are coming from data aggregators with increasing frequency. The majority of requests are Right to Delete (erasure).

“This problem will become more pronounced as CPRA enforcement takes effect in 2023 with the stringent 12-month lookback,” states Vijay Basani, founder and CEO of Cytrio. “Awareness of their data privacy rights by consumers coupled with the rise of data aggregators is driving an increased number of data requests.”

One possible cause for the lack of compliance is that only 10% of companies have deployed an automated CCPA DSAR management solution. In addition, 95% are using error-prone and time-consuming manual processes like email and web forms to meet their GDPR DSAR requirements.

This is the second quarterly report of its type issued by Cytrio. And it shows both improvement and minor backsliding. 

For instance, 11% had automated their DSAR processes; as indicated above, that percentage has since dropped by a point.

And, while California, New York and Texas remain the most compliant states, the companies from those locales now make up only 25% of the total, versus 31% in the January report. The explanation? Other states are catching up.

Meanwhile, B2B and B2C companies are equally sluggish in getting ready, whereas larger firms are faster to automate.

The most compliant verticals, comprising 54% of the total sample, are Business Services, Retail, and Finance.

Cytrio studied 5,175 U.S. companies with revenues of $25 million to $5 billion for its January report. For this increment, it looked at an additional 1,570, for a total of 6,745 to date.

Basani concludes that “first generation privacy rights management solutions have not gained wide adoption due to cost and deployment complexity, resulting in a high percentage of CCPA non-compliance.”
