Privacy Scofflaws: Few Firms Are Complying With CCPA And GDPR

We are literally weeks away from implementation of the California Privacy Rights Act (CPRA), a tough new law. And the California Privacy Act (CCPA) and GDPR are already online.

But few firms are prepared for any of these, judging by a study titled 4th State of CCPA & GDPR Privacy Rights Compliance Research Report, by Cytrio.  

A staggering 92% are unprepared for CCPA, and by extension CPRA — that is, they lack automated systems for handling Data Subject Access requests (DSARs) from consumers. 

Of the companies polled, only 8.2% are compliant with CCPA in that way, while 39.46% are attempting manual compliance and 52.34% are non-compliant.  

These are Q3 numbers. The percentage of the firms that are fully compliant is down from 8.83% in Q2.

Moving overseas, 91% of firms that must comply with GDPR are unprepared. They are using error-prone manual processes to handle DSARs. A total of 21% must comply with both CCPA and GDPR  



B2C companies are better prepared overall—9.53% of companies are using automation solution vs. 7.13% of B2B brands. Of the latter, 55.32% lack a mechanism for handling DSARs, versus 48.04 of those in B2C. 

The gap between the two is even more obvious when it comes to GDPR: 8.45% of B2C firms are using automation, compared to 6.18% on the B2B side. 

Not suprisingly, compliance is highest among companies in California  (the state enacting CCPA and CPRA, followed by New York and Texas: 31.94% of the affected companies are from those three states.  

Of course, it may not be fair to say over 90% of firms are non- compliant when many are at least using manual tools: The willingness is there. But manual systems are expensive and error-prone. And this still means that over half are non-compliant—by itself a shocking number. 

As the study puts it mildly, “companies are moving slowly up the CCPA/GDPR compliance maturity curve.”

Here’s the danger: “Lack of CCPA/CPRA enforcement and low numbers of DSAR requests are the #1 drivers for the slow adoption of automation solutions,” the study concludes. “With CPPA finalizing CPRA text and moving to taking on a more active CPRA enforcement role, we expect this to change meaningfully in 2023.”

Cytrio surveyed 1,557 companies in Q3. The company has polled 9,827 firms in the research series. 


Next story loading loading..