Commentary

Privacy Scofflaws: Few Firms Are Complying With CCPA And GDPR

We are literally weeks away from implementation of the California Privacy Rights Act (CPRA), a tough new law. And the California Privacy Act (CCPA) and GDPR are already online.

But few firms are prepared for any of these, judging by a study titled 4th State of CCPA & GDPR Privacy Rights Compliance Research Report, by Cytrio.  

A staggering 92% are unprepared for CCPA, and by extension CPRA — that is, they lack automated systems for handling Data Subject Access Requests (DSARs) from consumers.

Of the companies polled, only 8.2% are compliant with CCPA in that way, while 39.46% are attempting manual compliance and 52.34% are non-compliant.  

These are Q3 numbers. The percentage of the firms that are fully compliant is down from 8.83% in Q2.

Moving overseas, 91% of firms that must comply with GDPR are unprepared. They are using error-prone manual processes to handle DSARs. A total of 21% must comply with both CCPA and GDPR.

B2C companies are better prepared overall—9.53% of companies are using an automation solution vs. 7.13% of B2B brands. Of the latter, 55.32% lack a mechanism for handling DSARs, versus 48.04% of those in B2C.

The gap between the two is even more obvious when it comes to GDPR: 8.45% of B2C firms are using automation, compared to 6.18% on the B2B side. 

Not surprisingly, compliance is highest among companies in California (the state enacting CCPA and CPRA), followed by New York and Texas: 31.94% of the affected companies are from those three states.

Of course, it may not be fair to say over 90% of firms are non-compliant when many are at least using manual tools: The willingness is there. But manual systems are expensive and error-prone. And this still means that over half are non-compliant—by itself a shocking number.

As the study puts it mildly, “companies are moving slowly up the CCPA/GDPR compliance maturity curve.”

Here’s the danger: “Lack of CCPA/CPRA enforcement and low numbers of DSAR requests are the #1 drivers for the slow adoption of automation solutions,” the study concludes. “With CPPA finalizing CPRA text and moving to taking on a more active CPRA enforcement role, we expect this to change meaningfully in 2023.”

Cytrio surveyed 1,557 companies in Q3. The company has polled 9,827 firms in the research series. 

 
