4th State of CCPA and GDPR Compliance Report Confirms Data Privacy Unpreparedness as Strict CCPA/CPRA Obligations Begin January 1

CYTRIO’s new research reveals 92% of companies are still not compliant with CCPA, while 91% remain uncompliant with GDPR

BOSTON — Dec. 6, 2022 — CYTRIO, a next-generation data privacy compliance company, released the findings of its latest research from Q3 2022 related to companies’ readiness to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). The fourth research report on the state of CCPA and GDPR data rights compliance confirms that as of September 30, 2022, 92% of companies are still unprepared for CCPA and CPRA and 91% are unprepared for GDPR. The stricter and enhanced CCPA/CPRA becomes fully enforceable on January 1, 2023 and includes employees’ rights to their personal data.

“Companies should be aware of numerous changes coming in the more expansive CPRA that goes into effect on January 1, 2023, including employees’ right to exercise data privacy, requiring companies to deploy an effective and scalable CCPA/CPRA and GDPR compliance management solution,” said Vijay Basani, founder and CEO of CYTRIO. “Further, as the new California Privacy Protection Agency (CPPA) takes on the CPRA enforcement role starting January 1 with a 12-month lookback window, there will be an increase in enforcement resources resulting in CPRA penalties. This fourth installment of research conducted by CYTRIO in Q3 confirms that companies are not prepared.”

During Q3 2022, CYTRIO researched 1,557 U.S. mid to large companies with revenues from $25 million to $5+ billion, bringing the total number of companies researched to 9,827 over the last year. Of the companies researched in Q3, 52% stated they need to comply with CCPA but do not provide a mechanism for consumers to exercise their data privacy rights, while 39% of companies are using expensive and error prone manual processes. Comparatively, Q2 research indicated that as of June 30, 2022, 91% of companies that must comply with CCPA were still not prepared to meet those compliance requirements, and 94% of companies that must comply with GDPR were ill prepared.

The Q3 research shows slow improvements, including across verticals where the two most compliant industries – Business Services and Retail – remained the same from the end of Q2 2022 to the end of Q3 2022. In Q3, Hospitality made its way to the top three, pushing out Finance. The top three most compliant verticals made up 56% of the companies researched.

CYTRIO also observed slow movement in other areas:

  • Only 8.2% of the companies in the Q3 cohort are using a Data Subject Access Request (DSAR) management automation solution, compared with 8.9% in Q2.
  • 21% of the companies stated they need to comply with both CCPA and GDPR, consistent with Q2 2022. Of these, approximately 9% are using privacy rights management automation solutions and 91% are using manual processes.
  • 5% of companies in the manual compliance Q2 2022 cohort moved to automation in Q3.
  • 9% of companies in the non-compliant Q2 2022 cohort moved to the manual compliance cohort in Q3.


Q3 2022 saw the first enforcement action under CCPA with Sephora being fined $1.2 million for selling consumers’ personal information to online tracking companies without their consent. GDPR continues to be actively enforced with fines totaling in excess of $2.4 billion as of September 2022 and the total number of fines reaching 1,304.

CTYRIO is now a Statista Data Partner. Through the partnership, Statista has been using and sharing CYTRIO’s research data for CCPA and GDPR readiness. With more than one million statistics, Statista is one of the world’s leading data platforms for strategic market analysis, statistics, and editorial research results. Statista.com offers direct access to data on 80,000 topics and 170 industries from over 22,500 sources. 2.5 million registered users get access to reliable, quantitative facts, which are compiled according to scientific standards from aggregated data, exclusive secondary sources and own surveys.

To view an infographic summarizing the research findings, visit:

For a video summary of the findings, visit:

To access the full findings of CYTRIO’s most recent data privacy research, go to:


CYTRIO’s software-as-a-service (SaaS) data privacy compliance management platform helps organizations comply with data privacy regulations such as GDPR, CCPA, CPRA, VCDPA, CPA, and others. The company offers an all-in-one solution built on automation, AI-led data discovery, and automated response workflows. CYTRIO’s solutions are simple to deploy, deliver value in the first hour, and do not require dedicated privacy teams to manage. Learn more at www.cytrio.com and follow on LinkedIn and Twitter.

Tracy Wemett

All trademarks recognized.

Before you leave why don't you grab your Free Cookie Report