4 Reasons Why Only 11% of Companies Are Fully Compliant with CCPA

Let’s take a look at the results of Cytrio’s inaugural State of CCPA Compliance: Q1 2022 research, the largest study of its kind. Cytrio recently researched 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion and released the findings in the State of CCPA Compliance: Q1 2022 report.

The California Consumer Privacy Act (CCPA) went into effect in January 2020, giving California consumers who engage with businesses specific rights, including the ability to request how their private data is used. CCPA helps ensure companies protect consumers’ personal information from misuse. The landmark law has set the stage for additional regulation, including the California Privacy Rights Act (CPRA), which goes into effect on January 1, 2023.

The data revealed that only 11% of companies are currently able to fully meet CCPA requirements, especially when managing Data Subject Access Requests (DSARs). There are four reasons for this.

1. CCPA is a complex regulation to decipher and implement

CCPA is a complex regulation that applies to any company 1) over $25 million in revenue that is conducting business in California, 2) generating more than 50% of revenue through the sale of personal information, or 3) collecting more than 50,000 pieces of information from California citizens. Keeping track of the regulation’s requirements and associated changes is a complex task for companies.

Most large companies researched have implemented an automated privacy rights management solution to handle the large volume of data requests they are receiving from consumers. However, according to Gartner, many organizations are not capable of promptly responding to data requests. It often takes several weeks to respond to a single request if handled manually, and the average cost is $1,400 per request. This means a company receiving 100 requests per month incurs $140,000 in costs each month if it chooses to respond to data requests manually.

About 60% of companies with 10,000+ employees researched have deployed an automated data rights management solution to avoid these high costs.

2. Companies are in a holding pattern

CPRA was approved last year, just 11 months after CCPA went into effect. CPRA brought additional changes to CCPA, including additional rights for consumers, but does not take effect until January 2023. CPRA created the California Privacy Protection Agency (CPPA), which has enforcement responsibility. CPPA will have 200 CPRA enforcers when fully staffed. By comparison, CCPA was not actively enforced due to staffing shortages in the California Attorney General’s office, which slowed the prosecution of CCPA violators.

Because of the slow pace of enforcement, many companies slowed the process of implementing CCPA/CPRA compliance solutions. Some companies implemented a difficult-to-use manual process with email or web forms to enable consumers to exercise their rights under CCPA. However, 44% of companies that will need to comply did not deploy any solution at all – automated or manual.

3. Many companies aren’t seeing large numbers of data requests – yet

Some companies are using manual processes to address DSAR compliance, and one reason is that they aren’t yet seeing a lot of data requests. However, data requests will increase severalfold as consumers become more aware of their data privacy rights from continued data breaches and fines associated with non-compliance. Under GDPR, it took almost two years before the first set of fines was announced, and there has been a massive increase in the number of fines over the last two years. In 2021, total fines imposed under GDPR hit more than $1.2 billion.

4. First-generation data rights management solutions are complex, costly, and difficult to deploy

First-generation CCPA privacy rights management automation solutions are complex and cumbersome to deploy. In fact, according to G2, the average reported implementation time for data privacy management software is three months; the longest implementation is reported at just over five months. This has contributed to a low adoption rate. However, as next-generation solutions become available that are less complex and easier and faster to deploy, like Cytrio’s privacy rights management, adoption will certainly increase.

Access the full CCPA Compliance: Q1 2022 report here.

Vijay Basani is founder and Chief Executive Officer at Cytrio. Vijay is a serial entrepreneur with a track record of building successful businesses delivering enterprise-class solutions.