By using website you agree to our use of cookies as described in our cookie policy. Learn More


Most Companies Unprepared for CCPA Compliance Says New CYTRIO Research

CYTRIO’s data privacy research shows CCPA non-compliance from Q4 2021 continues into Q1 2022 despite impending enforcement.

Note: TDWI’s editors carefully choose press releases related to the data and analytics industry. We have edited and/or condensed this release to highlight key information but make no claims as to its accuracy.

CYTRIO, a next-generation data privacy rights management company, released findings from additional independent research it conducted during the first quarter of 2022 on the state of companies’ readiness to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). As of March 31, 2022, findings included that 90 percent of companies are not fully compliant with CCPA and CPRA Data Subject Access Request (DSAR) requirements. Further, 95 percent of companies are using error-prone and time-consuming manual processes for GDPR DSAR requirements.

“Our continuous research confirms that first-generation privacy rights management solutions have not gained wide adoption due to cost and deployment complexity, resulting in a high percentage of CCPA noncompliance,” said Vijay Basani, founder and CEO of CYTRIO. “This problem will become more pronounced as CPRA enforcement takes effect in 2023 with the stringent 12-month lookback.”

CYTRIO released its inaugural State of CCPA Compliance research results in January, the largest of its kind, studying 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion. The findings showed that only 11 percent of companies were fully meeting CCPA requirements, while 89 percent of companies were either non-compliant or somewhat compliant. From January to March, CYTRIO researched an additional 1,570 companies for CCPA and GDPR DSAR compliance, bringing the total to 6,745 companies to date.

This most recent research shows only 10 percent of companies have deployed an automated CCPA DSAR management solution. Additionally, B2B and B2C companies of all sizes are equally unprepared for CCPA compliance, and B2B and B2C companies are also woefully unprepared for GDPR compliance, despite the regulation going into effect in May 2018 and $1.8 billion in fines being levied as of March 2022.

From Q4 2021 to Q1 2022, the top three most compliant verticals remained the same with business services, retail, and finance making up 54 percent of the companies researched. Although the top three most-compliant states (California, New York, and Texas) remained the same, the total number of companies from those states as a percentage of total companies decreased from 31 percent to 25 percent, indicating other states seem to be catching up.

Last month, Utah passed the Utah Consumer Privacy Act, moving closer to becoming the fourth state to enact privacy legislation in the U.S., behind California, Colorado, and Virginia. Currently, 22 states (including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey) have consumer privacy legislation pending.

A key observation in this research was that DSARs coming from data aggregators are increasing in frequency and volume, with the majority of requests being Right to Delete (Erasure). To be in compliance, companies must respond to these requests in a timely manner.

To view the infographic, visit

To access the full findings of CYTRIO’s most recent data privacy research (email address required), go to

TDWI Membership

Get immediate access to training discounts, video library, research, and more.

Find the right level of Membership for you.