Latest State of CCPA and GDPR Compliance Report Confirms Data Privacy Unpreparedness
Although strict CCPA/CPRA obligations begin January 1, CYTRIO’s new research reveals 92 percent of companies are still not compliant with CCPA, while 91 percent remain out of compliance with GDPR.
Note: TDWI’s editors carefully choose press releases related to the data and analytics industry. We have edited and/or condensed this release to highlight key information but make no claims as to its accuracy.
CYTRIO, a next-generation data privacy compliance company, released the findings of its latest research from Q3 2022 related to companies’ readiness to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). The fourth research report on the state of CCPA and GDPR data rights compliance confirms that as of September 30, 2022, 92 percent of companies are still unprepared for CCPA and CPRA and 91 percent are unprepared for GDPR. The stricter and enhanced CCPA/CPRA becomes fully enforceable on January 1, 2023 and includes employees’ rights to their personal data.
“Companies should be aware of numerous changes coming in the more expansive CPRA that goes into effect on January 1, 2023, including employees’ right to exercise data privacy, requiring companies to deploy an effective and scalable CCPA/CPRA and GDPR compliance management solution,” said Vijay Basani, founder and CEO of CYTRIO. “Further, as the new California Privacy Protection Agency (CPPA) takes on the CPRA enforcement role starting January 1 with a 12-month lookback window, there will be an increase in enforcement resources resulting in CPRA penalties. This fourth installment of research conducted by CYTRIO in Q3 confirms that companies are not prepared.”
During Q3 2022, CYTRIO researched 1,557 U.S. companies with revenues from $25 million to $5 billion or more, bringing the total number of companies researched to 9,827 over the last year. Of the companies researched in Q3, 52 percent stated they need to comply with CCPA but do not provide a mechanism for consumers to exercise their data privacy rights; 39 percent of companies are using expensive and error-prone manual processes. By comparison, Q2 research indicated that as of June 30, 2022, 91 percent of companies that must comply with CCPA were still not prepared to meet those compliance requirements, and 94 percent of companies that must comply with GDPR were ill prepared.
The Q3 research shows slow improvements, including across verticals where the two most compliant industries -- business services and retail -- remained the same from the end of Q2 2022 to the end of Q3 2022. In Q3, hospitality made its way to the top three, pushing out finance. The top three most compliant verticals made up 56 percent of the companies researched.
CYTRIO also observed slow movement in other areas:
- Only 8.2 percent of the companies in the Q3 cohort are using a data subject access request (DSAR) management automation solution, compared with 8.9 percent in Q2.
- One in five companies (21 percent) stated they need to comply with both CCPA and GDPR, consistent with Q2 2022. Of these, approximately 9 percent are using privacy rights management automation solutions and 91 percent are using manual processes.
- Just 3.5 percent of companies in the manual compliance Q2 2022 cohort moved to automation in Q3.
- Of the companies in the noncompliant Q2 2022 cohort, 9 percent moved to the manual compliance cohort in Q3.
Q3 2022 saw the first enforcement action under CCPA with Sephora being fined $1.2 million for selling consumers’ personal information to online tracking companies without their consent. GDPR continues to be actively enforced with fines totaling in excess of $2.4 billion as of September 2022 and the total number of fines reaching 1,304.
To access the full findings of CYTRIO’s most recent data privacy research, go to https://cytrio.com/ccpa-research-report-q3-2022/. (Business email required for access.)
To view an infographic summarizing the research findings, visit https://cytrio.com/wp-content/uploads/2022/12/infographic-q3-2022.png
For a video summary of the findings, visit https://cytrio.com/videos/ccpa-gdpr-compliance-report-q3/.