IT Brief New Zealand - Technology news for CIOs & IT decision-makers

Massive state of unpreparedness for CCPA compliance exposed

Wed, 2nd Feb 2022

Only 11% of companies can fully meet California Consumer Privacy Act (CCPA) requirements, especially when managing Data Subject Access Requests (DSARs), new research from CYTRIO has revealed.

CYTRIO, a data privacy compliance company, released the findings from its inaugural State of CCPA Compliance: Q1 2022 research results as of December 31, 2021.

The research showed a disconnect in compliance, with 44% of companies not providing any mechanism for consumers to exercise their data rights despite stating they needed to comply with CCPA in their privacy policies.

"The findings of our research show that companies are woefully unprepared for CCPA compliance, especially when it comes to enabling and responding to consumers' data privacy rights," says CYTRIO founder and CEO, Vijay Basani.

"An overwhelming majority are manually responding to data requests, with only a small number implementing DSAR management automation solutions. The reliance on manual processes exposes them to high DSAR compliance costs, long response times, errors that will erode consumer trust, and non-compliance actions by the California Privacy Protection Agency (CPPA)," he says.

CYTRIO's State of CCPA Compliance: Q1 2022 report is the largest of its kind, studying 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion. CYTRIO conducted the study over six months to create the baseline research and plans to update it every quarter.

The research found that less than 11% of companies use DSAR management automation solutions. Nearly half of the companies (45%) relied on inefficient and costly manual processes such as email and web forms for submitting and responding to data requests.

According to the research, California companies were not doing any better than their peers in other U.S. states, even though CCPA is a California regulation that gives its citizens control over their personal information. Only 15.6% of companies in California had a DSAR management automation solution, and nearly two-thirds of California companies (59.3%) used manual processes, higher than any other state. New Hampshire companies led their peers from other states, with 23.5% having DSAR automation management solutions.

There were significant differences across industry verticals. Consumer services, media and internet, and hospitality industries that collect substantial amounts of consumer personal information were more likely to deploy a DSAR management automation solution.

In comparison, highly-regulated industries, including healthcare, financial services, and insurance, lagged in commercial solution deployment. However, healthcare companies did provide a manual process for consumers to exercise their rights. Legal was another industry that relied heavily on manual processes.

Other key findings:

  • Although B2C companies collect more consumer data, there was no statistically significant difference in the number deploying DSAR management automation solutions when compared with B2B companies (11.3% for B2C vs. 10.3% for B2B).
  • Large companies (with more than 10,000 workers) were more likely to have a commercial DSAR management automation solution. Over 60% did so, with the increasing number of DSARs and streamlining related costs as potential reasons.
  • There is a strong correlation between revenue and deploying a DSAR management automation solution. High revenue earners (companies with over $100 million) were more likely to have an automated solution, with companies over $5 billion in revenues especially eager.

"Overall, the results show that more needs to be done for CCPA compliance, and many lack the right resources and tools to meet the requirements," says Darshan Joshi, chief technology officer at CYTRIO.

"The prevalent reliance on manual processes and the inability to address DSAR may increase the risks of a company's operations and shows we have more work to do in building awareness."
