Companies woefully unprepared for CCPA compliance

Only 11% of companies are able to fully meet CCPA requirements, especially when managing Data Subject Access Requests (DSARs), according to a CYTRIO research.

The research also showed a disconnect in compliance with 44% of companies not providing any mechanism for consumers to exercise their data rights despite stating they needed to comply with CCPA in their privacy policies.

“The findings of our research show that companies are woefully unprepared for CCPA compliance, especially when it comes to enabling and responding to consumers’ data privacy rights,” said Vijay Basani, CEO of CYTRIO.

“An overwhelming majority are manually responding to data requests with only a small number implementing DSAR management automation solutions. The reliance on manual processes exposes them to high DSAR compliance costs, long response times, errors that will erode consumer trust, and non-compliance actions by the California Privacy Protection Agency (CPPA).”

The research found that less than 11% of companies use DSAR management automation solutions. 45% of the companies relied on inefficient and costly manual processes such as email and web forms for submitting and responding to data requests.

California companies not meeting CCPA requirements

California companies were not doing any better than their peers in other U.S. states, even though CCPA is a California regulation that gives its citizens’ control over their personal information. Only 15.6% of companies in California had a DSAR management automation solution, and 59.3% of California companies used manual processes, higher than any other state. New Hampshire companies led their peers from other states with 23.5% having DSAR automation management solutions.

There were significant differences across industry verticals. Consumer services, media and internet, and hospitality — industries that collect substantial amounts of consumer personal information — were more likely to deploy a DSAR management automation solution.

In comparison, highly-regulated industries, including healthcare, financial services, and insurance lagged in commercial solution deployment. However, healthcare companies did provide a manual process for consumers to exercise their rights. Legal was another industry that relied heavily on manual processes.

“Overall, the survey results show that more needs to be done for CCPA compliance, and many lack the right resources and tools to meet the requirements,” said Darshan Joshi, CTO at CYTRIO. “The prevalent reliance on manual processes and the inability to address DSAR may increase the risks of a company’s operations and shows we have more work to do in building awareness.”

Other key findings

• Although B2C companies collect more consumer data, there was no statistically significant difference in the number deploying DSAR management automation solutions when compared with B2B companies (11.3% for B2C vs. 10.3% for B2B).
• Large companies (with more than 10,000 workers) were more likely to have a commercial DSAR management automation solution. Over 60% did so with the increasing number of DSARs and streamlining related costs as potential reasons.
• There is a strong correlation between revenue and deploying a DSAR management automation solution. High revenue earners (companies with over $100 million) were more likely to have an automated solution, with companies over $5 billion in revenues especially eager.