Data regulations and privacy laws will be in vain if users and organizations do not obey them. Recent research from Cytrio, a data privacy compliance company, revealed that only 11% of organizations fully meet California Consumer Privacy Act (CCPA) requirements, especially when managing Data Subject Access Requests (DSARs). The remaining 89% of companies are either non-compliant or somewhat compliant.
The research report, State of CCPA Compliance: Q1 2022, found that 44% of organizations did not provide any mechanism for consumers to exercise their data rights, putting themselves out of compliance. Most organizations failed to implement CCPA regulations despite stating they needed to comply.
What Is the California Consumer Privacy Act?
The California Consumer Privacy Act (CCPA) was passed in 2018 and took effect on January 1, 2020. The Act gives California citizens data and privacy rights regarding how organizations use their data. Under the CCPA, users have the right to:
- Know what personal information is being collected.
- Know whether their data is being traded.
- Say “No” to the sale of their information.
- Request an organization to delete their sensitive data.
- Not be victimized for exercising their privacy rights.
Organizations that fail to comply with the CCPA may face a penalty ranging from $2,500 to $7,500, based on the data violation type.
Companies Not Compliant with the CCPA
The research found that 45% relied on inefficient and costly manual processes such as email and web forms for submitting and responding to data requests. Less than 11% of companies use DSAR management automation solutions. Only 15.6% of companies in California had a DSAR management automation solution, and 59.3% of them used manual processes.
The research surveyed over 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion.
“The findings of our research show that companies are woefully unprepared for CCPA compliance, especially when it comes to enabling and responding to consumers’ data privacy rights. An overwhelming majority manually responds to data requests, with only a small number implementing DSAR management automation solutions. The reliance on manual processes exposes them to high DSAR compliance costs, long response times, errors that will erode consumer trust, and non-compliance actions by the California Privacy Protection Agency (CPPA),” said Vijay Basani, founder and CEO of CYTRIO.
Other Key Findings:
- Although B2C companies collect more consumer data, there was no statistically significant difference in the number deploying DSAR management automation solutions compared with B2B companies (11.3% for B2C vs. 10.3% for B2B).
- Large companies (with more than 10,000 workers) were more likely to have a commercial DSAR management automation solution. Over 60% did so, with the increasing number of DSARs and the streamlining of related costs as potential reasons.
- Highly regulated industries, including health care, financial services, and insurance, lagged in commercial solution deployment.
- There is a strong correlation between revenue and deploying a DSAR management automation solution. High revenue earners (companies over $100 million) were more likely to have an automated solution, with companies over $5 billion in revenues especially eager.
“Overall, the survey results show that more needs to be done for CCPA compliance, and many lack the right resources and tools to meet the requirements. The prevalent reliance on manual processes and the inability to address DSAR may increase the risks of a company’s operations and shows we have more work to do in building awareness,” said Darshan Joshi, Chief Technology Officer at CYTRIO.