More than 90 per cent of US companies unprepared for CCPA, CPRA and GDPR – report

David Murphy

As of 31 December 2022, 92 per cent of companies across all verticals, states, and business sizes were still unprepared for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), and 91 per cent were unprepared for the European Union’s General Data Protection Regulation (GDPR).

These are the key findings from data privacy compliance firm Cytrio's latest study, from Q4 2022, looking at companies’ preparedness to comply with the regulations. CPRA and employees’ rights to exercise data privacy went into effect on January 1, 2023, requiring companies to deploy a CCPA/CPRA and GDPR compliance management solution to avoid fines and penalties.

“The requirements that companies are facing today related to data privacy regulations are steadily increasing,” said Cytrio CEO and Founder, Vijay Basani. “As the California Privacy Protection Agency (CPPA) turns its attention to CPRA enforcement, we will see a significant increase in enforcement actions. Additionally, as was the case with GDPR, media coverage of increasingly higher numbers of enforcement actions will educate consumers regarding their data privacy rights, resulting in consumer requests under CPRA. Companies need to act now to implement solutions to comply with CCPA, GDPR, and other data privacy regulations.”

Cytrio notes that GDPR continues to be actively enforced, with fines to date totalling in excess of $2.5bn and the total number of fines under GDPR reaching 1,462 as of the end of Q4 2022.

The study found that 53.2 per cent of companies said they need to comply with CCPA, but do not provide a mechanism for consumers to exercise their data privacy rights. In addition, 38.6 per cent of companies are using manual processes. Four per cent of companies that were using manual processes in Q1 2022 moved to compliance automation solutions, while 11 per cent of non-compliant companies moved to a manual process to comply with CCPA by Q4 2022, indicating that companies are slowly moving up the CCPA/GDPR compliance maturity curve.

During Q4 2022, Cytrio researched an additional 1,521 US mid-to-large companies with revenues from $25m to over $5bn, bringing the total number of companies researched to 11,358 over five quarters. Cytrio continued looking for trends among companies that were either non-compliant or partially compliant by comparing their compliance status to previous quarters.

This year, data privacy regulations go into effect in Virginia, Colorado, Utah, and Connecticut, while several other states are expected to approve a data privacy regulation.

After Q3 2022 saw the first enforcement action under CCPA with Sephora fined $1.2m for violating the ‘Do Not Sell My Information’ provision, last month, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and others that fail to comply with CCPA.

You can see an infographic summarizing the research findings here. And you can download the report here.