Data Privacy Compliance Report Shows Slow, Positive Movement 

Five years have passed since the California Consumer Privacy Act (CCPA) went into effect, and companies across the U.S. are still struggling with compliance. According to a new report on the state of CCPA and CPRA data privacy compliance by CYTRIO, just 13% of non-compliant companies in the first quarter of 2022 moved to manual compliance status by the second quarter of 2023, despite stringent CPRA enforcement that began this past July.

CYTRIO researchers also discovered that 6% of companies that were using manual processes in 2022 moved to compliance automation solutions by 2023, and 12% of B2C companies moved from non-compliant to manual compliance in the past year.

While the lack of active enforcement in the data privacy space appears to be resulting in slow movement toward compliance, CYTRIO CEO Vijay Basani says more changes are coming that could have a major impact. For example, in just the past year, California employers were finally required to comply with CPRA employee privacy provisions. With employees now having the right to exercise data privacy, and enforcement beginning just last month, it’s almost certain that more companies will begin deploying effective solutions to stay in compliance.

“While the lack of active enforcement in the data privacy space seems to be resulting in slow movement toward compliance, our research shows that companies have in fact moved up the CCPA/CPRA compliance maturity curve from Q1 2022 to Q2 2023,” Basani says.

To put together their report, CYTRIO researchers examined 600 mid to large-size companies with revenue from $25 million to $5+ billion, specifically looking at how well companies had improved their preparedness over the last five quarters for meeting CCPA and CPRA compliance requirements related to Data Subject Access Requests (DSAR).

Among the biggest differences Basani noticed in the sixth edition of the report was that a substantial portion of the companies in the non-compliant cohort in 2022 (14.67%) had implemented either automated or manual compliance solutions by the time this year’s analysis was conducted in 2023. Of that group, 90% implemented a manual compliance process, while 10% implemented an automated compliance solution. 

“Manual compliance approach includes providing a DSAR intake portal, with a manual process to respond to a data request, a telephone number to call, [or] an email, such as [email protected],” Basani says. “This ‘walk before you run’ approach that most companies are taking can be explained due to slow compliance enforcement, lack of consumer awareness and education on data rights resulting in low number of DSAR requests from consumers, and tightening IT budgets.”

Implementing tools and processes can also help companies comply with core essential regulatory requirements.

“These include deploying a legally compliant consent and preference management solution, an appropriate privacy policy, a cookie usage policy, consent and others, providing an easy method for consumers to exercise their data privacy rights by embedding tools such as DSAR Intake Portal, [a] privacy email or telephone; and where applicable, allowing consumers to submit Do Not Sell My Information requests, and honoring consumer requests for privacy,” Basani says.

California’s Attorney General Rob Bonta made headlines back in 2021 when he launched the Consumer Privacy Interactive Tool to make it easier for consumers to send notice of non-compliance to companies that failed to post easy-to-find Do Not Sell My Information links on their websites. 

Basani says there are plans to expand the Consumer Privacy Interactive Tool to cover other consumer rights under CCPA and CPRA, and that could become another major factor in next year’s edition of CYTRIO’s data privacy report.

“Without active enforcement, no amount of regulation will result in correct behavioral change. As well, a very small percentage of companies will adhere to a regulation voluntarily without active enforcement,” Basani says. “It is also important for agencies to not only enforce violations among large companies — yes, they get attention in the press — but they should hold companies of all sizes accountable. Until then, the privacy rights for consumers will continue to be jeopardized.”

Stephanie Miles is a journalist who covers personal finance, technology, and real estate. As Street Fight’s senior editor, she is particularly interested in how local merchants and national brands are utilizing hyperlocal technology to reach consumers. She has written for FHM, the Daily News, Working World, Gawker, Cityfile, and Recessionwire.