Even though the European Union’s General Data Protection Regulation (GDPR) went into effect four years ago and a hundred other countries have adopted stringent data privacy laws, the U.S. is lagging behind without a federal data privacy rights regulation. California has taken the lead at the state level, the first to adopt the California Consumer Privacy Act (CCPA) in 2018, with Virginia and Colorado following. Currently, more than 20 states have multiple consumer privacy legislation pending. Yet, U.S. businesses are not ready.
My company recently released findings from additional research it conducted during the first quarter of 2022 on the state of companies’ readiness to comply with CCPA, California Privacy Rights Act (CPRA), and GDPR. In the largest study of its kind, we first researched 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion in the last quarter of 2021, then looked at another 1,570 companies from January to March 2022 for CCPA and GDPR Data Subject Access Request (DSAR) compliance, bringing the total to 6,745.
The research looked at many readiness factors, including the review of a company’s data privacy policy and mechanisms provided when CCPA and GDPR guidance was mentioned in the privacy policy, among other available information. Troublingly, many companies stated in their privacy policies that they needed to comply with CCPA but didn’t provide a mechanism for consumers to exercise their rights.
Findings uncovered that 90% of companies are not fully compliant with CCPA and CPRA DSAR requirements, and 95% of companies are using error-prone and time-consuming manual processes for GDPR DSAR requirements. DSARs, requests by a consumer to an organization that they are allowed to make under the law – such as right to erasure, right to not sell, and right to correct – regarding the personal data the organization is holding about them are increasing at a steady pace. To be in compliance with CCPA’s right to access or right to delete, companies need to respond within 45 days of the request being submitted. For GDPR, the response time is 30 days.
Last year, on average, companies saw almost twice the number of requests under CCPA compared to 2020, as consumers are increasingly becoming more aware of their rights and the risks associated with widespread data breaches. DSARs coming from data aggregators are also increasing in frequency and volume.
The study further indicated that B2B and B2C companies of all sizes are equally and poorly unprepared for CCPA compliance, and B2B and B2C companies are also unprepared for GDPR compliance, despite the regulation going into effect in 2018 with stiff fines totaling $1.8 billion as of March 2022.
From Q4 2021 to Q1 2022, the top three most compliant verticals remained the same with business services, retail, and finance making up 54% of the companies researched. While the top three most compliant states – California, New York, and Texas – remained the same, the total number of companies from those states as a percentage of total companies decreased from 31% to 25%, indicating other states are catching up.
Most concerning, only 10% of the companies researched have deployed a CCPA DSAR automated management solution. In a recent online poll, when asked what was holding them back from deploying an automated privacy rights management solution, 63% of respondents said cost was the number one reason, followed by deployment complexity at 22%. Clearly, the cost and complexity associated with first-generation privacy rights management solutions have impeded widespread adoption.
This problem will only become more prevalent as CPPA rolls out active CPRA enforcement in 2023 with a stringent 12-month lookback window, which started on January 1, 2022. Further, as U.S. states continue to approve data privacy regulations, the challenges for companies doing business in a variety of states in the U.S. will increase with having to comply with each individual regulation.
Enterprises should not wait for a particular state to adopt a regulation, but rather start today by complying with the most extensive regulation. This approach will be substantially less expensive for companies trying to comply with 50 individual states.