A new research report says the vast majority of companies are not prepared to comply with the California Consumer Privacy Act, with nearly 90 percent of businesses either fumbling along with manual processes or just not in compliance at all.
So says Cytrio, a privacy compliance software vendor that published the report on Wednesday, after studying the privacy practices at more than 5,100 U.S. companies with revenues ranging from $25 million to more than $5 billion. Cytrio found that only 11 percent of companies can fully meet CCPA compliance, especially when trying to manage “data subject access requests” (DSARs) from consumers who want to know what information a company has collected about them.
Cytrio also found that 44 percent of companies provided no mechanism for consumers to exercise their data rights, despite those companies saying in their privacy policies that they needed to comply with the CCPA.
“The findings of our research show that companies are woefully unprepared for CCPA compliance, especially when it comes to enabling and responding to consumers’ data privacy rights,” said Vijay Basani, founder and CEO of Cytrio. “An overwhelming majority are manually responding to data requests with only a small number implementing DSAR management automation solutions.”
Obviously we need to beware that Cytrio sells privacy compliance solutions, and therefore has a vested interest in raising alarms about the precarious state of privacy compliance. Still, the report’s broad conclusion — that lots of companies aren’t ready to address the California Consumer Privacy Act — feels right to me. Plus, the specific issues raised in the report can generate plenty of “Oh crap, do we have this under control here?” conversations with you and your team.
Why is this report useful now? Because while the state attorney general won’t start enforcing California’s consumer privacy laws until 2023, the AG’s office will measure a company’s compliance as of Jan. 1, 2022 — so you should already be in position to comply with the CCPA since the start of this year. Which, according to Cytrio, most companies are not.
Privacy Shortcomings by the Numbers
Cytrio did find that several industries generally had more mature CCPA compliance capabilities than others. Typically those industries were consumer facing, where they’d be more likely to encounter people asking about privacy; or they were in sectors such as law or software, where presumably they had a better understanding of how to implement privacy solutions. Figure 1, below, tells the tale.
Another finding was that larger firms (with $100 million or more in annual revenue) were generally better prepared for CCPA compliance than smaller firms (those with less than $100 million in annual revenue). That should surprise nobody, but I was intrigued to see that slightly more small firms at least had manual processes — although no small firms had moved to any automated solutions, where roughly 10.6 percent of larger firms had.
Cytrio also examined CCPA compliance preparedness by state. In California itself, only 15.6 percent of companies had adopted a fully automated compliance solution, which put the Golden State in the middle of the pack. The state with the best CCPA compliance posture was New Hampshire (wha?), with 25.3 percent of companies using automated solutions. Worst were Alaska, Arkansas, Idaho, Montana, New Mexico, South Dakota, and West Virginia, all of them without any firms adopting automated compliance yet.
The DSARs Process
The CCPA requires any covered business to reply to consumers’ data subject access requests (DSARs) within 45 days. Its provisions specify that when an individual — a consumer, employee, or anyone else — submits a verified access request, the company must disclose:
- The categories of personal information collected about the individual;
- The purpose the business has for collecting the data;
- The categories of third parties with which the business is sharing the person’s data;
- The sources from which the business collected the personal data, if the business didn’t collect the data directly; and
- The actual personal data the business has collected.
The tricky part is that a large business might easily have dozens or hundreds of DSARs at any one time, requiring your business to sift through potentially millions of records, scattered across multiple databases managed by multiple vendors. You’ll also need to be able to verify the identity of the subject; and identify any personal information you can’t disclose (say, material related to an ongoing law enforcement investigation).
You could try to build a self-service model to fulfill DSARs, where a consumer would visit your website, verify his or her identity, and your IT systems could then retrieve and display all the relevant data for that person. That approach automates much of the fulfillment work, which alleviates the burden from your employees.
In practice, however, a lot can go wrong with that idea if it’s implemented recklessly. For example, an impostor could pretend to be a certain individual, and without suitable verification procedures, you might share personal data with the wrong person. Result: privacy breach. Or you might disclose information that should be kept secret, like a law enforcement investigation.
So Cytrio is not wrong to say DSARs are a headache crying out for automated solutions. Managing DSARs at scale requires clear policies, procedures, sophisticated data mapping capabilities, and lots of collaboration among compliance, IT, legal, and even sales or customer service functions.
Right now, at least, most companies seem nowhere near that ideal state.