A recent survey conducted on businesses in the United States by CYTRIO found that, as of March 21, 2022, 90% of U.S. companies were not fully compliant with the Data Subject Access Request (DSAR) requirements of the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the EU’s General Data Protection Regulation (GDPR).
Even though the GDPR took effect on May 25, 2018, U.S. companies are still struggling to get to grips with access and data deletion requests: 95% of surveyed companies said they still rely on manual processes to meet those requests, and only 10% of companies have implemented an automated CCPA DSAR solution. Widespread non-compliance with the requirements of these data privacy laws is a concern, especially as enforcement of compliance with the CPRA will start in 2023. In the case of the CPRA there is also a stringent 12-month lookback.
According to the survey, only 11% of U.S. companies were fully compliant with the requirements of the CCPA, with 89% of companies saying they were somewhat compliant or non-compliant. B2B and B2C businesses of all sizes were found to be unprepared for compliance with the GDPR, even though data protection authorities in EU member states have been actively enforcing compliance. As of March 2022, data protection authorities in the EU have imposed $1.8 million in financial penalties on individuals and companies found not to be compliant with GDPR requirements.
With respect to CCPA and CPRA compliance, companies in California, New York, and Texas were the most compliant; however, the number of companies in those three states as a percentage of total companies decreased from 31% to 24% between Q4 2021 and Q1 2022. Companies in the business services, retail, and finance sectors were the most compliant.
DSARs from data aggregators have been increasing in frequency and volume, with the majority of the requests coming from individuals who wish to exercise their right to erasure and have their personal data deleted. Individuals are increasingly aware of their rights under data privacy laws, and it is now common for requests to be submitted to access data and to have saved data erased. When DSARs are received, they must be processed in a timely manner, and if those processes are completed manually it will be a challenge to do so. As more states start introducing their own privacy laws, the problem will become far worse.