Massive State of Unpreparedness for CCPA Compliance Exposed in Research from CYTRIO

Massive State of Unpreparedness for Compliance Exposed in Research from CYTRIO

Only 11% of companies are fully meeting CCPA requirements, while 89% of companies are either non-compliant or somewhat compliant


BOSTON — Jan. 26, 2022 — CYTRIO, a data privacy compliance company, released the findings from its inaugural State of CCPA Compliance: Q1 2022 research results as of December 31, 2021, showing only 11% of companies are able to fully meet California Consumer Privacy Act (CCPA) requirements, especially when managing Data Subject Access Requests (DSARs). The research also showed a disconnect in compliance with 44% of companies not providing any mechanism for consumers to exercise their data rights despite stating they needed to comply with CCPA in their privacy policies.

“The findings of our research show that companies are woefully unprepared for CCPA compliance, especially when it comes to enabling and responding to consumers’ data privacy rights,” said Vijay Basani, founder and CEO of CYTRIO. “An overwhelming majority are manually responding to data requests with only a small number implementing DSAR management automation solutions. The reliance on manual processes exposes them to high DSAR compliance costs, long response times, errors that will erode consumer trust, and non-compliance actions by the California Privacy Protection Agency (CPPA).”

CYTRIO’s State of CCPA Compliance: Q1 2022 report is the largest of its kind, studying 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion. CYTRIO conducted the study over six months to create the baseline research and plans to update it every quarter.

The research found that less than 11% of companies use DSAR management automation solutions. Nearly half of the companies (45%) relied on inefficient and costly manual processes such as email and web forms for submitting and responding to data requests.

California companies were not doing any better than their peers in other U.S. states, even though CCPA is a California regulation that gives its citizens’ control over their personal information. Only 15.6% of companies in California had a DSAR management automation solution, and nearly two-thirds of California companies (59.3%) used manual processes, higher than any other state. New Hampshire companies led their peers from other states with 23.5% having DSAR automation management solutions.

There were significant differences across industry verticals. Consumer services, media and internet, and hospitality — industries that collect substantial amounts of consumer personal information — were more likely to deploy a DSAR management automation solution.

In comparison, highly-regulated industries, including healthcare, financial services, and insurance lagged in commercial solution deployment. However, healthcare companies did provide a manual process for consumers to exercise their rights. Legal was another industry that relied heavily on manual processes.

“Overall, the results show that more needs to be done for CCPA compliance, and many lack the right resources and tools to meet the requirements,” said Darshan Joshi, Chief Technology Officer at CYTRIO. “The prevalent reliance on manual processes and the inability to address DSAR may increase the risks of a company’s operations and shows we have more work to do in building awareness.”


Other key findings:


  • Although B2C companies collect more consumer data, there was no statistically significant difference in the number deploying DSAR management automation solutions when compared with B2B companies (11.3% for B2C vs. 10.3% for B2B).
  • Large companies (with more than 10,000 workers) were more likely to have a commercial DSAR management automation solution. Over 60% did so with the increasing number of DSARs and streamlining related costs as potential reasons.
  • There is a strong correlation between revenue and deploying a DSAR management automation solution. High revenue earners (companies with over $100 million) were more likely to have an automated solution, with companies over $5 billion in revenues especially eager.


To access the full findings, go to:

To view the infographic, go to:


CYTRIO’s software-as-a-service (SaaS) data privacy rights management platform helps organizations comply with data privacy regulations such as CCPA, CPRA, VCDPA, CPA, and others. The company offers an all-in-one solution built on automation, AI-led data discovery, and automated response workflows. CYTRIO’s solutions are simple to deploy, deliver value on day one, and do not require dedicated privacy teams to manage. Learn more at, and follow on LinkedIn and Twitter.


All trademarks recognized.