Only 11% of US businesses fully meet California Consumer Privacy Act (CCPA) requirements, according to a new study. This is actually higher than the 6% fully compliant with the EU’s General Data Protection Regulation (GDPR).
The rest of the companies are either non-compliant (44%) or partially compliant (45%) with these privacy protection laws, according to research from CYTRIO, a data privacy compliance company. The EU and California laws require companies to provide people with a way to exercise their rights, something 44% of the 5,175 businesses surveyed failed to do. A company was judged partially compliant if it used manual processes – email, web forms – for handling data requests.
- More than 50% of companies fail to comply with these laws despite stating on their websites that they need to do so.
- While B2C companies collect more consumer data, their compliance rate is essentially the same as B2B companies (11.3% for B2C vs. 10.3% for B2B).
- The most compliant business sectors are Media & Internet (30%) and Consumer Services (25%). The least: Healthcare Services (0%) and Education (8%).
- Only 15% of California companies are compliant. New Hampshire does best in the state rankings with 24%. Alaska, Arkansas, Idaho, Montana, New Mexico, South Dakota and West Virginia all had 0%.
Why we care. GDPR fines can reach 4% of annual revenue, and regulators do enforce them: Google, British Airways, H&M and Marriott are among the companies hit with fines of $10 million or more. The CCPA can charge up to $7,500 per record for each intentional violation. That’s just the direct fiscal cost. Brand reputational damage is likely to be much higher. Consumers have been very forgiving about data being stolen. This won’t be the case if a company has been misusing it on purpose.