(Photo: Shutterstock)

Despite enforcement of the California Consumer Privacy Actcoming online earlier this month, many companies are stillstruggling to comply with the far-reaching state regulation. Butit's not just a lack of understanding about the CCPA's requirements that isholding them back. It's also a lack of automation andfactors outside their control, according to a new survey of 121U.S.-based companies by cybersecurity and cloud services companyAkamai.

Complying with CCPA requirements are still a somewhat manualprocess for many companies. Only around a third of surveyrespondents, for example, said they fully automated showing orallowing customers access to their personal data. Even fewer, 23%,did the same for customer requests to have their data deleted.However, 43% were able to fully automate customers opting not tohave their personal data sold by the company.

According to the survey, at least half of all respondentsreceived these four CCPA requests at some point. Lesscommon, however, were customer requests about if and to whom thecompany sold their private data, at 38% of companies, and thoseensuring the company wasn't discriminating against customersbecause they exercised their CCPA privacy rights, at 22%. These two last requests were automated by only 21% and 28% ofcompanies, respectively.

Steve Winterfeld, the advisory CISO at Akamai, noted one of thebiggest hurdles to companies automating their CCPA compliance isthe fact many don't store customer data in one central location. Heexplained that companies often use third-party providers that haveaccess to their customer data regulated by the CCPA.

"Now you have data in a lot of places, and so to automatesomething like 'what information do you have about me,' you have topull from multiple places. And to build a system that can integrateall that can be very difficult," Winterfeld said.

For some companies, he added, building such a system isn'teconomical. "Part of that is how many people are going to requirethis. … If five people want their data to be deleted, automating itdoesn't make financial sense, you won't get a return oninvestment," he said.

Most companies said the CCPA compliance challenges they facedwere both internal and beyond their control. Slightly less thanhalf of all respondents cited a lack of consistency between theCCPA and other privacy regulations (47%) , and a lack ofvisibility into what data they hold (46%) as a barrier tocompliance. Around 40% also said inadequate technologyinfrastructure and inadequate implementation time were challenges,while 36% cited a lack of data education.

Winterfeld noted the challenge of "data education" includesmaking sure all departments and employees within a companyunderstand how to comply with CCPA. For example, "you don't havemarketing go hire a company that is not compliant with therequirements," Winterfeld said. He said companies have to make sure"data is treated in accordance to those corporate policies thatallow the company to be compliant."

While attorneys have a pivotal role making sure employees adhereto regulatory requirements, they are often not the ones overseeingtheir organization's CCPA compliance. According to the survey, mostcompanies either relied on their chief information officer, 32%, ortheir chief technology officer, 29%, to manage their complianceeffort, while only 18% gave the responsibility to their chief legalofficer. Nine percent also had their chief customer officerspearhead the effort, while 8% turned to their chief privacyofficer and 3% their chief marketing officer.