For more than two years before the start of General Data Protection Regulation (GDPR) enforcement, companies were warned about potential substantial fines for compliance violations. On the first day of enforcement, an Austrian privacy advocate sued Facebook and Google  for about $8.8 billion for coercing users into sharing personal data. And earlier this year, Google was slapped with a €50 million fine for not obtaining proper user consent for serving personalized ads.

After just eight months of GDPR enforcement, 91 GDPR-related fines have been levied, and it is likely that the data protection organizations in various European countries are still just getting ramped up. Despite all this “encouragement,” the current state of GDPR compliance readiness is bleak. According to one estimate, only 27% of U.S. companies are GDPR-compliant.

Yet, even as GDPR compliance efforts struggle to ramp up, it’s clear we are only at the beginning of a long road of new data privacy regulations and requirements. Going into effect next January is the California Consumer Privacy Act (CCPA), which, while similar in some respects to the GDPR, has key differences, so the ability to comply with the GDPR does not ensure the ability to comply with the CCPA. In fact, only 14% of U.S. companies are compliant with the CCPA, and 44% have not yet started the implementation process.