The California Consumer Privacy Act, which takes effect in January 2020, will significantly limit how companies handle, store, and use consumer data. The law will also require businesses to be more transparent, give consumers the ability to delete and download collected data, and give them the chance to opt-out of the sale of their information.

But a new survey published on Tuesday by security and compliance firm TrustArc suggests a vast majority of companies still have their work cut out for them.

“Our goal was to say, ‘How are people doing in their progress toward the [compliance] goal?'” said Chris Babel, TrustArc CEO. “We found the vast majority of people have a very long way to go.”

The results show that 86% of respondents have not completed preparations to be compliant with the new California law. Companies will have to create complex tools that will identify the data they collect, organize it, and give consumers easy-to-use technology to delete it.

The survey results are based on responses 250 professionals, who are at least partially responsible for privacy matters at companies with 500 or more employees. The questions related to their preparations for California’s new law, which could impose penalties up to $7,500 per infraction for companies that fail to comply.

To prepare for the new rules, 72% of respondents said they plan to invest in technology tools, while 71% said they expect to spend more than six figures on related to compliance. One-fifth of surveyed professionals expect to spend more than $1 million.

“It’s expensive, time-consuming, and difficult,” Babel said. “And there’s a host of things people are looking toward to help.”

About half of the professionals surveyed currently fall under the European Union’s General Data Protection Regulation, a set of new privacy laws that went into effect in May. Of those professionals, half of them say their GDPR programs are helping them plan for California’s new rules. However, only 21% would be currently compliant with the state’s law, which maps out a much more stringent set of regulations compared to those in Europe.

Given the expected six-figure cost for each of the two new laws, it’s no surprise that privacy regulation is hitting companies’ budgets. The survey found that 82% of respondents are increasing how much they spend on managing privacy this year.

And that’s assuming companies only have to deal with two privacy laws. For example, Hawaii, Massachusetts, and Washington are all considering their own state laws while Brazil passed its own regulations that will take effect in 2020.

“There was one big law to make people wake up, and another one in California, but there’s more coming,” Babel said. “Doing it right has benefits for all and is critical to business success.”