A survey of 300 U.S. company executives by consulting firm PwC has revealed some worrying trends on compliance with the California Consumer Privacy Act of 2018 (CCPA). The survey results indicate that half of the respondents were not confident that their organizations would meet the 2020 deadline for CCPA compliance. The Act is aimed at providing state residents with enhanced data privacy rights and includes significant requirements for companies that sold or disclosed personal information of Californians. The challenge appears to be that most organizations would have to significantly overhaul their personal handling practices and privacy programs in order to meet the requirements – and given the fact that the Act comes into force at the beginning of 2020, time is running out.
Low to middling confidence across a variety of sectors
The results of the survey seem to indicate that the U.S. retail sector – which was largely immune to the compliance issues caused by the roll out of the EU General Data Protection Regulation (GDPR) may face an uphill battle to comply with the provisions of the CCPA. In fact, less than half of the survey recipients in this sector (46%) were confident that their organizations could meet all the requirements by the 2020 deadline. However, other sectors were also equally, if not more pessimistic. Manufacturers and others active in the industrial products sector were also not sanguine about their ability to meet the deadline with only 44% expressing confidence. Those in the healthcare sector also expressed low levels of confidence at around 47%.
Perhaps unsurprisingly confidence levels in the Financial Services sector at 58% and the and telecommunications, media and technology (TMT) at 56% were more favorably inclined to commit to meeting the 2020 deadline for compliance with the CCPA.
Hopefully, companies that went through the process of complying with the GDPR over the last two years would have learnt some useful lessons. According to Jay Cline, Privacy Leader at PwC US, “Many companies spent too much time on legal analysis of GDPR and ended up not having enough time to change their business processes or systems before the GDPR’s May 2018 deadline. California’s more mature privacy-enforcement regime won’t be as forgiving to companies that miss the CCPA deadline.”
Clearly, a implementation-focused approach is critical to meeting the CCPA compliance deadline. Cline believes, “Multinationals that completed the painful GDPR drill earlier this year are trying to do two things better with CCPA: getting an earlier jump on translating legal requirements into technical specifications, and adopting a global approach to privacy capabilities.”
Scope of the CCPA
The CCPA applies to businesses with annual revenue of more than $25 million and significantly improves on a variety of safeguards to protect the personal data of Californians – including consumers and employees by broadening the parameters of exactly what defines personal data.
However, the ripple effect of compliance and efforts to meet compliance criteria will mean that the impact of the CCPA will be felt across the United States – rather than simply touching on companies that are based in California. In fact, the survey results indicate that many companies across the country collect data on California’s 39.5 million residents. A large number of these companies are seriously considering the option of extending the rights provided by the Act to all of their employees and their customers.
This would be a proactive move in anticipation that the success of the CCPA would motivate further federal privacy legislation. By taking the long-term view on compliance these organizations would increase operational efficiency and significantly cut costs by rolling out enhanced privacy measures across their entire operation – rather than waiting for further federal or state laws to be unveiled. The growing consensus seems to be that proactivity and readiness is far preferable to a reactionary stance at a later date.
The CCPA compliance challenge
The low levels of confidence to meet the deadline as expressed by many executives seem to be based on two issues. The first of these is the limited time available to meet the criteria for compliance. Make no mistake the deadlines are tight. The law goes into effect on January 1, 2020. The U.S. Attorney General will then clarify any outstanding issues relating to compliance and enforcement will begin 6 months later.
The survey results did indicate that there was certainly a sense of urgency among company executives. The CCPA compliance issue was ranked as a burning business priority by 86% of the respondents.
Given the fact that the provisions of the CCPA allows for a private right of action, as well as the possibility of enforcement action, the focus is not surprising. The Act mandates that consumers can provide a written notification of their intention to take legal action when they are the victims of what they view as a violation of the terms of the CCPA compliance guidelines. The company will then have to remedy the situation within a 30-day timeframe.
However, as per usual with legislation that provides for punitive action, the devil is in the detail. The Act does not specific what the remedial action (a ‘cure’ as per the legislation) would be. Absent solid guidelines, company executives are becoming increasingly anxious regarding compliance issues. 84% have expressed their concerns about what exactly would constitute a ‘cure’ for any violation of the Act. In fact, the sheer scope and complexity of the legislation are providing many executives with sleepless nights.
Shift from one-off compliance blitzes
The CCPA is an example of how privacy and data security issues are influencing both public discourse and legislative efforts – not only in the United States, but across the globe. The increased pressure for GDPR compliance in the EU has no doubt influenced the U.S. legislators when they were designing the CCPA.
The fact that fines for violation of the CCPA are set at a maximum of $7,500 per intentional violations will be of cold comfort to those who sit on Boards across California and elsewhere. The cumulative effect can be costly – however, the potential damage to corporate reputation and the subsequent loss of revenue due to decreased consumer confidence caused by lawsuits will always exceed the quantum of the fines themselves.
With the privacy regulators gaining increased capabilities to impose fines for violations, Cline advised that, “The CCPA moment is the time for privacy leaders and CIOs to shift from one-off compliance blitzes to the deployment of global privacy capabilities. With Brazil’s version of GDPR going live in February 2020, followed by similar initiatives in Argentina, Chile, and India, CFOs won’t continue to fund these fire drills without a longer-term plan.”
Inevitably, more privacy legislations will be enacted, penalties for violations will continue to rise and privacy officers will face increased pressure to ensure compliance. Approaching these regulations with only compliance in mind may no longer be the best strategy as it will only get more difficult. Cline believes that, “CCPA is a career make-or-break moment for CPOs. Those who continue to talk about privacy as a set of gaps to be closed will be marginalized. Those who can accelerate the new-customer contract cycle, help the successful launch of new products, facilitate the entry into new markets, and transfer risk to other entities will see their horizons broaden beyond data privacy.”