The California Consumer Privacy Act (CCPA) is fully in force as of July 1, but a new study from data privacy management firm Ethyca shows that more than half of organizations are still not prepared for it. This is a very late point in the game to get started, as CCPA enforcement actions can apply to violations that date all the way back to the beginning of the year.
Doing business in California? CCPA enforcement is now on the table
Any company that does business in California or handles the personal information of its residents is now subject to CCPA enforcement as of July 1, though the terms of the new law went into effect on January 1 and violations may have accrued since then. Many organizations are running out of time to make necessary changes before they begin facing complaints and state scrutiny.
Though organizations have had since late 2018 to prepare, the Ethyca study finds that 56% of organizations surveyed do not feel that they are ready for either the CCPA or other new privacy regulations that are close to being enacted in other countries. The study surveyed 218 tech company General Counsels who are responsible for ensuring that their organizations are compliant with these measures.
The General Counsels reported that the leading reasons for non-compliance are lack of resources, budgetary allocations and inability to keep pace with increasingly complex requirements. Only 31% of respondents felt that they were fully prepared for CCPA enforcement.
57% of these organizations have committed to spending more on regulatory compliance this year, with only 6% reducing their budgets in this area. In spite of this, 43% of respondents said that preparedness for CCPA enforcement specifically was deprioritized due to the COVID-19 lockdown measures and workplace restrictions. 50% also have yet to appoint a Chief Privacy Officer or Chief Information Security Officer.
So why are so many businesses not yet ready to take CCPA enforcement seriously? The largest share, 44%, chalked it up to a simple lack of resources. 32% of respondents said that they were still trying to untangle complex privacy regulations as they relate to their companies. 9% said that upper executives had yet to be convinced to buy in, while 8% felt that they did not have enough qualified staff on hand to make the necessary changes.
What’s on the line for companies that are still struggling to catch up if CCPA enforcement comes for them? The system is complaint-based, and each data subject can potentially cost a company $2,500 for each unintentional violation or $7,500 for each intentional violation. Data breaches that involve thousands or millions of customers could be quite costly.
There are size limitations, of course; the CCPA applies to companies that either collect personal information from more than 50,000 individuals or unique devices each year, or simply have an annual gross revenue of at least $25 million. However, the size exemption ceases to apply if a company makes more than 50% of its annual revenue by selling the personal information of California residents.
Lack of preparedness
Ethyca points out that the general lack of preparedness is not always a case of organizational dysfunction, as CCPA terms have changed significantly since the act went into effect earlier this year. Some of the key changes that went into effect on July 1 were not solidified until early April, giving organizations little time to respond. These changes include requiring a new type of separate disclosure for price differences that are based on consent to personal information collection, the removal of the example “opt out” button that companies had previously been encouraged to use (to be replaced with a new link and notification requirement), and a new requirement to describe the commercial purpose of collecting and selling any personal information.
There is also still some lack of clarity as to how the CCPA applies to tech companies that handle the personal information of California residents but are not registered in, and do not have any physical presence in, the state. The law appears to apply to any organization anywhere in the world, but it is unclear how the state would investigate and enforce these cases. Early analysis by some legal experts indicates that the state may be very selective in CCPA enforcement and opt to spend most of its time chasing down California companies that have violations involving minors, or that are based in Silicon Valley and process huge amounts of personal information.
The situation does not appear to be getting any less complex or confusing anytime soon. California is already working on a revamped and stronger data protection law, the California Privacy Rights Act, which is slated to go before state voters on the November 2020 ballot. Organizations are also dealing with similar laws coming online in other parts of the world, the most immediate and substantial being Brazil’s new Lei Geral de Proteção de Dados (LGPD). 73% of the survey respondents said they were having difficulty complying with this new patchwork of international regulations, and 17% said it was outright impossible to be compliant with everything. 49% of respondents are strongly in favor of federal laws to make developing situations like the one in the United States more manageable, and an additional 36% think a federal standard would be at least “somewhat useful.”