With just six weeks to go before the new California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, a surprisingly large percentage of companies are still not ready to handle the compliance demands of the new data privacy regulation. According to a study of 85 companies by New York-based data privacy technology company Ethyca, only 12% of companies have reach an “adequate state of compliance” ahead of the new data privacy regulation becoming law. Moreover, nearly four in ten companies (38%) need at least 12 months to become compliant. With the state attorney general’s office in California suggesting that enforcement actions will begin immediately, that could present a number of problems for compliance laggards.
How companies are responding to the new CCPA data privacy regulation
More than 18 months after the passage of the European General Data Protection Regulation (GDPR), the prevailing sentiment had been that most companies would be prepared for the compliance demands of the CCPA. After all, the California legislation closely adheres to the basic framework of the GDPR, and data privacy issues have been front and center in the media for the past 18 months as well, so the passage of the CCPA is not catching anyone by surprise. Add in the fact that some of the most famous tech companies in the world are based in California, and one might assume that the CCPA would involve just a few incremental changes by companies in order to be fully compliant by the January 1, 2020 deadline.
However, that’s hardly the case. According to Ethyca, more than 70% of companies have not built any sort of engineering solution for policy compliance. Instead, they are just retrofitting old processes, or asking employees to put in more hours in order to ensure compliance with how they collect and store personal information. Moreover, 75% of the companies surveyed by Ethyca are using an entirely manual solution in their approach to data privacy, and none of the companies are fully reliant on software-based solutions. Instead, the preferred option appears to be cobbling together a mix of legacy software solutions and manual solutions. That exposes these companies to regulatory risk, especially if these compliance solutions are not up-and-running by early 2020.
The changing regulatory risk landscape
So just how concerned should these companies be that they are running out of time to be fully CCPA-compliant? Cillian Kieran, the CEO of Ethyca, acknowledges that getting up to speed can take a lot longer than originally anticipated, even for the best companies, “Regulatory compliance in any domain doesn’t happen the moment legislation comes into effect.” As Kieran sees it, enforcement will build over time, leading to a period of “active maturity.” Thus, right out of the gate, companies may not have to worry too much about enforcement actions. After all, the experience of the European GDPR has been that it takes at least six months before regulators start to look deeply into cases, and about nine to twelve months before serious, attention-getting fines start getting handed out.
As Ethyca also points out in its data privacy report (“2019 Privacy Analysis: Approaches to Data Privacy Compliance”), there is no single solution to regulatory compliance being used by companies. In fact, Ethyca acknowledges that all 85 companies it surveyed appeared to be using different approaches and different solutions to meet the demands of the CCPA data privacy regulation. In part, that’s what makes the report an interesting read – for every approach, there are tradeoffs and obstacles, and companies must do the best they can to navigate the regulatory minefield.
That being said, the new CCPA is hardly the only data privacy regulation that companies need to be monitoring. In the report, Ethyca notes that “the world has changed,” and that there is plenty of other data privacy regulations appearing around the world. In fact, on a map of the world, Ethyca highlights a confusing alphabet soup of data privacy regulations – PIPEDA, POPI, PPB, APPI and APP – from around the world. Too many companies, says Ethyca, are only thinking in terms of the United States and European Union, when they should be taking a much more global approach to data privacy laws. Moreover, if the U.S. enacts a privacy law at the federal level, that would be a game-changer for how companies think about data security.
Responsibility for data privacy compliance
One key theme of the Ethyca report is that companies must decide which unit, department or team within an organization will take on responsibility for data privacy compliance. Typically, this is the department or unit with privacy budget responsibility. In 38% of cases, it is the IT team handling data privacy regulations. In another 25% of cases, it is a combination of the legal and IT teams heading up data privacy regulation compliance. In 12% of cases, it is the cyber security team in charge of data privacy regulation. And in 25% of cases, there is no specific division in charge.
From a compliance perspective, this last group of companies is probably the riskiest – it means that nobody within the organization has really claimed ownership of data privacy compliance, and most likely, there is no coherent strategy in place to handle security breaches or data breaches involving customer data. In order to put the right processes and controls into place, it is important to have someone guiding the rollout of new software or IT solutions to manage compliance. That might help to explain why “manual solutions” are still being used at so many companies – they are the default option when nobody is in charge of data privacy regulation compliance.
Looking ahead to 2020
For the next few months, look for big tech companies to take the lead in CCPA compliance. As Ethyca points out in its report, startups are the least likely to have formalized data privacy resources and processes. And, in terms of budgetary allocations, they also have the least flexibility in adopting state-of-the-art IT solutions for data privacy compliance.
Thus, expect companies like Microsoft – which recently outlined its vision for making CCPA compliance the de facto standard throughout the organization, regardless of which state it is operating in – to take the lead in framing how the rest of the tech sector thinks and talks about CCPA compliance. If that helps to buy some time for the 88% of companies that have failed to reach an adequate level of CCPA compliance, then that’s a good thing for the California business community.