Survey: Companies lag behind with CCPA compliance

Those results come from a new survey conducted by TrustArc, a privacy compliance company, and Dimensional Research. The research gauged the readiness of U.S. companies and their plans for complying with the CCPA as compared to the EU’s General Data Protection Regulation.

The California law, enacted in June 2018, defines a covered “business” as any for-profit entity that either does $24 million in annual revenue; holds the personal data of 50,000 people, households, or devices; or does at least half of its revenue in the sale of personal data. 

Among the requirements: granting consumers the right to request deletion of personal information, providing a right to request companies disclose the categories of information that it collects and the identity of third parties to which the information was sold or disclosed, prohibiting a company from discriminating against consumers who opt out of data collection, and allowing businesses to offer financial incentives in exchange for the collection of personal information.

Of companies that have worked on GDPR compliance, 21 percent are compliant with the CCPA, compared to only 6 percent for companies that did not work on the GDPR, the survey says. 

Additional findings from the report:

• 71 percent of companies expect to spend more than six figures to comply with the CCPA.
• One-in-five expect to spend more than $1 million to achieve CCPA compliance.
• For companies not impacted by the GDPR, 79 percent will spend more than six figures to comply with the CCPA, compared to 61 percent who have worked on GDPR compliance.
• 88 percent of respondents say they require external help to understand CCPA requirements.
• 72 percent plan to invest in technology to prepare for the CCPA, while 61 percent plan to spend on consulting expertise.
• 64 percent of companies need help developing their CCPA privacy plan.
• 62 percent of respondents said the top motivation to comply is to meet partner and/or customer requirements.
• 35 percent of respondents described the risk of fines or class action lawsuits as the top driver, and 18 percent cited the risk of negative media coverage.

“Companies that took the steps to comply with GDPR are already ahead of the game and will have an easier path to meet the requirements of CCPA. The companies that did not work on GDPR compliance will be under the gun to implement scalable compliance processes by the Jan. 1, 2020 deadline,” Chris Babel, CEO of TrustArc, said in a statement.

The survey was distributed online from Feb. 15-27 to 250 IT and privacy/legal professionals at U.S. companies required to meet CCPA compliance. Company size ranged from 500 to more than 50,000 employees from a cross-section of industries, including technology, manufacturing, business services, financial services, and insurance.