As the clock winds down to the Jan. 1 effective date for the California Consumer Privacy Act (CCPA), 100 polled compliance practitioners in a joint survey conducted by Compliance Week and ACA Aponix are feeling largely uncertain about their company’s preparedness for the nation’s first modern data privacy statute.

While 21 percent of respondents said they feel “very confident” they’ll be able to meet the new requirements on Day 1, the largest proportion of the group—39 percent—reported feeling only “somewhat confident.” More concerningly, a combined 40 percent of respondents feel either “uncertain” (32 percent) or “not confident at all” (8 percent) their organization will be ready come New Year’s Day.

Part of the problem seems to be companies have a weak grip on the CCPA’s rules, even though many profess this is not the case. While 73 percent of participants stated they have a good understanding of their company’s compliance requirements under the CCPA, in a separate survey question, 62 percent reported the biggest hurdle being faced by their company is understanding all the rules before Jan. 1. 

Alex Scheinman, managing director of cyber-security and risk at ACA Compliance Group, referred to the CCPA as a “moving target.” Case in point: Amendments were made as late as October; the California attorney general also released proposed regulations implementing the CCPA around the same time. Most recently, businesses impacted by the law submitted more than a thousand pages of comments to the California AG pleading for clarity and alignment between the requirements in the regulation and those of the statute.

The CCPA in brief: Who’s required to comply? 

The California Consumer Privacy Act (CCPA) is a law set to strengthen privacy rights and consumer protection for California residents. The bill, which passed by the California State Legislature in June 2018, has given rise to a profound reinvention of privacy regulations for U.S. businesses that fall under its scope. No longer a looming storm cloud on the horizon, the CCPA goes into effect in a matter of days—on Jan. 1, 2020.

 

Not all businesses that handle the personal information of California residents are required to comply with the CCPA. The three thresholds that trigger compliance include:

  • A for-profit company that does business in California and has annual gross revenues of more than $25 million.
  • A business that buys, sells, or shares the personal information of more than 50,000 California consumers, households, or devices per year.
  • A business that derives 50 percent or more of its annual revenue from selling California consumers’ personal information.

Most companies canvassed in the survey (79 percent) are required to comply because they meet the $25 million CCPA threshold. A sizeable chunk (32 percent) meet the 50,000 personal information threshold. Only 9 percent reported meeting the 50 percent annual revenue threshold.

 

Last summer, a standardized regulatory impact assessment (SRIA), prepared by Berkeley Economic Advising and Research on behalf of the California Department of Justice, predicted 75 percent of California businesses would need to comply with the CCPA. That estimate is roughly commensurate with the survey’s findings, where in a sample size of 100, 71 percent of respondents said their company needs to comply. 

“When I say moving target, I mean [impacted businesses] are still waiting for further guidance,” Scheinman explained. The California AG recently suggested leniency will be granted to businesses in the early months of the CCPA’s implementation, so long as they have made a good-faith effort to comply.

While haziness may exist around the requirements of the regulations, what’s clear from the survey is organizations do not necessarily feel intrinsically motivated to protect consumers’ privacy rights. Rather, they’re motivated to follow the language of the law (or try to). The No. 1 reason ranked by surveyed respondents as to why their companies are investing in CCPA compliance was because they are concerned with “meeting regulatory requirements.” The second and third most highly ranked motivations were “meeting customer requirements” and “meeting internal requirements,” respectively. “Supporting the company’s values” came in fourth.

How companies track customer data

There are many ways companies collect personal information about their customers—some obvious, others covert.

The simplest way for companies to collect personal information is by directly asking users for it when they sign up for a product or service. Indeed, the straightforward request is the most common approach among survey respondents, as 77 percent reported their organizations do just that.

A more roundabout way of collecting personal data is by indirectly tracking customers through the stealthy use of online sources, such as cookies and web beacons.

Cookies, or small pieces of data dispersed by a website, are stored on a user’s computer by the user’s web browser; they then record and remember a user’s browsing data along with other pieces of information (e.g. credit card numbers that are typed into form fields). A web beacon is a small, often transparent graphic image that is placed on a website to monitor the behavior of the user visiting the website. A web beacon can track the IP address of a user’s computer along with when and how long the beacon was viewed, the type of browser used, and any previously captured cookie values.

Organizations can also track user data by looking into their own customer services and sales records to survey a user’s transaction history and interaction with support departments. While in some sense this method might qualify as “directly” collecting personal data since the company is looking into its own fund of information, it is “indirect” in the sense it relies on logged information rather than data submitted voluntarily by a user after being asked for it.

Nearly half (48 percent) of survey respondents reported their companies indirectly track customers through such methods and mechanisms.

That percentage “on the passive collection side with cookies” seemed a little low to Scheinman. “I would wonder if those companies really conducted a scan of their website’s pages to see what cookies are being used and whether those cookies are collecting personal information,” Scheinman said.

A third way of collecting personal data is by appending other sources of customers data to a business’ own. Think social media: Companies may allow customers to use their Facebook account to log into their application, and in doing so, collect personal data from their Facebook profiles. Organizations can also build network maps based on friend connections. Any publicly shared information on social media platforms is also fair game. Arguably, this method may seem less furtive to consumers than companies’ use of cookies and web beacons since consumers consciously grant access of their social media profiles to third-party applications.

Almost half of surveyed respondents (47 percent) make use of this practice for personal data collection.

Finally, there is also the option of buying data from third-party sources. Some companies mine, analyze, and sell customer data as a business operation, and organizations can purchase this information for a price. Over a quarter (26 percent) of survey respondents said their organizations make use of third-party sources to supplement personal data collection.

With myriad personal data in tow, companies can build private profiles of users (these are known as “shadow profiles”) as part of a customer data platform. These profiles are valuable for the purposes of market segmentation and targeted advertising.

One workaround to the CCPA? Anonymize the data.

“With many of my clients—and this is not necessarily reflective of all firms—in the financial services space, when clients are leveraging alternative data sets, the data set is typically often anonymized before it is shared with the firm. If it’s coming in anonymized, that means the firm is not purchasing personal data. In which case, it is exempt from CCPA requirements,” Scheinman explained.

The price tag of CCPA compliance

Small businesses in California will likely be hit harder than larger enterprises by the CCPA because the latter are better equipped to absorb upfront compliance costs, according to a standardized regulatory impact assessment (SRIA) prepared by Berkeley Economic Advising and Research on behalf of the California Department of Justice last summer.

“It is likely that the 50,000 PI requirement and the 50 percent annual revenue requirement will apply to many businesses with annual revenues less than $25 million,” the SRIA states. For the 41 percent of respondents who reported their companies meet one or both thresholds, they will want to ensure their firm’s initial expenditure on CCPA compliance is budgeted adequately to meet the associated costs.

For example, nearly half (45 percent) of respondents said they have less than 20 employees in California. The SRIA predicted companies with fewer than 20 employees would incur an average initial cost of $50,000. Among respondents who fell into this size cohort, 71 percent said they budgeted less than $50,000 for an initial expenditure, suggesting they may be underestimating the price tag of CCPA compliance. Overall company sizes were not reported in the survey.

For larger organizations, the SRIA predicted companies with more than 500 employees would incur an average cost of $2 million for initial compliance. Among the survey respondents who work at organizations of this size, only 18 percent budgeted that much money for an initial expenditure. Most respondents in this cohort (32 percent) reported an initial expenditure of $450,000, which the SRIA would suggest is far too low.

“I suppose you can pivot on number of employees as an important indicator of what you’ll spend, but it’s not that only factor,” Scheinman said. “What matters most [in determining how much to budget for initial CCPA compliance] is a company’s data footprint and its existing IT capabilities. However, putting that aside, I certainly know there are plenty of large Fortune 500 companies that are spending seven figures on CCPA compliance. A big chunk of that investment is on technology.”

Action steps and road blocks

Over half of all organizations surveyed (54 percent) said their firm will need to spend less than $50,000 to become compliant with the CCPA. This finding may be partially explained by the fact that larger organizations, especially technology firms, have already been forced to meet the compliance requirements of the European Union’s General Data Protection Regulation (GDPR). Consequently, these firms may face lower costs to become compliant with the similarly veined CCPA.

For companies that do not fall under this category, however, they may want to up the ante on their budget allocation, according to above-stated predictions from the SRIA report.

“That $50K number aligns with what many of my smaller clients are spending,” said Scheinman. “These clients tend to have fairly simple IT infrastructure; data tends to be stored in very few places, and their IT systems have the capabilities they need to address their CCPA obligations. So, there’s not as big of a data discovery exercise, and it tends to take less time. Whereas in larger and more complex firms, data tends to sit anywhere and everywhere, and it becomes significantly more difficult to wrap your head around it. In that case, you may need to upgrade and implement your technology to organize and sift through your personal data assets.”

The costs associated with CCPA compliance include technical, operational, legal, and business costs. The majority of respondents (31 percent) said they anticipate the technical costs—associated with establishing technologies necessary to respond to consumer requests and other aspects of the law—to be the most burdensome for their organization.

Despite respondents’ willingness to admit they’re struggling to metabolize all the rules of the CCPA, most organizations are declining to bring in a third-party technology vendor or consultant to help them comply. More than two-thirds of respondents (68 percent) said they are doing it all in-house.

Scheinman would recommend companies that are struggling to get a handle on the CCPA and don’t have an internal dedicated privacy professional look to help from a third party “whether that’s outside counsel, a consultancy, and/or a privacy tech vendor.”

“Most of my clients in the financial services space don’t have privacy officers. The chief compliance officer, legal, and IT all tend to share privacy responsibilities. Other firms have dedicated privacy officers with subject matter experts who could drive a CCPA compliance initiative without reaching out to a third-party consultant. And even in those cases, you’d probably still need a technology vendor,” Scheinman advised.

CCPA and third parties

Another action step being taken by organizations is investigating how third-party providers collect and manage consumers’ personal information. Only 31 percent of respondents said they are already doing it.

“You should be doing some diligence that includes privacy and cyber-security diligence on any and every third party that you’re sharing personal information with,” Scheinman warned. “Some firms handle third-party diligence in-house­—they rely on industry specific due diligence questionnaires or their own questionnaires, but even then, you have to be able to interpret the responses and know what best practices are and whether or not to accept risk.”

The most difficult CCPA compliance requirement to implement, participants reported, is data inventory/mapping.

“Conducting a data inventory exercise allows the firm to know what data it has, where it is stored, to whom the data is shared and disclosed, and what jurisdiction it was collected from and transmitted to. Mapping the jurisdictional flow of personal data helps firms understand what privacy regulations their compliance program will have to address. Companies have to understand not just what the data is but also where it is. If you don’t know what data you have and where it is, you can’t meet your privacy compliance obligations,” Scheinman said. For example, if data is moving from the European Union to the United States, firms will know they have to address this transfer with one of several options.

Data inventory/mapping can be done manually via interviews with key stakeholders in functional areas. However, there are now innovative tools emerging in machine learning and artificial intelligence that can essentially map and index all the personal data elements in a company’s infrastructure and generate a detailed map.

“Those are the seven-figure tools that some firms­—bigger firms—are using. They can be expensive to purchase and can cost a lot to maintain,” said Scheinman. “I think we’re at the point, though, that something that’s seven figures today will probably be a fraction of the cost in a couple years when the market settles. Right now, many firms are trying to manage this manually, but there are more and more tools inundating the market.”