The California Consumer Privacy Act (CCPA) is set to take effect less than nine short months from now, but most companies are far from prepared.
Effective Jan. 1, 2020, California will become the first state in the nation to enact a law that, in large part, mirrors the stringent data protection and privacy requirements of the European Union’s General Data Protection Regulation (GDPR). Specifically, the CCPA gives California residents several new rights over their data, including the right to request information about the sources and purposes of the personal information collected, the right of deletion of personal information, and the right to “opt-out” of the sale of their personal information.
“What that really means is it’s going to require companies to make some pretty significant changes to their business processes,” says Dave Deasy, senior vice president of marketing at privacy compliance and security company TrustArc. If the GDPR is any indication, making those changes can take a lot of time, depending on the size and complexity of the company, he says. “That’s the primary reason why companies have to start now.”
Yet most companies and financial services firms that fall under the CCPA are still only in the early stages of their readiness plans, according to a new survey of privacy compliance professionals conducted by Compliance Week and TrustArc, which gauged organizations’ readiness for the CCPA. All of the nearly 100 compliance professionals surveyed indicated that their responsibilities include managing privacy compliance and that their businesses will be affected by the CCPA.
According to the findings, 45.6 percent said they are “working on a preliminary plan,” while another 26 percent said they have not started at all. Just 15 percent said their plan is “well underway,” and 13 percent said they have a plan in place but have not yet started executing it.
Lack of preparedness is a big risk, because the repercussions for non-compliance are severe. The CCPA will be enforced by the state attorney general, who can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, if a business fails to cure an alleged violation within 30 days of being notified; since a violation could be counted per record or customer file, the exposure scales with the size of the data set. The law also creates a private right of action, with statutory damages of $100 to $750 per consumer per incident, when nonencrypted and nonredacted personal information is exposed in a breach that results from a failure to maintain reasonable security procedures.
A bigger driver for change, however, is that “nowadays, most businesses require their vendors to be compliant with all the applicable laws and regulations, and that carries over to privacy as well,” Deasy says. “So, aside from the risk of financial penalties, most companies are going to find that come Jan. 1 next year, they’re going to have a lot of customers who are going to stop doing business with them if they can’t demonstrate that they’re compliant.”
In fact, 68 percent of respondents indicated that meeting customer, partner, or other third-party expectations was their biggest reason for investing in CCPA compliance, while 63 percent also cited fines and class-action lawsuits. Other driving factors included supporting company values; negative media coverage; and meeting internal reporting requirements, including demands from their boards of directors.
The trouble is that companies face numerous challenges in becoming CCPA compliant. The areas in which they seek the most help, according to survey respondents, include creating data inventory and maps; managing privacy complaints and individual rights; and conducting privacy risk assessments.
To overcome these challenges, Deasy recommends several steps companies can take to become CCPA compliant. That starts with conducting a CCPA readiness assessment, which generally involves understanding the requirements of the CCPA, how it impacts the business, and where gaps in compliance exist.
The next step is to build a data inventory. What’s critical here is understanding what data the company collects, where it is stored, who has access to it, and with whom it’s shared. “Creating a data inventory might sound relatively easy, but the reality is it’s pretty complex,” Deasy says. “There are lots of companies [that] collect and rely on selling data, and they simply don’t have any record of where all that data is that’s being sold.”
This is particularly true of large companies with multiple divisions operating in multiple geographies, with multiple systems spread out all over the place. Historically, companies have created data inventories manually or, in many cases, simply didn’t collect enough of the right information, so having to document all of this for the first time is a “significant undertaking,” Deasy says.
In fact, 49 percent of respondents said they still use standard desktop tools, including e-mail and spreadsheets, to manage privacy compliance. Another 46 percent said they use internal systems, and 34 percent said GRC software (respondents could select more than one option).
Companies that have already built a comprehensive data inventory for the GDPR will find some overlap with CCPA compliance. For example, the CCPA requires companies to identify what data is being sold. If you created your GDPR data inventory in a system that allows for updates, “it’s pretty easy for you to go in, add one additional field, and start keeping track of that new information versus if you created that data inventory in a more manual type of system—then sometimes you might have to start the process over,” Deasy says.
A third step is to have a process in place to follow up on data subject access requests. The CCPA gives a business 45 days to respond to a verifiable consumer request, and verifying the requester is itself a security control: a process that hands over personal information without confirming who is asking becomes a disclosure channel rather than a privacy right. Even if you know where the information is, large consumer-facing companies might get hundreds, if not thousands, of these requests a month. “It’s a pretty time-consuming process to be able to follow up on the request and to do all the proper documentation,” Deasy says. “If you don’t have any kind of streamlined and automated process in place, it becomes a significant cost burden to the company.”
A fourth step is to invest in appropriate technologies and tools. TrustArc, for example, offers a privacy platform that companies can use to manage many different elements of the CCPA—such as building a data inventory; conducting and managing privacy assessments; and managing data subject access requests. TrustArc also has a team of privacy experts to help companies that don’t have either the expertise or bandwidth to do the CCPA readiness assessment.
When asked how much they expect to invest in CCPA-related privacy compliance expenses in 2019—including all internal and external personnel, training, consulting, legal advice, technology, and other costs—40 percent said less than $100,000, while 27 percent said they do not expect to spend anything on CCPA compliance. Another 18 percent said between $100,000 and $500,000. Only 13 percent said they expect to spend more than $500,000.
More than half of respondents (57 percent) said that in preparing for the CCPA, their biggest investment will go toward new tools and technologies, followed by external legal expertise (31 percent), consultants (21 percent), and internal hiring (20 percent). Seventeen percent said they are not making any CCPA investments at all.
The bottom line is that if a company doesn’t have a clear understanding of where its data is and processes in place to follow up on data subject access requests, “it will become a significant financial burden on the company to be able to respond to these requests,” Deasy says. “For companies that wait too long, it’s almost impossible to put a good process in place to address them.”