Complying with provisions of the California Consumer Privacy Act (CCPA) continues to be difficult for many companies, according to a new survey from Compliance Week and OpenText.
A survey of 66 business executives whose companies fall under the purview of the CCPA found nearly two-thirds (64 percent) would not be fully compliant by July 1, the law’s enforcement date. The survey was conducted earlier this summer.
The biggest barrier to compliance is the CCPA’s complexity and the lack of guidance from California regulators, according to 68 percent of survey respondents who said the privacy law affected them. Next was inadequate budget (50 percent) and needing more time (40 percent), followed by a lack of skilled resources (37 percent) and a lack of required technology tools (23 percent). Respondents could choose up to three responses.
One quarter (26 percent) of respondents represented financial services firms like banks and insurance companies, followed by high tech (15 percent) and professional services (9 percent). Other industries represented in the survey were manufacturing (8 percent); media and entertainment (6 percent); aerospace, defense, and intelligence (6 percent); as well as life sciences, retail, consumer goods, and nonprofit organizations.
Beyond avoiding enforcement actions by the California Attorney General’s office, complying with CCPA brings with it other benefits, said Janet de Guzman, senior director of industry marketing and compliance at OpenText, a Canadian-based global information management technology vendor.
“Data privacy is becoming increasingly important to consumers globally, and customers will gravitate towards companies that can protect their personal information. Companies that become CCPA compliant are able to boast about their robust, superior security measures,” she said. “A negative tweet, post, or review can cause millions in lost revenue. Citizen journalism is real and for better or worse can make a company’s misstep very public, very quickly.”
Most survey respondents said they are being asked to comply with the CCPA without much in the way of additional resources. Over the past three years, respondents said their privacy budgets have either stayed the same (44 percent) or increased slightly (36 percent). Only 17 percent of respondents said their privacy budgets significantly increased, while 3 percent said they actually decreased.
Complying with the CCPA is proving to be a tough task for some companies, said Roobi Alam, OpenText’s vice president of global privacy and compliance.
“Companies need to realize that there are no quick fixes to comply with CCPA or any global privacy regulation. The privacy landscape is growing and becoming quite complicated, therefore companies need to dedicate a budget/resources to meet these demanding requirements,” Alam said. “The scope of the budget will depend on the industry, size, and global operations of the company.”
Of the law’s requirements, respondents said they were most concerned about its data breach prevention and notification requirements, as 85 percent were either extremely or somewhat concerned. Equally concerning was knowing what data their firm holds, where it’s stored, and how it’s used (83 percent said extremely or somewhat concerned).
“You cannot comply with data privacy laws unless you know what personal data you hold,” de Guzman said. A key first step toward compliance is to determine your firm’s data footprint by identifying all the relevant departments that process personal information—including HR, finance, contracts/procurement, sales, and marketing. Find out from the departments how they use the personal information; then create a centralized master record of all processing activities, she said. Finally, document a streamlined and defensible process that can be used to keep the inventory up to date.
“If privacy is having its big moment now, I would say that—albeit with less fanfare—records management is too,” she said. “Organizations can’t hold onto personal data forever anymore, which means that companies that have been meaning to and putting off developing a more robust records management program and review their retention schedules have good reason to do so now.”
More than half of survey respondents (54 percent) said the most important factor in selecting a privacy management tool is its ability to integrate with existing business systems that hold personal data, closely followed by the price of the tool (53 percent). (Respondents could pick up to three answers.)
Getting all your data systems out of their silos and into an integrated data and content management system is a key step to complying with data privacy laws like the CCPA, de Guzman said.
“More and more, organizations are seeing the benefits of a single technology partner over the multi-vendor approach,” she said. “When companies and governments go with a single strategic technology partner—one with a broad product portfolio—it allows them to collaborate on a multi-year strategy to meet agreed upon objectives together.”
CCPA, and CCPA 2.0—a.k.a. CPRA
California Attorney General Xavier Becerra’s office began enforcing the CCPA on July 1 but has not yet issued an enforcement action. Dominique Shelton Leipzig, a Los Angeles-based attorney with the firm Perkins Coie, said a source within the AG’s office told her that on July 1, notification letters were sent to companies identified as not in compliance with the law. The companies had 30 days to respond.
After that, the AG could decide the company resolved the issues and close the inquiry; extend the time period for the company to come into compliance; or file a lawsuit against the company through the state court system.
Shelton Leipzig said Becerra, through public statements, indicated the AG’s CCPA enforcement priorities would be placed on protecting the data of children, as well as on digital marketing companies that monetize the consumer data they collect. Companies that handle a large amount of personally identifiable consumer data—think utilities, telecommunications, social media, and others—may also draw the attention of the AG’s office.
And there’s another, stricter data protection law on California’s November ballot, which has been called CCPA 2.0. Proposition 24 asks voters to enact the California Privacy Rights Act (CPRA) of 2020.
The ballot question has strong public support, according to an Aug. 3 poll paid for by the ballot question’s proponent, Californians for Consumer Privacy. The poll found that among 605 likely California voters, 81 percent support the measure. Proposition 24 has generated some opposition, including from the American Civil Liberties Union of California and several other civil rights groups.
If passed, the CPRA would give consumers additional rights regarding their personally identifiable information (PII) over and above those granted by the CCPA. Some of those new rights include the right to correct PII; the right to delete PII; and the right to limit the disclosure of PII. A consumer opting out of the sale of PII under the CCPA could also opt out of the sharing of PII under the CPRA. Perkins Coie compares the two measures in this checklist.
The CPRA would also establish a new agency, the California Privacy Protection Agency, overseen by a five-member board and executive director to investigate violations and bring enforcement actions.
Companies could take more than three years to prepare for the new rules, as the CPRA would not take effect until Jan. 1, 2023.