The implementation of the California Consumer Privacy Act of 2018 (CCPA) is just around the corner, but there are indications that many organizations might not be ready for the new data protection requirements.
It’s a situation that’s similar to the months leading up to the implementation of the General Data Protection Regulation (GDPR), the European Union’s data protection law that took effect in May 2018.
CCPA, which is designed to strengthen the privacy rights and consumer protection of California residents, was passed by the California State Legislature and signed into law in June 2018 to amend Part 4 of Division 3 of the California Civil Code. The rules will go into effect on Jan. 1, 2020.
The act is intended to provide California residents with the right to know what personal data is being collected about them, whether their personal data is sold or disclosed and to whom, and a number of other rights related to personal data.
CCPA has four basic requirements: the protection of personal information (defined as data that identifies, relates to, describes, is capable of being associated with, or could reasonably be directly or indirectly linked to a particular consumer or household); the disclosure of the sources, categories, or specific pieces of consumer information collected, sold, or disclosed for a business purpose; deletion of data if requested by a consumer; and data access and portability if requested by consumers.
The rules apply to any organization that collects consumers' personal data, does business in California, and satisfies at least one of these criteria: annual gross revenue of more than $25 million; possession of personal information of 50,000 or more consumers, households, or devices; or earnings that equate to more than half of its annual revenue from selling consumers' personal information.
A study released in March 2019 by Dimensional Research showed that 88% of U.S. companies need help complying with CCPA. The report, commissioned by TrustArc, is based on an online survey of 250 IT and privacy/legal professionals fielded in February 2019.
Only 14% of the companies surveyed said they were compliant with CCPA, and 44% had not yet started the implementation process. Compliance can be costly, with 71% of the companies expecting to spend more than six figures to comply with CCPA. About 20% expect to spend more than $1 million to achieve CCPA compliance.
More than 70% of those surveyed plan to invest in technology to prepare for CCPA, while 61% plan to spend on consulting expertise. About two-thirds said they need help developing their CCPA privacy plan.
A majority of the respondents (62%) said the top motivation to comply with CCPA is to meet partner and/or customer requirements. Other major drivers for complying include internal reporting requirements (cited by 45%), supporting company values (41%), the risk of fines or class action lawsuits (35%), and the risk of negative media coverage (18%).
In a “readiness roadmap” for CCPA compliance, professional services and consulting firm PwC noted that companies serving or employing California residents might find that five CCPA requirements have the biggest impact on their business plans.
These include data inventory and mapping of in-scope personal data and instances of “selling” data; new individual rights to data access and erasure; new individual right to opt-out of data selling; updating service-level agreements with third-party data processors; and remediation of information security gaps and system vulnerabilities.
“Requirement violations include penalty thresholds that may expose large California-based businesses to substantial risk,” the firm said. Both organizations with existing privacy capabilities, such as those developed for GDPR compliance, and those without any previous preparation might need the entire grace period before the deadline to deploy the necessary capabilities, it said.
CCPA is the beginning of “America’s GDPR,” PwC said. Similar to the European rules, the CCPA will require organizations to focus on user data and provide transparency in how they are collecting, sharing, and using such data.
A key question is to what extent a company can extend its GDPR capabilities into its California operations to prepare for CCPA, the firm said.
“Certain CCPA requirements overlap with the existing GDPR individual rights requirements, which may give GDPR-ready organizations a jump start on building a capability around user-data handling practices,” it said. “Still, several policies, processes, and systems will still need updating to address differences between the two laws.”