Companies with customers or employees in California have only 10 months to become compliant with the toughest privacy law so far in the United States. But only a small percentage of such organizations are ready for the upcoming legislation.
Like the European Union’s GDPR, the California Consumer Privacy Act (CCPA) broadly expands consumer rights while requiring companies to be more transparent about their collection and use of personal information.
The CCPA, signed into law in June 2018, gives California residents the right to know what personal information is being collected about them, or whether their personal information is sold or disclosed, and to whom. Californians can also say no to the sale of personal information and have the right to demand free access to their personal information at any time.
The new law targets tens of thousands of businesses worldwide that have customers or employees in the Golden State. With about nine months to the compliance deadline (January 1, 2020), new research shows only 14% of companies meet the requirements and 44% have not yet started implementation. The numbers aren’t too surprising, given how ill-prepared companies targeted by the GDPR were mere months before the European regulation went into effect.
Of companies that have worked on GDPR compliance, 21% are compliant with CCPA, compared to only 6% of companies that did not work on GDPR, according to TrustArc and Dimensional Research. And of companies that were not impacted by GDPR, 79% will spend more than six figures to comply with CCPA, compared to 61% of those that have worked on GDPR compliance, showing the importance of investing early to meet upcoming compliance requirements. One in five companies expects to spend more than $1 million to comply with CCPA.
The survey also uncovered that companies need help to understand and plan for CCPA, with 88% resorting to external sources to better comprehend its requirements. 72% have put money aside for compliance technology while 61% have budgeted for consulting expertise. Motivations for complying with CCPA vary widely. Some prefer to meet partner or customer requirements, while others are more wary of stinging fines and class action lawsuits in case they slip up. 18% listed the risk of negative media coverage as their top concern.
The CCPA applies to any company that does business in California and has annual gross revenues in excess of US$25 million, sits on more than 50,000 records (consumers, households, devices), and/or earns more than half of its annual revenue from selling consumers' personal information.