The California Consumer Privacy Act (CCPA) is fully in force as of July 1, but a new study from data privacy management firm Ethyca shows that more than half of organizations are still not prepared for it. This is a very late point in the game to get started, as CCPA enforcement actions can apply to violations that date all the way back to the beginning of the year.
Doing business in California? CCPA enforcement is now on the table
Any company that does business in California or handles the personal information of its residents is now subject to CCPA enforcement as of July 1, though the terms of the new law went into effect on January 1 and violations may have accrued since then. Many organizations are running out of time to make necessary changes before they begin facing complaints and state scrutiny.
Though organizations have had since late 2018 to prepare, the Ethyca study finds that 56% of organizations surveyed do not feel that they are ready for either the CCPA or other new privacy regulations that are close to being enacted in other countries. The study surveyed 218 tech company General Counsels who are responsible for ensuring that their organizations are compliant with these measures.
The General Counsels reported that the leading reasons for non-compliance are lack of resources, budgetary allocations and inability to keep pace with increasingly complex requirements. Only 31% of respondents felt that they were fully prepared for CCPA enforcement.
57% of these organizations have committed to spending more on regulatory compliance this year, with only 6% reducing their budgets in this area. In spite of this, 43% of respondents said that preparedness for CCPA enforcement specifically was deprioritized due to the COVID-19 lockdown measures and workplace restrictions. 50% also have yet to appoint a Chief Privacy Officer or Chief Information Security Officer.
So why are so many businesses not yet ready to take CCPA enforcement seriously? The largest share, 44%, chalked it up to a simple lack of resources. 32% of respondents said that they were still trying to untangle complex privacy regulations as they relate to their companies. 9% said that upper executives had yet to be convinced to buy in, while 8% felt that they did not have enough qualified staff on hand to make the necessary changes.
What’s on the line for companies that are still struggling to catch up if CCPA enforcement comes for them? The system is complaint-based, and each data subject can potentially cost a company $2,500 for each unintentional violation or $7,500 for each intentional violation. Data breaches that involve thousands or millions of customers could be quite costly.
There are size limitations, of course; the CCPA applies to companies that either collect personal information from more than 50,000 individuals and unique devices each year, or simply have an annual gross revenue of at least $25 million. However, the size exemption ceases to apply if a company makes more than 50% of its annual revenue by selling the personal information of California residents.
Lack of preparedness
Ethyca points out…