The California Consumer Privacy Act (CCPA) took effect at the beginning of this year. With it came more stringent privacy protections for California residents, as well as potential changes to the way businesses that operate in California or have customers there obtain and use personal data. But how prepared are companies for these changes? Here’s what a report from Egress Software Technologies and Osterman Research found.
In a survey fielded less than 3 months before the CCPA became enforceable, just 3 in 10 companies said they were currently compliant with the CCPA, while 18% said they would be compliant by the end of 2019. In other words, slightly fewer than half (48%) believed they would be compliant by the date that the regulation went into effect.
More than one-quarter (27%) indicated that they would be compliant with the new regulations sometime this year, and another 13% said they would be compliant sometime after 2020. However, 12% said they have no plans to be compliant with the CCPA, although this may be due to inapplicability to their business.
The level of readiness for the CCPA varies. Almost two-thirds (63%) of companies have conducted an audit to determine where all their corporate data is located, and 56% have either completed – or anticipated having completed by the end of 2019 – an audit of current data protection policies to ensure their compliance with the CCPA.
Not all the organizations surveyed are investing in making sure they are compliant: only 55% of the companies surveyed reported either having allocated a budget for CCPA or that they would have done so by the end of 2019.
Separately, only half (51%) of companies’ compliance and legal functions understand the importance of compliance with the CCPA, and even fewer (37%) respondents in senior management understand its importance. Indeed, only one-quarter (24%) of senior management report being very familiar with the key provisions of the CCPA.
This slowness in becoming compliant with data protection regulation is nothing new. Prior to GDPR going into effect at the end of May 2018, many US companies gave themselves a low rating on their compliance with the new regulations.
On the bright side, new data from the Winterberry Group shows that 56% of companies have strengthened and/or clarified their consumer opt-in policies and disclaimers in response to these new data privacy regulations, while more than two-fifths (43%) have revised their policies governing how they use and share data internally.