Guide
California Consumer Privacy Act: The State of Readiness
Survey Findings as of December 2019
Introduction
The California Consumer Privacy Act (CCPA), which was signed into law on June 28, 2018 and went into effect on Jan. 1, 2020, requires many businesses to implement a number of new security policies and procedures to protect the personal information of California residents.
The intentions of the law are to provide California residents with the right to know what personal data is being collected about them, know whether their personal data is sold or disclosed and to whom, say no to the sale of personal data, access their personal data, request that a business delete their personal data, and not be discriminated against for exercising their privacy rights.
An organization is legally required to comply with the CCPA if the firm does business in California and satisfies at least one of the following criteria:
A business (including nonprofit entities) is subject to the CCPA if it meets the above thresholds, regardless of where its offices are located.
For many organizations, becoming compliant with CCPA will require heavy lifting from an operational process standpoint. Organizations will need to take the following steps:
The CCPA is projected to be costly to businesses. One economic impact study prepared for the California state attorney general by independent economic research firm Berkeley Economic Advising and Research found that the initial cost of compliance for businesses can be as high as $55 billion USD.
Although becoming compliant with the CCPA may be costly and cumbersome, the costs of noncompliance may be much steeper. As for fines and enforcement, the maximum penalty of the CCPA is $7,500 per user and is reserved for only intentional violations of the CCPA. Other violations lacking intent are going to remain subject to the preset $2,500 maximum fine per user.
To illustrate the penalties, consider its possible effect on Facebook, whose Cambridge Analytica scandal was one of the motivations of the citizens’ initiative inspiring the CCPA. According to some publicly available data and some estimation, Facebook has approximately 24.6 million users in California. Using this number, were Facebook found to have violated the CCPA, it could face a rough full maximum penalty of $61.6 billion for an unintentional violation affecting each of its users and up to $184.7 billion for an intentional violation.
The largest financial impact on businesses is the CCPA’s provision granting consumers the right to bring lawsuits. These may arise from instances where their “non-encrypted or nonredacted personal information” is breached, regardless of the harm caused. Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, then the consumer may receive even more.
Survey Findings
The State of CCPA Preparedness
With the law having recently gone into effect, we wanted to understand the state of readiness among organizations subject to the CCPA. How far along are organizations in their preparation process? What work remains to be done? Whom are they turning to for help to achieve full compliance, and how much do organizations believe CCPA compliance will cost?
In this survey, we sought to understand the state of CCPA preparedness as of December 2019, a month before the law went into effect.
Hyperproof fielded this survey in November of 2019. We collected 376 responses from U.S.-based professionals who make decisions on matters of data privacy, IT security, and compliance for their organizations. These responses came from individuals who reported that their organization is absolutely subject to the CCPA as well as individuals who reported that their organization is most likely subject to the CCPA. Just under a third of all respondents were from organizations in the technology industry. Other well-represented industries include financial services, manufacturing, retail, and healthcare.
Are organizations ready yet?
As of December 1, 2019, the vast majority of survey respondents (91%) reported that they have not completed the work required to be in compliance with the CCPA. In fact, the most common response among those surveyed was that their organization has just begun to assess how CCPA requirements will affect their business (34%). Meanwhile, 15% of all surveyed organizations are still sitting on the sidelines.
When we looked at the responses by organization size, we found that the largest organizations tended to be further along in their compliance journey than smaller organizations.
So, it’s clear that most organizations still have a ways to go before their operations are in full compliance with the law. When do organizations expect to be in full compliance? How many organizations will not be ready before the effective date (Jan. 1, 2020)?
In our study, 52% of all surveyed organizations reported that they do not expect to be in full compliance with the CCPA before the effective date of Jan. 1, 2020.
For the CCPA, organizations do receive a small break, as enforcement by the Attorney General will not start on the effective date (Jan. 1, 2020). An amendment to the legislation made in 2019 delayed enforcement by up to six months. Instead of starting on January 1, 2020, CCPA enforcement will begin six months from the date the AG issues the final regulations, although in no event later than July 1, 2020. At the time of this writing, legal experts anticipate that CCPA enforcement is likely to start no later than April 2020.
It seems that many organizations are banking on this delay. In fact, the largest proportion of all those surveyed (38 percent) said they expect to become fully compliant at some point between January 1st, 2020 and July 1, 2020.
Large organizations (1,000 to 2,499 employees) were more likely to select this option compared to midsize (250-999 employees) and small (under 250 employees) organizations. Meanwhile, 30 percent of all respondents reported they expect their organization to be in full compliance with the CCPA before January 1, 2020. Given that 91 percent of all survey respondents hadn’t completed all the CCPA-related work streams as of December 1, 2019, this means that many organizations were scrambling in the month of December to get things done.
How long does it take organizations to become fully compliant with the CCPA?
For organizations that haven’t had to comply with the GDPR, getting ready for CCPA compliance requires a lot of heavy lifting. We asked respondents to give us their best estimate on how long it takes for their organization to become CCPA compliant, from when they started analyzing the impact of the regulation all the way to meeting all obligations.
The common response from surveyed organizations was between three to six months (39%). The second most common response was between six to nine months (30%).
One in five respondents said they were able to meet CCPA’s requirements in under three months; this is likely because these organizations had already done the heavy lifting to get ready for compliance with the GDPR.
On the other end of the spectrum, one in twenty respondents said that the CCPA readiness process was expected to take their organization more than a full year.
How much will maintaining compliance cost?
We asked respondents to give us their best estimate on how much it will cost their organization to maintain compliance with the CCPA on an annual basis.
40% of all respondents estimated the annual cost of CCPA compliance at somewhere between $500,000 and $1 million. This was the most common response. However, there are variations when we looked at responses by organization size. At a high level, spending goes up as an organization gets bigger.
For small organizations (under 250 employees), the most common estimate (selected by 34% of respondents) was between $100,000 and one million USD. This was followed closely by an estimate of between half a million and one million USD (32%). Another quarter of respondents in the small segment estimated the cost at under $100,000.
Meanwhile, midsize and large organizations are more likely to estimate a higher spend. Close to half of all midsize organizations (45%) and 38% of large organizations (1,000 to 2,499 employees) estimated their CCPA compliance cost on an annual basis at somewhere between half a million and one million.
At the aggregate level, just 2% of all respondents guessed a figure of more than five million US dollars; however, that figure rises to 6% for enterprises (more than 2,500 employees).
Who is helping organizations achieve compliance with the CCPA?
Nearly three-quarters of all respondents (72%) said they rely on in-house staff with compliance and IT expertise to achieve CCPA compliance. However, this figure is lower for respondents in the small segment (under 250 employees) and significantly higher for large (1,000-2,499 employees) and enterprise (2,500+ employees) organizations.
The use of external consultancies is also fairly common: 47% of respondents reported using external advisors. We did not find significant differences by organization size when it came to the use of external consultants. Close to half of all respondents also rely on an in-house legal team (although this practice is less common among small organizations). Meanwhile, just under a quarter of all respondents reported relying on an external legal team, and one in five reported relying on privacy and compliance vendors.
The Importance Of Documenting Compliance Efforts
By the time a firm has done everything that’s required to ensure the protection of consumers’ personal data and to process consumer requests, its compliance leaders may be tempted to move on to the next thing. However, to be fully prepared to avoid the fines and penalties of non-compliance, it is important to take the time to thoroughly document all CCPA preparation activities and to have a system in place to retrieve these compliance documents quickly.
The CCPA makes a clear distinction between willful non-compliance and unintentional non-compliance. Those who are found to be willfully negligent will pay a higher penalty: $7,500 per violation per user vs. $2,500 per violation in unintentional noncompliance cases. Being able to quickly demonstrate compliance can save your business a significant sum of money if it were found to be in violation and investigated by the California Attorney General.
Hyperproof helps you demonstrate compliance with the CCPA
Hyperproof has built compliance software that provides a central, secure place to capture everything your organization has done or is currently doing to comply with CCPA requirements so that if the California AG decided to investigate your company, you would have all the evidence of your compliance efforts at your fingertips. Hyperproof has also collaborated with data privacy compliance experts to create a CCPA starter template. This template comes with requisite requirements and illustrative controls designed to address the requirements so organizations have a blueprint to jumpstart their implementation process.
If your organization only needs to comply with the CCPA, it may not be all that difficult to keep track of your compliance activities in spreadsheets and file storage systems (e.g., OneDrive, G-Drive). However, if your business operates in multiple states or multiple regions of the world, it will be much harder to keep all of your compliance requirements and internal compliance activities straight.
The reality is that many companies today not only have to deal with multiple data privacy laws in the different areas in which they operate, but they also have to maintain certain voluntary standards like SOC 2® and ISO 27001 to do business with their customers. When businesses reach this scale, it becomes critical to have an efficient system to manage compliance activities, and that’s what Hyperproof provides.
Survey methodology
376 respondents answered this survey. All of these respondents said their organization is either absolutely subject to the CCPA or most likely subject to the CCPA.
Organization size
We defined organizational sizes for comparison as follows: Small (50 to 249 employees), Mid (250 to 999 employees), Large (1,000 to 2,499 employees), and Enterprise (2,500 or more employees). We deliberately excluded organizations with fewer than 50 employees because we felt that respondents from the smallest organizations would not be as knowledgeable about compliance as respondents from larger organizations, simply because organizations generally wait to invest in compliance until they’ve become viable businesses.
19% of all respondents come from Small organizations. 47% reflect Midsize organizations. 41% of respondents come from Large organizations, and 13% come from Enterprise organizations.
Location
All respondents came from organizations with U.S.-based headquarters. Organizations with both single and multiple locations were represented.
Industry
The top industry represented in the survey is the Technology industry, with 36% of total respondents identifying as coming from the tech sector. Other well-represented industries include Manufacturing (13%), Financial Services (12%) and Retail (8%). We had some representation from Business Services (6%) and Education (5%). The remaining respondents came from Government, Advertising, Automotive, Hospitality, Transportation, eCommerce, Utilities, and Insurance.
Job Level
The most common job level respondents identified with is the director level (34%). 32% of respondents identified as a C-suite executive. 7% of respondents identified as the CEO/president of their firm. The rest identified as SVP level, Manager level or as specialists.
Job Function
48% of all respondents identified their primary job function as Information Technology. 20% identified as Management. 16% identified their primary job function as IT Audit/IT Compliance; 6% selected Information Security. The rest selected other functions including HR Operations, Legal, or Risk Management.
Decision-making regarding data security and data privacy compliance
78% of all respondents said they are directly involved in decisions regarding data security and data privacy compliance. 20% said they are knowledgeable enough to understand the requirements and needs regarding data security and data privacy for their organization. 2% of respondents said they are involved in maintaining and managing data security and privacy compliance but do not make decisions regarding either.
Roles in security, privacy, and compliance
66% of all respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. 20% said they are one of the decision-makers within their organization; 12% said they are part of a team or committee, and 2% said they gather information and provide research regarding data security and data privacy compliance.