As Deadline Looms, Most Companies Unprepared for California’s New Data Privacy Law

Karin Hildebrand Lau
March 22, 2019

With just nine months until California implements the strictest data privacy law in the nation, the vast majority of businesses operating in the state are not compliance ready, a new report found.

Researchers determined that just 14 percent of companies that collect consumer data from California residents are fully compliant with the California Consumer Privacy Act (CCPA), which was signed into law in June 2018 and gave companies until January 1, 2020, to comply. The report was published this month by TrustArc, a San Francisco-based privacy compliance firm.

Of the 86 percent of companies still working to comply, fewer than half have started implementing their compliance measures. Sixteen percent have not even begun planning their CCPA compliance procedures.

“Compliance can take a minimum of several months and a year or more for larger and more complex companies,” Dave Deasy, senior vice president of marketing at TrustArc, told Cheddar.

TrustArc surveyed 250 companies across sectors ranging from manufacturing to technology to financial services. The companies' sizes ranged from 500 employees to over 50,000.

Modeled in part after Europe's well-known General Data Protection Regulation (GDPR), which took effect last year, the CCPA is set to be the strongest online privacy law in the U.S. The new regulation will require businesses that collect data from California residents to give those consumers the option to opt out of the sale of their personal information. It also bars businesses from charging more or denying services to people who opt out. Moreover, the CCPA has an additional protection for minors, which prohibits companies from selling the personal data of consumers under 16 years of age without explicit consent. In essence, businesses must provide an opt-in option to minors rather than an opt-out.

Among other mandates, the law also requires companies to disclose what personal information was collected from consumers and, if sold, to whom.

As part of its compliance efforts, San Francisco-based Twitter launched the “Your Twitter Data” tool, which allows users to view and modify information that has been gathered from their accounts, “such as gender, age range, languages, and interests,” the company's data protection officer, Damien Kieran, told Congress last year. The tool also lets users review “advertisers who have included them in tailored audiences.”

The CCPA stemmed largely from high-profile data breaches and reports of improper use of personal data by some large technology companies, particularly Facebook. Incidents included the Equifax breach in 2017, which exposed the driver's license and Social Security numbers of millions of people, and the Cambridge Analytica scandal, in which it was revealed that personal Facebook data had been improperly shared with a political data analysis firm.

“Once again California is taking the lead in protecting consumers and holding bad actors accountable,” said State Sen. Bill Dodd (D) after the bill was unanimously passed by the state’s legislature and signed into law by then-Gov. Jerry Brown. Dodd introduced the CCPA with two other state lawmakers.

Once in effect, companies that violate the CCPA will be subject to lawsuits and face significant fines.

As businesses scramble to meet the January 1 deadline, TrustArc found that the cost of compliance is growing. Over 50 percent of companies plan to spend at least $100,000 on new compliance measures; another 20 percent expect to spend over $1 million.

However, the cost varies greatly depending on the type of company and what kind of data it collects, TrustArc says.

"Traditional manufacturing companies are not collecting and selling much personal information,” Deasy said. On the other hand, tech firms that collect troves of data, such as personal details, spending habits, and online search histories, face a far more daunting path to compliance.

The size of the company is another significant hurdle, or advantage, in getting CCPA compliant.

"Larger companies have a lot more to do, a lot more complexities to address," Deasy said. Smaller companies can more easily “build-in privacy by design."

However, companies with the greatest advantage are those already GDPR-compliant. The two laws are similar in many ways. Both, for example, mandate that consumers have the right to request their data be deleted, or, as the Europeans put it, the “right to be forgotten.”

“Companies that took the steps to comply with GDPR are already ahead of the game,” Chris Babel, CEO of TrustArc, said in a statement. “The companies that did not work on GDPR compliance will be under the gun.”

The two regulatory regimes differ largely in territorial scope and jurisdiction, as well as in their data classifications: the CCPA does not separately categorize sensitive personal information, whereas the GDPR specifically classifies, and absent narrow exceptions prohibits, the processing of data that reveals personal characteristics such as racial or ethnic origin, political opinions, religious beliefs, or sexual orientation, to name a few.

Another major difference, and a source of frustration for tech companies, is the timeline: the EU proposed and implemented the GDPR over more than five years, whereas the CCPA will have been passed and implemented in less than two.

As the 2020 deadline approaches, state officials are showing no signs of leniency. Just last month, state lawmakers introduced an amendment to the CCPA that would strengthen its enforcement mechanism.

The amendment expands consumers' right to personally sue companies that misuse their data; in the original bill, the private right of action was limited to data breaches, with other violations enforced through the state Attorney General's office. The update also removes the provision that originally gave noncompliant companies 30 days to remedy a violation before facing penalties.

This “will ensure that the most significant privacy protections in the nation are robustly enforced,” State Sen. Hannah-Beth Jackson (D), who co-sponsored the amendment, said in a statement.

A legislative spokeswoman told Cheddar the state’s Attorney General’s office has already started developing its enforcement strategy with additional funding added to its annual budget.

“California, the nation’s hub for innovation, has long led the way to protect consumers in the digital age. And as we work to strengthen data privacy law, the world is watching,” California Attorney General Xavier Becerra said in a statement.

“It’s essential that we get this right,” he added.