In July, I discussed one of the first U.S. responses to GDPR, the California Consumer Privacy Act (CCPA), which is supposed to go into effect Jan. 1, 2020. Tech companies oppose the law and are fighting to get it changed. And based on a new survey from PwC, I bet there are a lot of companies out there that would like to see the tech companies get their way. According to the survey, only half of companies expect they’ll be compliant with the new law when it takes effect in 15 months.
When CCPA and other data privacy laws were introduced and discussed, many security and privacy experts told me that this was a logical next step in a post-GDPR world. Being prepared for GDPR will set the foundation for other data privacy laws. However, there are differences GDPR and CCPA, with standards that are very specific to CCPA, noted Erik Archer Smith, marketing director, ABM at Arm Treasure Data, in an article in IT Business Edge. For example, CCPA will require specific communication channels that will allow California residents to get information about their data, and the law extends the definition of personal data beyond GDPR’s definition. So yes, to be compliant in California is going to require extra work beyond EU compliance.
Not Every Industry Impacted by GDPR
Still, GDPR has provided many organizations with a head start toward CCPA. But not every industry had to meet GDPR regulations, and these industries are now the ones that admit they’ll have the greatest challenges in meeting CCPA. Only 46 percent of retail organizations believe they’ll be ready for CCPA, according to the PwC report. “Confidence in meeting the deadline is similarly lacking in the industrial products (44 percent) and health (47 percent) sectors,” noted the report.
On the other hand, the financial industry and tech and media organizations appear to be best-equipped to meet the deadline, but even these industries don’t hit more than 58 percent in their level of confidence.
Not Enough Time
Not having to do much preparation for GDPR compliance is just one—and perhaps a minor—reason why so many organizations claim they won’t be ready for CCPA. Mostly, it’s a matter of time. With GDPR, businesses had two years to work on compliance, but long before that, the EU had a data protection directive already in place.
CCPA, on the other hand, was pretty much thrown together, passed through California’s legislature in speed unheard of in government, as a way to thwart attempts to put privacy on the November ballot. Businesses have fewer than 18 months to become compliant, and then there is a very short grace period after the Jan. 1 start date. “Six months later — after the state attorney general clarifies certain outstanding issues — enforcement is scheduled to begin,” the PwC report stated. “That does not amount to a grace period, however, because the state is not prohibited from later bringing enforcement actions from instances of noncompliance during those first six months.”
This short time frame to meet the law’s requirements and the minimal grace period for enforcement has turned CCPA into a top business priority for 86 percent of organizations, with the retail industry making an even bigger push.
The reasons for the push come down to money. The penalties of not being compliant is $750 per consumer/incident or actual damages, whichever is greater. In most cases, this will work out to be much less than a GDPR fine, but as Lexology pointed out, “keep in mind that the EU does not allow collective, or class, actions. A class of 1 million people under the CCPA would equal $750,000,000 in potential exposure.”
California’s governor did sign a bill in late September that added amendments to the original CCPA passed in June (one of these amendments added the six-month grace period). Expect that more tinkering will be done with the law before the Jan. 1, 2020, deadline.
Yes, this is California’s law, but as Bruce Schneier stated during SpiceWorld 2018, a privacy law in one state is going to affect everyone across the country.
“More than three-quarters of respondents to our survey say they collect personal information on California residents,” MediaPost quoted the PwC report, agreeing with Schneier. “Many are considering whether to extend CCPA’s rights to all of their U.S. employees and consumers for operational simplicity and long-term readiness for potential federal privacy legislation.”
If businesses aren’t ready for CCPA, it is going to end up affecting all of us, in one way or another.