With the California Consumer Privacy Act (CCPA) having recently gone into effect, we wanted to understand the state of preparedness among organizations subject to the CCPA. How far along are organizations in their preparation process? What work remains to be done? Whom are they turning to for help to achieve full compliance, and how much do organizations believe CCPA compliance will cost?
We conducted a survey in November 2019 to understand the state of CCPA preparedness a month before the law went into effect. We collected 376 responses from U.S.-based professionals who make decisions on matters of data privacy, IT security, and compliance for their organizations. These responses came from individuals who reported that their organization is absolutely subject to the CCPA as well as individuals who reported that their organization is most likely subject to the CCPA. Just over a third of all respondents (36 percent) were from organizations in the technology industry. Other well-represented industries include manufacturing, financial services, retail, and healthcare.
In this article, we dive into what we learned through the survey.
The California Consumer Privacy Act (CCPA), which was signed into law on June 28, 2018 and went into effect on Jan. 1, 2020, requires many businesses to implement a number of new security and privacy policies and procedures to protect the personal information of California residents.
The intentions of the law are to provide California residents with the right to know what personal data is being collected about them, know whether their personal data is sold or disclosed and to whom, say no to the sale of personal data, access their personal data, request that a business delete their personal data, and not be discriminated against for exercising their privacy rights.
An organization is legally required to comply with the CCPA if the firm does business in California and satisfies at least one of the following criteria:
- Generates $25 million USD or more in annual revenue;
- Buys or sells the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
A for-profit business that does business in California and meets at least one of these thresholds is subject to the CCPA regardless of where its offices are located. The statute’s definition of “business” is limited to entities operated for the profit or financial benefit of their owners, so nonprofits are generally outside its direct scope.
For many organizations, becoming compliant with CCPA will require heavy lifting from an operational process standpoint. Organizations will need to take the following steps:
- Build or update a data inventory of all the personal information they collect
- Review and update vendor/third party provider contracts to make sure vendors have CCPA-compliant security practices and privacy policies
- Develop a process for responding to consumer requests
- Have an internal process in place to find consumer information and ensure hard deletes of that information when requested by consumers
- Train employees on CCPA compliance
- Document their compliance efforts in the event of an investigation
The CCPA is projected to be costly to businesses. One economic impact study prepared for the California state attorney general by independent economic research firm Berkeley Economic Advising and Research found that the initial cost of compliance for businesses can be as high as 55 billion USD.
Although becoming compliant with the CCPA may be costly and cumbersome, the cost of non-compliance may be far steeper. On the enforcement side, the Attorney General can seek civil penalties of up to $2,500 per violation, rising to a maximum of $7,500 per violation when the violation is intentional. Note that the penalty is assessed per violation, not per user.
To illustrate the scale, consider the possible effect on Facebook, whose Cambridge Analytica scandal was one of the motivations behind the citizens’ initiative that inspired the CCPA. Based on publicly available data and some estimation, Facebook has roughly 24.6 million users in California. If each affected user were counted as one violation, Facebook could face a rough maximum penalty of $61.6 billion for an unintentional violation and up to $184.7 billion for an intentional one.
Potentially the largest financial exposure for businesses, however, is the CCPA’s private right of action. A consumer whose “nonencrypted and nonredacted personal information” is breached because the business failed to implement and maintain reasonable security procedures can sue the business directly. The consumer can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater, and statutory damages do not require the consumer to prove concrete harm. Encryption and redaction of stored personal information therefore directly reduce this exposure.
The State of CCPA Preparedness: Survey Findings
Are Organizations Ready Yet?
As of December 1, 2019, just a month out from the effective date, the vast majority of survey respondents (91 percent) reported that they had not completed the work required to be in compliance with the CCPA. In fact, the most common response among those surveyed was that their organization had just begun to assess how CCPA requirements will affect their business (34 percent). Meanwhile, 15 percent of all surveyed organizations had not yet started any CCPA work.
When we looked at the responses by organization size, we found that the largest organizations tended to be further along in their compliance journey than smaller organizations.
So, it’s clear that most organizations still have a ways to go before their operations are in full compliance with the law. When do organizations expect to be in full compliance? How many organizations will not be ready before the effective date (Jan. 1, 2020)?
In our study, we found that 52 percent of all surveyed organizations reported that they do not expect to be in full compliance with the CCPA before the effective date of Jan. 1, 2020.
For the CCPA, organizations do receive a small break: enforcement by the Attorney General does not start on the effective date (Jan. 1, 2020). An amendment to the legislation delayed AG enforcement by up to six months. Instead of starting on January 1, 2020, CCPA enforcement by the AG begins six months after the AG publishes the final regulations, but in no event later than July 1, 2020. At the time of this writing, legal experts anticipate that CCPA enforcement is likely to begin no later than April 2020. Note that this delay applies only to AG enforcement; the private right of action for data breaches is available to consumers from the effective date.
It seems that many organizations are banking on this delay. In fact, the largest proportion of all those surveyed (38 percent) said they expect to become fully compliant at some point between January 1st, 2020 and July 1, 2020. Large organizations (1000 to 2499 employees) were more likely to select this option compared to midsize (250-999 employees) and small (under 250 employees) organizations.
Meanwhile, 30 percent of all respondents reported they expect their organization to be in full compliance with the CCPA before January 1, 2020. Given that 91 percent of all survey respondents haven’t completed all the CCPA-related work streams as of December 1, 2019, it means that many organizations were scrambling in the month of December to get things done.
How Long Does It Take Organizations to Become Fully Compliant With the CCPA?
For organizations that haven’t had to comply with the GDPR, getting ready for CCPA compliance requires a lot of heavy lifting. We asked respondents to give us their best estimate on how long it takes for their organization to become CCPA-compliant, from when they started analyzing the impact of the regulation all the way to meeting all obligations.
The most common response from surveyed organizations was between three and six months (39 percent). The second most common response was between six and nine months (30 percent).
One in five respondents said they were able to meet CCPA’s requirements in under 3 months; this is likely because these organizations had already done the heavy lifting to get ready for compliance with the GDPR.
On the other end of the spectrum, one in twenty respondents said that CCPA readiness process was expected to take their organization more than a full year.
How Much Will Maintaining Compliance Cost?
We asked respondents to give us their best estimate on how much it will cost their organization to maintain compliance with the CCPA on an annual basis.
40 percent of all respondents estimated the cost of CCPA compliance on an annual basis at somewhere between half a million and one million U.S. dollars.
This was the most common response. However, there are variations when we looked at responses by org size. At a high level, spending goes up as an organization gets bigger.
For small organizations (under 250 employees), the most common estimate (selected by 34 percent of respondents) was between $100,000 and half a million USD, followed closely by between half a million and one million USD (32 percent). Another quarter of respondents in the small segment estimated the cost at under $100,000.
Meanwhile, midsize and large organizations are more likely to estimate a higher spend. Close to half of all midsize organizations (45 percent) and 38 percent of large organizations (1000 to 2499 employees) estimated their annual CCPA compliance cost at between half a million and one million USD.
At the aggregate level, just two percent of all respondents estimated a figure of more than five million USD; that figure rises to six percent for enterprises (2,500 or more employees).
Who Is Helping Organizations Achieve Compliance With the CCPA?
Nearly three-quarters of all respondents (72 percent) said they rely on in-house staff with compliance and IT expertise to achieve CCPA compliance. This figure is lower for respondents in the small segment (under 250 employees) and significantly higher for large (1000-2499 employees) and enterprise (2500+ employees) organizations.
The use of external consultancies is also fairly common: 47 percent of respondents reported using external advisors, and we did not find significant differences by organization size on this point. Close to half of all respondents also rely on an in-house legal team (although this practice is less common among small organizations). Meanwhile, just under a quarter of all respondents reported relying on an external legal team, and one in five reported relying on privacy and compliance vendors.
The Importance of Documenting Compliance Efforts
By the time a firm has done everything required to protect consumers’ personal data and process consumer requests, its compliance leaders may be tempted to move on to the next thing. However, to be prepared to avoid the fines and penalties of non-compliance, it is important to take the time to thoroughly document all CCPA preparation activities and to have a system in place to retrieve those records quickly.
The CCPA distinguishes between intentional and unintentional non-compliance. Intentional violations carry a higher maximum penalty: $7,500 per violation versus $2,500 per violation for unintentional non-compliance. Being able to quickly demonstrate a good-faith compliance program can save your business a significant sum if it is investigated by the California Attorney General and found to be in violation.
Hyperproof helps you demonstrate compliance with the CCPA
Hyperproof has built compliance software that provides a central, secure place to capture everything your organization has done or is currently doing to comply with CCPA requirements, so that if the California Attorney General decided to investigate your company, you would have all the evidence of your compliance efforts at your fingertips.
Hyperproof has also collaborated with data privacy compliance experts to create a CCPA starter template. This template comes with requisite requirements and illustrative controls designed to address the requirements — so organizations have a blueprint to jumpstart their implementation process.
If your organization only needs to comply with the CCPA, it may not be all that difficult to keep track of your compliance activities in spreadsheets and file storage systems (e.g., OneDrive, Google Drive). However, if your business operates in multiple states or multiple regions of the world, it will be much harder to keep all of your compliance requirements and internal compliance activities straight.
The reality is, many companies today not only have to deal with multiple data privacy laws in different areas in which they operate, but they also have to maintain certain voluntary standards like SOC 2 and ISO 27001 to do business with their customers. When businesses reach this scale, it becomes critical to have an efficient system to manage your compliance activities — and that’s what Hyperproof provides.
376 respondents answered this survey. All of these respondents said their organization is either absolutely subject to the CCPA or most likely subject to the CCPA.
We defined organizational sizes for comparison as follows: Small (50 to 249 employees), Mid (250 to 999 employees), Large (1000 to 2499 employees), and Enterprise (2500 or more employees). We deliberately excluded organizations with less than 50 employees because we felt that respondents from the smallest organizations would not be as knowledgeable about compliance as respondents from larger organizations, simply because organizations generally wait to invest in compliance until they’ve become viable businesses.
Nineteen percent of all respondents come from Small organizations. Forty-seven percent reflect Midsize organizations. Twenty-one percent of respondents come from Large organizations, and 13 percent come from Enterprise organizations.
All respondents came from organizations with U.S.-based headquarters. Organizations with both single and multiple locations were represented.
The top industry represented in the survey is the Technology industry, with 36 percent of total respondents identifying as coming from the tech sector. Other well-represented industries include Manufacturing (13 percent), Financial Services (12 percent) and Retail (8 percent). We had some representation from Business Services (6 percent) and Education (5 percent). The remaining respondents came from Government, Advertising, Automotive, Hospitality, Transportation, eCommerce, Utilities, and Insurance.
The most common job level respondents identified with is the director level (34 percent). Thirty-two percent of respondents identified as a C-suite executive. Seven percent of respondents identified as the CEO/president of their firm. The rest identified as SVP level, Manager level or as specialists.
Forty-eight percent of all respondents identified their primary job function as Information Technology. Twenty percent identified as Management. Sixteen percent identified their primary job function as IT Audit/IT compliance; 6 percent selected Information Security. The rest selected other functions including HR Operations, Legal, or Risk Management.
Decision-Making Regarding Data Security and Data Privacy Compliance
Seventy-eight percent of all respondents said they are directly involved in decisions regarding data security and data privacy compliance. Twenty percent said they are knowledgeable enough to understand the requirements and needs regarding data security and data privacy for their organization. Two percent of respondents said they are involved in maintaining and managing data security and privacy compliance but do not make decisions regarding either.
Roles in Security, Privacy, and Compliance
Sixty-six percent of all respondents said they are the sole decision-maker in decisions regarding data security and data privacy compliance for their organization. Twenty percent said they are one of the decision-makers within their organization; 12 percent said they are part of a team or committee, and 2 percent said they gather information and provide research regarding data security and data privacy compliance.
The post Survey Findings: Most Organizations Are Still Not Ready For the CCPA appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Jingcong Zhao. Read the original post at: https://hyperproof.io/ccpa-readiness-survey-findings/