The passing of the California Consumer Protection Act (CCPA), surprised many, even privacy professionals. Its quick journey into becoming a California law will have a far-reaching impact on many U.S. businesses. The CCPA wasn’t without issues, such as a number of drafting errors. Couple this with a possible federal mandate coming that could supersede this piece of state legislation, and you might understand why many organizations were dragging their feet at first in terms of compliance.
However, two dates loom large: January 1, 2020 and July 1, 2020.
The law takes effect on that first date, and the second date represents when that law becomes enforceable. With that in mind, organizations need to take CCPA seriously and get on board with compliance preparation. The IAPP and OneTrust decided to survey U.S. privacy professionals about CCPA and their findings were interesting, to say the least.
A LACK OF PREPAREDNESS
The IAPP had privacy professionals rank preparedness on a scale of 0 to 10; the average response was only 4.75. This paints a picture of more than half of organizations not being ready to implement the CCPA. Most organizations cited “a lack of time and bandwidth” followed by the “complexity of the law” as to why they aren’t as prepared as they should be. With the very public spotlight on privacy concerns and the inevitability of compliance, privacy professionals will have to find a way to overcome this lack of preparedness or risk damaging the reputations of their organizations.
reference featured image for CCPA compliance preparedness
Interestingly, some industries are faring better than others in terms of preparedness. For instance, professionals in the software and services industry in particular tend to rate their companies’ level of preparedness for the CCPA higher than average, while those who work in the banking industry tended to rate their companies’ CCPA preparedness slightly below average. Most organizations aren’t prepared to be compliant by the July 1st, 2020 enforcement date, but most plan on ramping up in the first half of 2020. It should come as no surprise that the organizations that are confident in their CCPA preparation were more likely to report compliance confidence by July 2020.
Lack of time, lack of budget, lack of knowledge (or training and tools), lack of internal support, and the complexity of the law were all outlined as obstacles privacy professional see to timely CCPA compliance. The new consumer privacy rights and the sheer scope of the CCPA had a lot of respondents feeling backed against the wall.
Compliance can impact reputation, and therefore brand equity. When asked about the factors motivating them, sanctions and enforcement were toward the bottom. Most cited their organization’s “reputation as the biggest motivator for complying with the new law, followed by the desire to protect consumer privacy.” IAPP’s findings here support the industry-wide notion that “privacy and data protection is central to the organization’s brand.”
One thing is startlingly clear based on IAPP’s findings: All that GDPR preparation paid off. Even though there are key differences, GDPR provided a roadmap for how organizations should approach compliance deadlines, especially since many of the obligations are similar (though not all). IAPP asked respondents to what extent GDPR preparation helped their ability to comply with CCPA. The findings were interesting:
It makes sense that the organizations that were compliant with GDPR would be better prepared for CCPA compliance. The same goes for those organizations that have low GDPR compliance being less prepared to meet the 2020 compliance deadlines for CCPA.
CCPA compliance deadlines are right around the corner, and most privacy professionals and organizations feel woefully underprepared. The reasons range from a lack of time and bandwidth all the way though legal complexity. But the early steps in CCPA compliance are actually the same ones that organizations must undertake when rolling out IG programs, that is, they must conduct an inventory of their information assets, and create a data map of where all information is stored. So good IG practices form the foundation for good privacy compliance practices. It’s important to remember that CCPA is here to protect consumers, and organizations have a responsibility to comply; otherwise, their reputation could take a hit.
Good IG practices form the foundation for good privacy compliance practices.
GDPR served as groundwork for compliance (given that there are similar obligations involved), but organizations need to understand the similarities and differences in order to leverage anything they gained from GDPR compliance. In the end, CCPA represents a sea change for U.S. consumer privacy, and we’re all going to be better for it: consumers gain more control over their personally identifiable information (PII), and IG and privacy professionals get to put their skills to work.