With just six weeks to go before the new California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, a surprisingly large percentage of companies are still not ready to handle the compliance demands of the new data privacy regulation. According to a study of 85 companies by New York-based data privacy technology company Ethyca, only 12% of companies have reached an “adequate state of compliance” ahead of the new data privacy regulation taking effect. Moreover, nearly four in ten companies (38%) need at least 12 months to become compliant. With the state attorney general’s office in California suggesting that enforcement actions will begin immediately, that could present a number of problems for compliance laggards.
How companies are responding to the new CCPA data privacy regulation
More than 18 months after the passage of the European General Data Protection Regulation (GDPR), the prevailing sentiment had been that most companies would be prepared for the compliance demands of the CCPA. After all, the California legislation closely adheres to the basic framework of the GDPR, and data privacy issues have been front and center in the media for the past 18 months as well, so the passage of the CCPA is not catching anyone by surprise. Add in the fact that some of the most famous tech companies in the world are based in California, and one might assume that the CCPA would involve just a few incremental changes by companies in order to be fully compliant by the January 1, 2020 deadline.
However, that’s hardly the case. According to Ethyca, more than 70% of companies have not built any sort of engineering solution for policy compliance. Instead, they are retrofitting old processes or asking employees to put in more hours to ensure compliance in how they collect and store personal information. Moreover, 75% of the companies surveyed by Ethyca are using an entirely manual approach to data privacy, and none of the companies rely fully on software-based solutions. Instead, the preferred option appears to be cobbling together a mix of legacy software and manual processes. That exposes these companies to regulatory risk, especially if these compliance solutions are not up and running by early 2020.
The changing regulatory risk landscape
So just how concerned should these companies be that they are running out of time to be fully CCPA-compliant? Cillian Kieran, the CEO of Ethyca, acknowledges that getting up to speed can take a lot longer than originally anticipated, even for the best companies: “Regulatory compliance in any domain doesn’t happen the moment legislation comes into effect.” As Kieran sees it, enforcement will build over time, leading to a period of “active maturity.” Thus, right out of the gate, companies may not have to worry too much about enforcement actions. After all, the experience with the European GDPR has been that it takes at least six months before regulators start to look deeply into cases, and about nine to twelve months before serious, attention-getting fines start being handed out.
As Ethyca also points out in its data privacy report (“2019 Privacy Analysis: Approaches to Data Privacy Compliance”), there is no single solution to regulatory compliance being used by companies. In fact, Ethyca acknowledges that all 85 companies it surveyed appeared to be using different approaches and different solutions to meet the demands of the CCPA data privacy regulation. In part, that’s what makes the report an interesting read – for every approach, there are tradeoffs and obstacles, and companies must do the best they can to navigate the regulatory minefield.
That being said, the new CCPA is hardly the only data privacy regulation that companies need to be monitoring. In the report, Ethyca notes that “the world has changed,” and that there are plenty of other data privacy regulations appearing around the world. On a world map, Ethyca highlights a confusing alphabet soup of data privacy regulations, including PIPEDA, POPI, PPB, APPI and APP. Too many companies, says Ethyca, are thinking only in terms of the United States and the European Union, when they should be taking a much more global approach to data privacy laws. Moreover, if the U.S. enacts a privacy law at the federal level, that would be a game-changer for how companies think about data security.