TrustArc Blog

Compliance Report: New Research Measures Compliance Status and Plans for CCPA and GDPR (Part 1 of 3)

April 04, 2019

The European Union’s (EU) General Data Protection Regulation (GDPR) has been occupying the minds of privacy professionals for the past two years, and now attention is shifting to the California Consumer Privacy Act (CCPA). The CCPA is the toughest US privacy regulation to date and its impact will be felt by almost every organization that does business in California or handles personal information of California citizens.

To understand the readiness and plans for businesses to meet the January 1, 2020 deadline for the CCPA, Dimensional Research conducted this research among 250 US privacy professionals from Feb 15th – 27th, 2019. The online survey was fielded to IT and legal professionals at a fairly evenly mixed target group of small (500 to 1,000 employees), mid-sized (1,000 to 5,000 employees) and large (over 5,000 employees) companies. Half the companies were subject to both the GDPR and CCPA, and the other half were only subject to the CCPA. A total of 250 executives, team managers and individual team contributors from companies in the financial services, technology, manufacturing, business services, energy and utilities, healthcare and other key industries completed the survey. All respondents were from the US.

Some sample questions we set out to answer with the survey were: Approximately how much of your GDPR program do you expect to leverage for CCPA? What areas will your company be investing in to prepare for CCPA? How much does your company expect to invest in CCPA-related privacy compliance expenses in 2019? How is the need for technology and tools used to manage data privacy changing at your company?

In part one of this three-part blog post series, we will share highlights on the current state of CCPA compliance readiness:

Key Takeaway #1: Only 14% of companies report being CCPA compliant

The CCPA was signed on June 28, 2018, is effective January 1, 2020, and enforcement is slated to begin no later than July 1, 2020. It has many similarities to the GDPR, from its extraterritorial reach to its expansive rights for individuals, and will impact tens of thousands of businesses worldwide that have customers or employees located in California.

Businesses that have prepared to comply with GDPR by creating comprehensive data governance practices, records of processing, and individual rights procedures will have a head start. But, under the CCPA, all companies in scope will need to enhance their data management practices, expand their individual rights processes, and update their privacy policies by the January 1, 2020 effective date.

Of the 250 survey respondents, 50% were impacted by both the GDPR and CCPA, and 50% were impacted by only the CCPA. Results showed that 21% of respondents that have worked on GDPR compliance are ready for CCPA. However, out of the companies that haven’t worked with GDPR, only 6% are ready for CCPA. The overall compliance rate is currently 14%.

Download the full report here.

TrustArc has a comprehensive set of privacy management solutions to help you manage your data privacy management program. We have solutions to help you with all phases of CCPA and GDPR compliance. We can help you build a plan and processes; implement controls and tools; and manage and demonstrate ongoing compliance. Solutions include the TrustArc platform and consulting services. To learn more about how TrustArc solutions can help your company prepare for the CCPA, request a demo today!