A new survey has found that only 14% of companies subject to looming California Consumer Privacy Act regulation consider themselves fully compliant, yet the majority (84%) said they had started the compliance process and 56% said they were in the process of implementation.
TrustArc, the company behind TRUSTe certification, commissioned a survey of IT and legal professionals at 250 companies from a range of industries. Half of the firms were impacted by GDPR and CCPA, while 50% were only subject to CCPA.
Also interesting: asked how much they expected to spend on CCPA compliance, 71% of respondents said their spending would exceed $100,000; 39% said it would be more than $500,000 and 19% said it would be more than $1 million. The top areas of investment were technology and tools (72%), consultants (61%), lawyers (55%) and internal hiring (45%).
This week marks the one-year anniversary of GDPR, which is increasingly the model for data privacy laws around the world. In California, there are efforts to make CCPA more like GDPR, even as pro-business factions seek to weaken it. CCPA is currently scheduled to take effect on January 1, 2020.
The market a bigger motivator than the law. Perhaps the most interesting finding of the survey was that the primary motivation for “investing in CCPA compliance” was not to avoid liability and legal sanctions. It was meeting customer and partner expectations, which is indirectly about liability and sanctions. Still, the concern is that business will be lost if these firms aren’t in compliance. In other words, the market is already starting to enforce the new privacy rules.
Why we should care. These results, if they can be generalized, indicate that most companies are aware of CCPA and are somewhere on the compliance spectrum. This is encouraging despite the uncertainty surrounding what the specific requirements will be and the lobbying to both strengthen and weaken the law.
It’s highly unlikely that Congress will pass any privacy legislation before 2020 that will pre-empt the California law. Accordingly, companies from Washington to Florida will need to get ready to comply with the new privacy and data protection framework under CCPA.