While reputation and consumer privacy are the biggest drivers for CCPA compliance, only 55% of companies plan to be ready by the law’s Jan. 1, 2020 effective date, according to the OneTrust and the IAPP research.
The CCPA is the first of its kind U.S. consumer privacy law which broadly expands the data protection and privacy rights of California residents. The law, inspired by the EU’s General Data Protection Regulation (GDPR), requires organizations that do businesses in the state to undertake significant operational reform to meet the increased obligations of handling California consumer personal data.
In the first of three planned reports this year to assess CCPA readiness overtime, the OneTrust-IAPP research revealed most organizations still have a long way to go toward compliance.
Key findings from the research found:
- Only 55% of those surveyed plan to be ready for the CCPA by its enforcement date: Jan. 1, 2020. Another 25% plan to be ready by July 1, 2020, the date California will begin enforcement actions.
- The biggest reason organizations are underprepared is due to a lack of time, whereas the biggest motivator for compliance is company reputation.
- GDPR readiness is paying off: companies with a “high” level of GDPR compliance have early target dates for CCPA compliance (59% will be ready by Jan. 1), while none of the organizations that report “low” GDPR compliance plan to be ready by this same date.
- Federal preemption is unlikely: 47% of those surveyed believe a federal privacy law that preempts the CCPA will not be passed by Congress over the next year or two.
Given the haste with which the CCPA became law, as well as a number of drafting errors, many organizations seem to have taken a wait-and-see approach to compliance. But now, with the law taking effect Jan. 1, 2020, and becoming enforceable July 1, 2020, it is clearly time for organizations to take a closer look at the CCPA and begin preparing toward compliance.
“The CCPA is a major moment for the U.S. privacy landscape and our research reveals companies that didn’t need to overhaul privacy practices for GDPR compliance are now struggling to meet the CCPA’s 2020 deadline,” said Kabir Barday, OneTrust CEO and Fellow of Information Privacy (FIP).
“Our survey targeted a community of well-informed privacy professionals, and even they seem a bit caught off guard by the CCPA,” said Rita Heimes, IAPP Research Director and Data Protection Officer. “Nevertheless, they seem to think it’s not likely to be replaced by a federal law any time soon.”