There is widespread business confusion and ignorance about the upcoming CCPA regulation

ESET polled 625 business owners and company executives to gauge business readiness for the upcoming California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020. The survey results underscore how unprepared businesses are for the upcoming regulation.

Key findings

72.6% of the polled individuals own or work at an organization that has up to 25 employees:

CCPA readiness

Almost half (44.2%) of all respondents have never heard of the CCPA, and only 11.8% of respondents know if the law applies to their business.


  • About a third (34%) of executives/owners say they don’t know if they will need to change how they capture, store and process data to comply. Another 22% say they “don’t care,” while 35.3% of respondents say nothing needs changing for CCPA compliance.
  • About a third (37.7%) of respondents are “very confident” they will have “reasonable security” in place per the CCPA requirement by January 1, 2020. Another third (33%) say they “don’t know.”
  • Slightly more than half (50.4%) of respondents indicated they did not modify their behavior or processes to bring their businesses into compliance with the General Data Protection Regulation (GDPR).

Some of these answers should not come as a surprise, as 40.7% of the respondents said they do not have a designated person at their business in charge of cybersecurity/privacy policies, and 17.9% said they do not know if the company has such a person.

Interesting results also came up when the pollees were questioned about whether they are relocating their business outside of California to avoid legislation: nearly 10 % of 494 respondents said they are:

CCPA readiness

The law gives Californians the right to sue businesses that are subject to CCPA when their personal information is compromised in a data breach. These businesses can be exposed to significant financial penalties if found in “violation of the duty to implement and maintain reasonable security procedures and practices.”

“It’s clear that businesses are confused about this upcoming regulation, they do not know whether they are subject to the law and what they need to do to become compliant,” said Tony Anscombe, global security evangelist and industry ambassador, ESET.

“This is a serious situation, as the penalties will be severe, and the financial harm could be grave to these firms. Businesses should particularly focus on the ‘reasonable security’ aspect of the law by ensuring they have stringent processes and practices in place, including strong endpoint protection and encryption, throughout their organization.”

Don't miss