With just nine months until California implements the strictest data privacy law in the nation, the vast majority of businesses operating in the state are not compliance ready, a new report found.

Researchers determined that just 14 percent of companies that collect consumer data from California residents are fully compliant with the California Consumer Privacy Act (CCPA), which was signed into law in June 2018 and gave companies until January 1, 2020, to comply. The report was published this month by TrustArc, a San Francisco-based privacy compliance firm.

Of the 86 percent of companies still working to comply, less than half have started implementing their compliance measures. Sixteen percent have not even started to plan their CCPA compliance procedures.

“Compliance can take a minimum of several months and a year or more for larger and more complex companies,” Dave Deasy, senior vice president of marketing at TrustArc, told Cheddar.

TrustArc surveyed 250 companies across various sectors ranging from manufacturing to technology to financial services. The companies sizes ranged from 500 employees to over 50,000.

Modeled in part after Europe's well-known General Data Protection Regulation (GDPR), which was implemented last year, the CCPA is set to be strongest online privacy law in the U.S. The new regulation will require businesses that collect data from California residents to provide those customers with the option to opt-out of having their information saved. It also bans businesses from charging more or denying services to people who opt-out. Moreover, CCPA has an additional protection for minors, which prohibits companies from selling personal data from consumers under 16 years of age without explicit consent. In essence, businesses must provide an opt-in option to minors rather than an opt-out.

Among other mandates, the law also requires companies to disclose what personal information was collected from consumers and, if sold, to whom.

As part of its compliance efforts, San Francisco-based Twitter launched the “Your Twitter Data” tool, which allows users to view and modify information that has been gathered from their accounts, “such as gender, age range, languages, and interests,” the company's head data protection officer, Damien Kieran, told Congress last year. The tool also lets users review “advertisers who have included them in tailored audiences.”

The CCPA stemmed largely from high-profile data breaches and reports about improper use of personal data from some large technology companies, particularly Facebook. Incidents included the Equifax hack in 2017, which unmasked the driver's license and social security numbers of millions of people, and the Cambridge Analytica scandal, during which it was revealed that personal Facebook data was improperly shared with a political data analysis firm.

“Once again California is taking the lead in protecting consumers and holding bad actors accountable,” said State Sen. Bill Dodd (D) after the bill was unanimously passed by the state’s legislature and signed into law by then-Gov. Jerry Brown. Dodd introduced the CCPA with two other state lawmakers.

Once in effect, companies that violate the CCPA will be subject to lawsuits and face significant fines.

As businesses scramble to meet the January 1 deadline, TrustArc found that the cost of compliance is growing. Over 50 percent of companies plan to spend at least $100,000 on new compliance measures; another 20 percent expect to spend over $1 million.

However, the cost varies greatly depending on the type of company and what type of data they collect, TrustArc says.

"Traditional manufacturing companies are not collecting and selling much personal information,” Deasy said. On the other hand, tech firms that collect troves of data, such as personal details, spending habits, and online search histories, face a far more daunting path to compliance.

The size of the company is another significant hurdle ー or advantage ー for companies in getting CCPA complaint.

"Larger companies have a lot more to do, a lot more complexities to address," Deasy said. Smaller companies can more easily “build-in privacy by design."

However, companies with the greatest advantage are those already GDPR-compliant. The two laws are similar in many ways. Both, for example, mandate that consumers have the right to request their data be deleted, or, as the Europeans put it, the “right to be forgotten.”

“Companies that took the steps to comply with GDPR are already ahead of the game,” Chris Babel, CEO of TrustArc, said in a statement. “The companies that did not work on GDPR compliance will be under the gun.”

The two regulatory regimes differ largely in territorial scope and jurisdiction, as well as their data classifications -- CCPA does not separately categorize sensitive personal information, whereas the GDPR specifically classifies and prohibits processing data that reveals personal characteristics such as racial or ethnic origins, political opinions, religious beliefs, or sexual orientation, to name a few.

Another major difference ー and a source of frustration for tech companies -- is that the EU proposed and implemented the GDPR over five years; whereas the CCPA will have been passed and implemented in less than two years.

As the 2020 deadline approaches, state officials are showing no signs of leniency. Just last month, state officials introduced an amendment to the CCPA that will strengthen its enforcement mechanism.

The amendment gives consumers the right to personally sue companies that misuse their data; in the original bill, legal action was to be brought through the state’s Attorney General’s office. The update also removes the statute that originally gave noncompliant companies 30 days to remedy their violation before punishment.

This “will ensure that the most significant privacy protections in the nation are robustly enforced,” State Sen. Hannah-Beth Jackson (D), who co-sponsored the amendment, said in a statement.

A legislative spokeswoman told Cheddar the state’s Attorney General’s office has already started developing its enforcement strategy with additional funding added to its annual budget.

“California, the nation’s hub for innovation, has long led the way to protect consumers in the digital age. And as we work to strengthen data privacy law, the world is watching,” California Attorney General Xavier Becerra said in a statement.

“It’s essential that we get this right,” he added.

Share:
More In Business
Michigan Judge Sentences Walmart Shoplifters to Wash Parking Lot Cars
A Michigan judge is putting sponges in the hands of shoplifters and ordering them to wash cars in a Walmart parking lot when spring weather arrives. Genesee County Judge Jeffrey Clothier hopes the unusual form of community service discourages people from stealing from Walmart. The judge also wants to reward shoppers with free car washes. Clothier says he began ordering “Walmart wash” sentences this week for shoplifting at the store in Grand Blanc Township. He believes 75 to 100 people eventually will be ordered to wash cars this spring. Clothier says he will be washing cars alongside them when the time comes.
State Department Halts Plan to buy $400M of Armored Tesla Vehicles
The State Department had been in talks with Elon Musk’s Tesla company to buy armored electric vehicles, but the plans have been put on hold by the Trump administration after reports emerged about a potential $400 million purchase. A State Department spokesperson said the electric car company owned by Musk was the only one that expressed interest back in May 2024. The deal with Tesla was only in its planning phases but it was forecast to be the largest contract of the year. It shows how some of his wealth has come and was still expected to come from taxpayers.
Goodyear Blimp at 100: ‘Floating Piece of Americana’ Still Thriving
At 100 years old, the Goodyear Blimp is an ageless star in the sky. The 246-foot-long airship will be in the background of the Daytona 500 — flying roughly 1,500 feet above Daytona International Speedway, actually — to celebrate its greatest anniversary tour. Even though remote camera technologies are improving regularly and changing the landscape of aerial footage, the blimp continues to carve out a niche. At Daytona, with the usual 40-car field racing around a 2½-mile superspeedway, views from the blimp aptly provide the scope of the event.
Is U.S. Restaurants’ Breakfast Boom Contributing to High Egg Prices?
It’s a chicken-and-egg problem: Restaurants are struggling with record-high U.S. egg prices, but their omelets, scrambles and huevos rancheros may be part of the problem. Breakfast is booming at U.S. eateries. First Watch, a restaurant chain that serves breakfast, brunch and lunch, nearly quadrupled its locations over the past decade to 570. Fast-food chains like Starbucks and Wendy's added more egg-filled breakfast items. In normal times, egg producers could meet the demand. But a bird flu outbreak that has forced them to slaughter their flocks is making supplies scarcer and pushing up prices. Some restaurants like Waffle House have added a surcharge to offset their costs.
Load More