After working with clients on compliance with the European Union’s General Data Privacy Regulation (GDPR) amid the rapidly evolving landscape of data privacy and security laws and regulations, the next compliance hurdle for organizations is the California Consumer Privacy Act (CCPA).
We have previously outlined the requirements of the CCPA in several posts. Now is the time to be thinking about, assessing and determining compliance obligations and implementing those measures so they are in place when the CCPA goes into effect in January 2020.
A report issued this week by TrustArc confirms what we are seeing in the industry: although companies are aware of the CCPA, and some have started addressing compliance with it, a vast majority of the companies to which it applies are behind in tackling the requirements.
The TrustArc Report, CCPA and GDPR Compliance Report, states that “[F]or the vast majority of respondents (over 86 percent), CCPA compliance is still a work in progress. 14 percent report being CCPA compliant and 16 percent of respondents have not started the process yet. 21 percent of companies who worked on GDPR compliance report being CCPA compliant already vs only 6 percent for companies who did not work on GDPR.”
According to those surveyed, 64 percent of the respondents said they need help developing a CCPA plan and conducting privacy risk assessments, and 63 percent said they need help addressing international data transfers. Companies that have already addressed GDPR compliance were ahead of their peers that have not.
Bottom line: If you have not made CCPA compliance a priority in your organization, now is the time. The compliance date is looming, and it takes time to implement the compliance plan. Further, a big incentive to get the compliance plan in place is the fact that CCPA provides a private right of action for consumers to get statutory damages for violation of the Act. We have seen how this has gone with Telephone Consumer Protection Act class action cases. The plaintiffs’ attorneys are ready to test companies’ compliance with CCPA, so addressing compliance now, instead of waiting to get hit with a class action case, is something to be considered.