How are companies preparing for CCPA?
Survey: One-fifth of large companies will spend over $100 million, add over 50 staff on CCPA
A poll of corporate spending plans and policy approaches for California’s landmark privacy law has revealed dramatic levels of preparation. A PwC-sponsored survey of CIOs at companies with at least $1 billion in revenues conducted by a third-party firm the first week of October found that 43% will spend over $10 million getting ready for the California Consumer Privacy Act (CCPA)—with 20% topping $100 million.
By comparison, a similar PwC survey of corporate budgets for the General Data Protection Regulation (GDPR) had discovered 40% of companies expected to spend over $10 million on that regulation. That survey didn’t offer an option for a higher-spending category.
The CCPA budget tail will continue into 2020. Two-thirds of surveyed companies plan to add over ten full-time staff and contractors to sustain their CCPA program, with 22% adding more than 50.
Planned additions to full time staff and contractors to maintain CCPA in 2020.
Preparing for CCPA with technology
Companies preparing for CCPA will also be deploying and enhancing third-party technology at higher rates than for GDPR. Their plans are dispersed across an array of data-discovery and workflow-software providers whose solutions help fulfill CCPA data-subject requests.
Based on survey findings, the percentages in the list below indicate what share of respondents plan to use these tools as part of their CCPA readiness preparations:
| Third-party technology | Percent planning to use for CCPA readiness |
|---|---|
| Salesforce.com: | 49% |
| PwC's CCPA solution: | 33% |
| BigID: | 26% |
| OneTrust: | 23% |
| Dataguise: | 21% |
| Integris: | 21% |
| Jira: | 21% |
| Nymity: | 16% |
| AvePoint: | 16% |
| WireWheel: | 14% |
| Trustarc: | 14% |
The addition of technology into a company’s data privacy program is a marked change from two years ago, when multinationals were preparing for the GDPR. With many of the aforementioned providers less mature in their privacy offerings then, most companies built GDPR programs with largely manual, labor-intensive processes and capabilities. The CIOs responding to this survey, as a result, reported higher rates of automation and readiness with under three months before the CCPA’s go-live date.
What’s driving the high expenditures and focus on automation? High volumes of expected consumer calls starting January 1, 2020. Among companies responding to the survey, two-thirds expect to field over 500 calls per day, with 11% planning for over 10,000 daily.
Operationalizing CCPA
Resourcing for CCPA has also expanded beyond the privacy office—another development since the days of GDPR preparation. The top corporate leaders funding CCPA included the CIO (64%), CCO (36%), CDO (33%), line of business head (29%), and head of customer service (24%).
The survey also discovered that companies are taking a diversity of approaches to operationalize the CCPA requirements. Some of the most noteworthy findings included:
- Over one-third will fulfill CCPA requests from anyone, not just California residents;
- Many financial services companies and healthcare companies will not be exercising the CCPA exemptions for data covered by HIPAA and GLBA;
- More companies will offer a two-tiered authentication process than a single process for CCPA requests;
- Many companies plan to use a data broker or credit-reporting agency to assist in the authentication process;
- Almost half of respondents plan to automatically process bulk CCPA requests;
- A significant portion of companies plan to delete all data requested, not just the previous 12 months afforded by CCPA; and
- De-identification will play a significant role in companies’ approaches to meeting CCPA deletion requirements.
