Many US businesses doubt they will meet California privacy law deadline

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.


Only half of US businesses affected by the California Consumer Privacy Act of 2018 expect to be compliant by the 2020 deadline, according to a PwC survey of more than 300 executives at US companies with revenues of $500 million or more.

The law — CCPA for short — is expected to provide state residents sweeping data-privacy rights that most businesses will only be able to honor by first overhauling their personal data-governance capabilities.

The US retail sector — largely unaffected by last year’s scramble for compliance with the EU’s General Data Protection Regulation — may be particularly challenged in meeting the deadline: less than half (46%) of retail and consumer respondents say they will be compliant by 2020. Confidence in meeting the deadline is similarly lacking in the industrial products (44%) and health (47%) sectors.

Respondents from financial services (58%) and telecommunications, media and technology (TMT) (56%) sectors are relatively more confident about meeting the deadline.

The CCPA mandates a wide range of safeguards to protect the personal data of California consumers and employees. The act significantly broadens the definition of personal data to include a range of individual, or household, identifiers. It defines consumer as a “natural person who is a California resident.”

CCPA’s impact will extend well beyond the Golden State and its 39.5 million residents. More than three quarters of respondents to our survey say they collect personal information on California residents. Many are considering whether to extend CCPA’s rights to all of their US employees and consumers for operational simplicity and long-term readiness for potential federal privacy legislation.

Concern about CCPA

The law goes into effect Jan. 1, 2020. Six months later — after the state attorney general clarifies certain outstanding issues — enforcement is scheduled to begin. That does not amount to a grace period, however, because the state is not prohibited from later bringing enforcement actions from instances of noncompliance during those first six months.

Many executives are concerned about the limited time available to prepare. In fact, 86% of survey respondents rank CCPA compliance as one of their top business priorities. Retail and TMT companies are prioritizing CCPA compliance to a greater degree than other sectors.

In addition to the possibility of enforcement actions, CCPA includes a separate private right of action which also goes in to effect at the same time. The law requires that consumers provide written notice to a business within 30 days of a violation before they can take legal action; companies have 30 days to “cure” the issue. The law doesn’t define what a “cure” would entail, however, and that has become a source of anxiety for companies:  84% say they are concerned about uncertainty around the term “cure” as it relates to violations.

Given the CCPA’s broad scope and complexity, the challenge of preparing for compliance might seem overwhelming.  But businesses journeying toward CCPA compliance can break up the work into three phased steps:

  • Assess current capabilities: This year, a company should aim to identify and classify relevant personal data, assess data-governance practices and develop a strategy for monetizing data in a secure way that respects privacy.  In addition, it should assess privacy controls to identify gaps relative to CCPA requirements and prioritize updates of the processes and technologies necessary for compliance. In our survey, nearly a third of respondents say they are in the midst of an assessment, and less than a quarter say they have completed an assessment. 
  • Design the future state: Starting in 2019, a business should establish a program management office that mobilizes the various functions within the company to support accountability, remediation and implementation. In addition, a business should implement processes and technologies for CCPA readiness, and focus on mitigating gaps and establishing privacy controls.  The remediation and implementation effort involves seven workstreams.
  • Operate and sustain: In 2020, when the CCPA is scheduled to go into effect, a business should be focused on establishing monitoring mechanisms for ongoing compliance.

23% who have already completed a CCPA assessment are best positioned to meet the deadline.

Companies preparing for CCPA now will be better prepared to address the evolving privacy regulatory landscape. Momentum toward greater data privacy regulation continues unabated, fueled by consumers’ increasing concerns. With a proactive approach to addressing compliance challenges, companies can gain a competitive advantage over organizations that take a "wait and see" approach.

Ultimately, compliance with the CCPA can help companies effectively manage risks and thrive in today’s data-driven world—and achieve market-disrupting gains.

Your readiness roadmap

Contact us

Jay Cline

US Privacy Leader, Principal, PwC US

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Follow us