CCPA Watch

CCPA readiness gives way to CCPA compliance. CCPA is the first law in the United States that gives the strongest privacy rights to consumers and it’s setting the pace for other proposed state legislation.

Is it just another compliance requirement or is it going to drive real change towards greater protection of consumer’s privacy and data?

Seismic shifts don’t happen overnight. They’re built over time in small steps taken by organizations and people—small steps that slowly push the edge and create higher benchmarks. So PwC has launched this series called CCPA Watch to report on emerging benchmarks. We’re vigilant to the progression of compliance by companies, the reach of the impact beyond California, and the activation of consumers to exercise their rights.

This is where you can keep up with evolving CCPA rules. As we monitor CCPA litigation and enforcement trends, we will share insights here.

For businesses, CCPA Watch is the place to check how you’re stacking up as we analyze how companies are responding to specific requirements of CCPA.

Our research tells a tale of diverging consumer experiences and privacy strategies one week into America’s biggest privacy-law change in over a decade.

How many companies offer a do-not-sell (DNS) link on their websites?

Of the thousand-plus privacy laws and regulations tracked in PwC’s Risk Atlas database, CCPA is the only one in the world to mandate that a covered company that “sells” data should offer a do-not-sell (DNS) link on its websites.

A PwC team analyzed the websites of the 600 largest publicly traded companies and 100 largest privately held corporations and evaluated their approaches to this requirement.

Overall, 16% of the companies offered a DNS link. The percentage breakdowns by industry sector reflect the varied consumer experience we predicted last year.

Not surprisingly, industries with direct interactions with consumers are ahead of the other industries. But we expect that even traditionally B2B companies will catch up over time. For example, manufacturers of smart devices that offer services that track consumers in real-time will have to comply.

The 19% overall benchmark is trending above our expectations. In the months running up to the January 1 CCPA go-live date, the prevailing chatter among privacy professionals at industry events and networking groups suggested fewer than 10% would be launching these links, and instead would declare in their privacy policies that they didn’t sell Californians’ data.

View more

How many companies are offering CCPA rights of access and deletion beyond California residents?

We also checked to see how many companies were offering CCPA rights of access and deletion to all consumers, compared to those that restricted them to California residents only. Over the past year, we had advised companies to plan for the long term, adopt operational simplicity, and extend these rights to all consumers. Indeed, during the same industry events and networking groups mentioned before, the large majority of chief privacy officers were inclined to adopt that universal position.

Among companies that were operating a CCPA individual rights portal that we could analyze, we found the large majority were restricting those rights to Californians -- at least in this first phase of CCPA. Here are the sectoral breakdowns of those percentages implementing that restriction:

  • Health Industries: 75%
  • Financial Services: 67%
  • Consumer Markets: 64%
  • Technology, Media, & Telecom: 57%
  • Industrial Products & Services: 55%

Companies have had to focus on California residents, given the significant resources needed to comply with the deadlines. By the end of the year, we expect coverage beyond California residents, as companies grow more confident about their ability to respond to consumer requests and as more states pass their own privacy legislation.

View more

How many are operating CCPA privacy rights portals?

Companies subject to CCPA had relatively little time to design, test, and launch online triage mechanisms that first verify an individual’s identity before fulfilling their access and delete requests. Those who got the portals into the market achieved a substantial milestone. How many made it?

Across the websites of the 600 largest companies in the United States, we encountered operational CCPA rights portals on 40 percent of them. How did the different sectors rank against each other?

  • Financial Services: 57%
  • Consumer Markets: 49%
  • Technology, Media, & Telecom: 43%
  • Health Industries: 39%
  • Industrial Products & Services: 19%

Among the 600 sites, we found 33 pacesetters, those that are operating privacy rights portals and extending those rights to all consumers. Will their consumers notice this difference and respond in a way that reflects greater trust and appreciation of these brands? Time will tell.

View more


{{contentList.dataService.numberHits}} {{contentList.dataService.numberHits == 1 ? 'result' : 'results'}}

Contact us

Sean  Joyce

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Jay Cline

Jay Cline

US Privacy Leader, Principal, PwC US

Joseph Nocera

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.