Only half of US businesses affected by the California Consumer Privacy Act of 2018 expect to be compliant by the 2020 deadline, according to a PwC survey of more than 300 executives at US companies with revenues of $500 million or more.
The law — CCPA for short — is expected to provide state residents sweeping data-privacy rights that most businesses will only be able to honor by first overhauling their personal data-governance capabilities.
The US retail sector — largely unaffected by last year’s scramble for compliance with the EU’s General Data Protection Regulation — may be particularly challenged in meeting the deadline: less than half (46%) of retail and consumer respondents say they will be compliant by 2020. Confidence in meeting the deadline is similarly lacking in the industrial products (44%) and health (47%) sectors.
Respondents from financial services (58%) and telecommunications, media and technology (TMT) (56%) sectors are relatively more confident about meeting the deadline.
The CCPA mandates a wide range of safeguards to protect the personal data of California consumers and employees. The act significantly broadens the definition of personal data to include a range of individual, or household, identifiers. It defines consumer as a “natural person who is a California resident.”
CCPA’s impact will extend well beyond the Golden State and its 39.5 million residents. More than three quarters of respondents to our survey say they collect personal information on California residents. Many are considering whether to extend CCPA’s rights to all of their US employees and consumers for operational simplicity and long-term readiness for potential federal privacy legislation.
The law goes into effect Jan. 1, 2020. Six months later — after the state attorney general clarifies certain outstanding issues — enforcement is scheduled to begin. That does not amount to a grace period, however, because the state is not prohibited from later bringing enforcement actions for instances of noncompliance during those first six months.
Many executives are concerned about the limited time available to prepare. In fact, 86% of survey respondents rank CCPA compliance as one of their top business priorities. Retail and TMT companies are prioritizing CCPA compliance to a greater degree than other sectors.
In addition to the possibility of enforcement actions, CCPA includes a separate private right of action, which goes into effect at the same time. The law requires that consumers provide written notice to a business within 30 days of a violation before they can take legal action; companies have 30 days to “cure” the issue. The law doesn’t define what a “cure” would entail, however, and that has become a source of anxiety for companies: 84% say they are concerned about uncertainty around the term “cure” as it relates to violations.
Given the CCPA’s broad scope and complexity, the challenge of preparing for compliance might seem overwhelming. But businesses journeying toward CCPA compliance can break up the work into three phased steps:
The 23% who have already completed a CCPA assessment are best positioned to meet the deadline.
Companies preparing for CCPA now will be better prepared to address the evolving privacy regulatory landscape. Momentum toward greater data privacy regulation continues unabated, fueled by consumers’ increasing concerns. With a proactive approach to addressing compliance challenges, companies can gain a competitive advantage over organizations that take a "wait and see" approach.
Ultimately, compliance with the CCPA can help companies effectively manage risks and thrive in today’s data-driven world—and achieve market-disrupting gains.