Brands Feel Heat From CCPA: Less Than Half Are Ready For It, Study Says

The joyous holiday season is about to begin. But the Jan. 1 hangover is already beginning for marketers.  

The California Privacy Protection Act (CCPA) takes effect on Jan. 1. And fewer than half of affected firms will be compliant by that date, according to “Key Steps in Satisfying Your CCPA and Other Privacy Obligations,” a study by Osterman Research, sponsored by Egress Software Technology.

Perhaps worse, senior management is clueless about the law’s provisions at most firms. And few companies feel their data practices are mature.

The CCPA is bringing GDPR-style rules to the United States, and this could be a model for other state or federal legislation.

Now it could be argued that the study has limited reach. Osterman Research surveyed 149 individuals. But all were security professionals.

And the research shows that “most organizations just aren’t yet ready for compliance with the CCPA, despite the fact that we conducted the survey less than three months before it becomes enforced,” states Michael Osterman, principal analyst at Osterman Research.



Among the gaps in compliance and preparation is the lack of “a robust email security strategy, efficient processes that can quickly respond to data subject access requests (DSARs), and measures to reduce the risk of email compromise or the accidental exposure of sensitive data,” states Tony Pepper, Chief Executive Officer at Egress.

On the positive side, most firms have made at least some strides toward compliance. Here’s what they report:

  • Have conducted an audit to determine where all corporate data is located — 63%
  • Have completed an audit of current data protection policies to ensure their compliance with the CCPA or will do so by the end of 2019 — 56%
  • Have allocated budget for CCPA or will do so by the end of 2019 — 55%
  • Compliance and legal function understands the importance of compliance with the CCPA — 51%
  • Currently compliant with the CCPA or will be by the end of 2019 — 48%
  • Senior business management understands the importance of compliance with the CCPA — 37%
  • Senior management is very familiar with the key provisions of the CCPA — 24%
  • Data protection practices are "very mature" — 15%

In another chart, respondents report the following:

  • We are currently compliant with the CCPA — 30%
  • We will be compliant with the CCPA by the end of 2019 — 18%
  • We will be compliant with the CCPA sometime in 2020 — 27%
  • We will be compliant with the CCPA sometime after 2020 — 13%
  • We have no plans to be compliant with the CCPA — 12%

For the record, the law applies to:

  • Any company that has information about California residents and generates at least $25 million in annual revenue, or
  • Has personal data on 50,000 or more California consumers, or
  • Generates more than one-half of its revenues from sales of personal data.

Here’s one more thing to keep in mind: “the State of California will be reasonably aggressive in pursuing non-compliant organizations during 2020,” Osterman warns.

