Only 10% of businesses have achieved CCPA compliance according to Datawallet Report
22% of businesses have made no visible compliance effort at all
The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and came into effect on January 1st, 2020, giving businesses one-and-a-half years to get ready.
Our new report, “The CCPA Readiness Study”, takes stock five months after the passing of the January 1st compliance deadline, shortly before the July 1st AG enforcement start date, to provide helpful insights into the current rate of CCPA compliance of businesses of different sizes. We reviewed the compliance efforts that can be detected on the businesses’ websites, providing statistics for each aspect of CCPA compliance and for each type of business, from companies in the Fortune 1000 to those with fewer than 50 employees.
Compliance efforts are severely lacking
Shockingly, only 10% of reviewed businesses were found to have achieved full compliance. 22% of businesses had made no visible efforts at all to get ready for the CCPA.
The report identifies several possible reasons for this astoundingly low adoption rate. Perhaps businesses took a wait-and-see approach until California Attorney General (AG) Becerra released the final version of the regulations, which were submitted on June 1st. Maybe they have been operating under the assumption that they will not be prosecuted for violations that occur before the enforcement start date. The AG made it clear months ago that his office will prosecute for violations that occurred before July 1st.
The more plausible explanation could be that businesses simply underestimated the complexity of the CCPA and the effort it takes to get compliant. We have seen similar behavior in the EU with the adoption of the GDPR.
Most commonly failed CCPA-requirements
The notification requirement in particular, which states that consumers must be notified at or before the point of data collection of which categories of information are being collected, is being ignored on a wide scale.
A whopping 97% of businesses failed to serve up a CCPA-compliant collection notice.
The CCPA’s strict “Do Not Sell” stipulations, which apply to businesses who are selling personal information, appear to be a second stumbling block:
The CCPA’s text is clear: businesses should offer consumers at least two contact methods to submit deletion requests. Nonetheless, 21% of reviewed businesses failed to meet this minimum.
Uncertainty about the term “sale”
Many businesses expressed uncertainty about whether their data-sharing practices constitute a “sale” as per the CCPA. Most of these businesses participate in online advertising networks and use Real Time Bidding (RTB) strategies to offer tailored ads to their consumers. Phrases like “We do not sell data in the traditional meaning of the word, but might be considered data-sellers under the CCPA” were far from uncommon. 35% of the reviewed businesses stated that they could be considered data-sellers under the CCPA. A staggering 21% failed to include any statement about the sale of information.
Large enterprises outperform SMEs
Overall, Fortune 1000 businesses seem to be slightly ahead of the SMEs, achieving a marginally better score on the “overall compliance” test. It appears that having access to more funds and in-house privacy-professionals provides large enterprises with a leg up, compared to their smaller counterparts.
Datawallet helps you get compliant with powerful out-of-the-box tools in a matter of minutes. We’ve got you covered with our intuitive Data Subject Request (DSR) manager, our Consent Manager (CMP), and our data-mapping tool. If you want to jump right in, start your free trial of our easy-to-use compliance platform here (no credit card required).
Need something tailor-made for your organization? Contact us at email@example.com.