Many companies that handle user data are not prepared for the upcoming California privacy law that is being compared with the European Union’s GDPR regulation.
According to privacy technology firm Ethyca, as many as 88% of these companies have not reached “an adequate state of compliance” ahead of the California Consumer Privacy Act (CCPA), which comes into force in January.
Like GDPR, the CCPA introduces robust data rules that aim to protect the privacy of citizens. The law will also allow the state of California to impose financial penalties on companies affected by data breaches.
Even though California is home to many of the world’s technology giants, only 12% of respondents to a survey of 85 companies of all sizes said they were ready for the new regulatory landscape.
Some 38% of companies need 12 months before they are compliant with upcoming data regulations, according to the Ethyca survey.
Microsoft this week became the first big tech firm to agree to honour the principles of the CCPA across the entire US.
Calling the CCPA a “landmark privacy law”, the company pointed to its early compliance with GDPR as a motivating factor.
“While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction,” Microsoft vice-president for global privacy Julie Brill said in a statement.
But other companies are “running out of time”, according to Cillian Kieran, the CEO of Ethyca, which builds automated data privacy infrastructure and tools for companies.
More than 70% of respondents to the survey have not built an engineering solution for policy compliance — which means they are instead reliant on retrofitting old processes and additional work from employees.
Meanwhile, none of the startups surveyed have built privacy infrastructure or made budgetary allocations for privacy-related technology.
Noting the recent rise of enforcement activity from privacy regulators related to GDPR, which was introduced in May 2018, Kieran said that actions from regulators under CCPA may build “slowly” before gaining pace.
Ethyca also cautioned that companies were very focused on the US and Europe, even though similar privacy laws are now being introduced in other parts of the world.