OneTrust-IAPP Research: Most U.S. Companies are Not Ready for the CCPA


With Only Six Months Until the CCPA's Implementation Date, Research Reveals Less than Half Will be Prepared

WASHINGTON, April 30, 2019 /PRNewswire/ -- Today at International Association of Privacy Professionals' (IAPP) Global Privacy Summit, OneTrust and the IAPP announced the results from research analyzing California Consumer Privacy Act (CCPA) preparedness in advance of the regulation's Jan. 1, 2020 compliance deadline. The IAPP, the largest and most comprehensive global information privacy community and resource, and OneTrust, the largest and most widely-used dedicated privacy management technology platform, surveyed U.S. organizations spanning size and industry, and found that while reputation and consumer privacy are the biggest drivers for CCPA compliance, only 55% of companies plan to be ready by the law's Jan. 1, 2020effective date.  

The CCPA is the first of its kind U.S. consumer privacy law which broadly expands the data protection and privacy rights of California residents. The law, inspired by the EU's General Data Protection Regulation (GDPR), requires organizations that do businesses in the state to undertake significant operational reform to meet the increased obligations of handling California consumer personal data.

In the first of three planned reports this year to assess CCPA readiness overtime, the OneTrust-IAPP research revealed most organizations still have a long way to go toward compliance. Key findings from the research found:

  • Only 55% of those surveyed plan to be ready for the CCPA by its enforcement date: Jan. 1, 2020. Another 25% plan to be ready by July 1, 2020, the date California will begin enforcement actions.
  • The biggest reason organizations are underprepared is due to a lack of time, whereas the biggest motivator for compliance is company reputation.
  • GDPR readiness is paying off: companies with a "high" level of GDPR compliance have early target dates for CCPA compliance (59% will be ready by Jan. 1), while none of the organizations that report "low" GDPR compliance plan to be ready by this same date.
  • Federal preemption is unlikely: 47% of those surveyed believe a federal privacy law that preempts the CCPA will not be passed by Congress over the next year or two.

Given the haste with which the CCPA became law, as well as a number of drafting errors, many organizations seem to have taken a wait-and-see approach to compliance. But now, with the law taking effect Jan. 1, 2020, and becoming enforceable July 1, 2020, it is clearly time for organizations to take a closer look at the CCPA and begin preparing toward compliance.

"The CCPA is a major moment for the U.S. privacy landscape and our research reveals companies that didn't need to overhaul privacy practices for GDPR compliance are now struggling to meet the CCPA's 2020 deadline," said Kabir Barday, OneTrust CEO and Fellow of Information Privacy (FIP). "With OneTrust, organizations can simplify this compliance process and implement an automated and research-backed technology solution to fast-track their efforts and efficiently meet CCPA requirements, including the 12-month 'look back' clause which forces companies to handover consumer data handling practices as far bas as January 2019. We've already seen a massive increase in customer interest in the CCPA, and are helping many organizations make the necessary CCPA operational changes to leverage the new law as a stepping stone for building a global privacy program."

"Our survey targeted a community of well-informed privacy professionals, and even they seem a bit caught off guard by the CCPA," said Rita Heimes, IAPP Research Director and Data Protection Officer. "Nevertheless, they seem to think it's not likely to be replaced by a federal law any time soon."

Download The Research