Security Roundup: California’s Data Privacy Act, McAfee, BetterCloud, Kudelski
The countdown is on for the “tens of thousands” of businesses that will be required to comply with the California Consumer Privacy Act (CCPA) by Jan. 1, 2020.
At present, just 14 percent of companies are compliant with CCPA and 44 percent have not yet started the implementation process, according to the results of a new survey by TrustArc and Dimensional Research.
The law will impact tens of thousands of businesses globally that have customers or employees located in California, according to TrustArc.
The CCPA applies to any business, including any for-profit entity, that collects consumers’ personal information, that does business in California, and satisfies one or more of the following thresholds: has annual gross revenues in excess of $25 million; possesses the personal information of 50,000 or more consumers, households or devices; or earns more than half of its annual revenue from selling consumers’ personal information.
Of companies that have worked on General Data Protection Regulation (GDPR) compliance, 21 percent are compliant with CCPA, compared to only 6 percent for companies that did not work on GDPR.
We spoke with Dave Deasy, TrustArc’s senior vice president of marketing, about the long and difficult road ahead for businesses impacted by CCPA. The research did not test whether some organizations impacted by CCPA were unaware of their obligations, but “our experience from the GDPR revealed some organizations were not fully aware of their compliance obligations until they had customers or partners inquire about their compliance status,” he said.
“Businesses who have prepared to comply with GDPR by creating good data governance practices, records of processing and individual rights procedures will have a head start,” he said. “One of the biggest differences between the GDPR and CCPA is the introduction of restrictions on the sale of personal data. Individuals may now request an accounting of disclosures, including the sale of personal information to third parties and the option to opt out.”
Some 71 percent of companies expect to spend more than six figures to comply with CCPA, while one in five expect to spend more than $1 million to achieve compliance, according to the TrustArc/Dimensional survey. For companies that were not impacted by GDPR, 79 percent will spend more than six figures to comply with CCPA, compared to 61 percent who have worked on GDPR compliance.
“There are a lot of companies that weren’t impacted by GDPR — typically banks, health care, telecoms, utilities or large companies that don’t have presence in EU,” Deasy said. “Now with CCPA, which shares a lot of the breadth of GDPR, those organizations are having to deal with the complexity of the regulations for the first time.”
Eighty-eight percent of companies require external help to understand CCPA requirements. Seventy-two percent plan to invest in technology to prepare for CCPA, while 61 percent plan to spend on consulting expertise.
Also, 66 percent of companies need help developing their CCPA privacy plan.
“We are working with MSSPs who are interested in expanding their security services with the addition of managed privacy services,” Deasy said. “These include services like readiness planning, privacy risk assessments and development of processes to manage consumer rights requests.”
Under the CCPA, businesses are subject to civil action by the California Attorney General’s Office and can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation, if not cured within …