California’s tough online privacy protection measure — the Consumer Privacy Act approved in June 2018 — gives the state’s 40 million residents the right to require a business to disclose the types of personal information it collects on the consumer, where that information is collected and whether it’s being sold or shared, and to opt out of the whole thing.
The Act is slated to come into effect on January 1, 2020, after which companies could be docked up to $7,500 for each violation. While the CCPA resembles much of the European Union’s General Data Protection Regulation, which went live more than a year ago, the laws have more in common than form and function: the startling lack of readiness and preparation by the business community prior to the CCPA’s launch date.
In a poll of 625 business owners and company executives conducted by the San Diego, California-based IT security provider ESET, 44 percent had never heard of the bill. The same percentage said it didn’t apply to them. Only 12 percent said their businesses will be affected by the law.
Other findings:
- 34% of executives/owners say they don’t know if they will need to change how they capture, store and process data to comply.
- Another 22% say they “don’t care,” while 35% of respondents said nothing needs changing for CCPA compliance.
- 38% of respondents are “very confident” they will have “reasonable security” in place by January 1, 2020.
- 33% said they “don’t know” if they’ll be ready.
- About 50% of respondents indicated they did not modify their behavior or processes to bring their businesses into compliance with the GDPR.
Of particular note, nearly 71 percent of businesses in the survey said they were not relocating out of California to avoid the legislation.
Why does this sound so similar to the mad scramble some companies doing business in the EU faced at the dawn of that regulation’s enforcement? In this case, however, there’s a potentially painful twist for perpetrators: a key aspect of the CCPA is that it gives Californians the right to sue businesses subject to the law when their personal information is compromised in a data breach.
“It’s clear that businesses are confused about this upcoming regulation; they do not know whether they are subject to the law and what they need to do to become compliant,” said Tony Anscombe, ESET global security evangelist and industry ambassador. “This is a serious situation, as the penalties will be severe, and the financial harm could be grave to these firms. Businesses should particularly focus on the ‘reasonable security’ aspect of the law by ensuring they have stringent processes and practices in place, including strong endpoint protection and encryption, throughout their organization.”