On January 1, 2020, a new California regulation went into effect that may push many unsuspecting enterprises doing business in the state into costly noncompliance while also introducing reputational risk and threatening their brands. The California Consumer Privacy Act (CCPA) grants new consumer rights related to data storage, use, and protection. Companies failing to comply with these rules can be fined up to $7,500 for each violation. Despite the potential impacts, a recent survey by the IT security firm ESET shows how ill-prepared most enterprises are regarding this new compliance obligation:
- Nearly half of all respondents had never heard of CCPA
- More than 8 in 10 respondents did not know if the law even applied to their business
- A third of executives were unsure if their organizations needed to change how consumer data was stored/processed
- Nearly 1 in 4 respondents “didn’t care” about becoming compliant
- More than half had not performed a risk assessment on cybersecurity within the past year
Given the stakes involved, this broad lack of urgency is concerning but not all that surprising. A DataGrail survey indicated that despite investing thousands of hours and being given a two-year head start, only half of the companies surveyed reported achieving compliance with the General Data Protection Regulation (GDPR), a similar data privacy regulation in Europe. Additionally, 70% of enterprises admitted that the systems they were currently using to comply would not scale. With the pace of regulatory change accelerating so rapidly, most enterprises are being caught flat-footed.