Organizations Struggle With CCPA, CPRA, GDPR Compliance

The vast majority—92% of companies across all verticals, states and business sizes—are still unprepared for compliance with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), while a similar percentage (91%) are unprepared for GDPR compliance.

A report from Cytrio revealed these organizations are still using time-consuming and error-prone manual processes to attempt to meet data privacy regulations.

More than half (53%) of companies surveyed said they must comply with CCPA but do not provide a mechanism for their users and consumers to exercise their data privacy rights as the law requires.

Cytrio founder and CEO Vijay Basani cautioned that organizations that fail to prepare face potential regulatory fines and negative media coverage for non-compliance.

He pointed to the cautionary tale of beauty retailer Sephora, which was fined $1.2 million for selling consumers’ personal information (PI) without their consent.

“The company received a lot of negative coverage,” he said, and added that, in addition to the negative publicity, companies would see an increase in insurance costs, loss of customers and more.

The Stages of Compliance

Basani explained that while many companies are just starting their data privacy journey, it’s likely that most will follow a three-stage maturity curve based on the adoption processes of other compliance regulations that came before.

The first stage focuses on creating a risk map of where the risk exposure is in collecting, storing, using, sharing and processing personal information.

“Once processes are in place to understand what data is being collected, how is it stored, used, processed and shared and risk exposure and notices and consents are in place, the next step is maintaining what has been established,” he said.

This second phase requires companies to think about connecting front-end privacy controls with the marketing stack to make sure companies are honoring end-user consent and preferences.

The third stage puts mechanisms in place to proactively develop and incorporate data privacy principles across all aspects of the company.

“This stage includes data governance, data masking and data retention to make sure the right people and processes are accessing PI data for the right purposes, that data is not misused and data is deleted beyond its stated purpose,” he said.

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, added that an organization, regardless of its size, should have an assigned data protection officer role.

“The data protection officer could be a standalone resource or the role and responsibility could be assigned to an information security officer or the company’s general counsel,” he said.

When it comes to ownership by team, he said, the legal and cybersecurity teams are most often responsible for compliance in small businesses, while medium and large enterprises should typically have a dedicated privacy team that assumes these roles and responsibilities.

“We also recommend that organizations add software solutions to help with compliance,” Ramamoorthy said. “Data security software solutions that are currently available on the marketing teams can offer complete visibility into corporate data to better determine what sensitive data exists, who has access and what those identities are doing with the access.”

Basani pointed out that in the last two years, the rate of enforcement actions has steadily increased, reaching over $3 billion in total fines and 1,500 companies as of February 2023.

“With the establishment of CPPA, we now have significant enforcement resources to go after non-compliant companies under CPRA,” he said. “As with GDPR, consumers will become increasingly aware and educated about their data privacy rights and will also begin exercising their data privacy rights more regularly.”

Negative media coverage will mean consumers potentially getting disenchanted with companies and could lead to a subsequent loss of business.

“Employee rights to personal data under CPRA will also mean companies need to be diligent about respecting and honoring employees’ rights to their personal data,” he added.

Ramamoorthy explained it’s clear that privacy regulations are not going away, with more states enacting them and growing talk about privacy regulations at the federal level.

“As these regulations accelerate and take hold and as governing bodies and watchdog groups begin paying closer attention to organizations that hold sensitive and private data, companies that are slow to comply will quickly find themselves behind the curve,” he said.

“Catching up to get systems and processes up to standards will likely take more time, effort and money than if compliance was initiated and maintained early,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
