Most Companies Have Been Slow to Automate CCPA Compliance

Many companies face significant operational barriers to automation, so compliance with the California Consumer Privacy Act relies on largely manual processes.


Despite enforcement of the California Consumer Privacy Act (CCPA) coming online earlier this month, many companies in the state are struggling to comply with the far-reaching regulation. It’s not just a lack of understanding about the CCPA’s requirements that is holding them back. It’s also a lack of automation and factors outside of their control, according to a new survey of 121 U.S.-based companies by cybersecurity and cloud services provider Akamai.

Complying with CCPA requirements is still a manual process for many organizations. Only around a third of survey respondents, for example, said they have fully automated their workflows around giving customers access to their personal data. Even fewer—23 percent—have done the same for customer requests to have their data deleted. However, 43 percent have fully automated the processes by which they enable customers to opt out of allowing the company to sell their personal data.

According to the survey, at least half of all businesses have already received requests of each of these types. Less common are customer requests to find out whether, and to whom, the company has sold their private data—cited by 38 percent of respondents. And only 22 percent have received questions about how the company ensures it isn’t discriminating against customers who have exercised their CCPA privacy rights. Only 21 percent and 28 percent of companies, respectively, have automated responses to these last two types of requests.

Steve Winterfeld, the advisory CISO at Akamai, notes that one of the biggest hurdles to automating CCPA compliance is the fact that many companies fail to store customer data in one central location. He explains that organizations often give third-party providers access to customer data that is regulated by the CCPA.

“Now you have data in a lot of places, and so to automate something like ‘What information do you have about me?’ you have to pull from multiple places. And to build a system that can integrate all that can be very difficult,” Winterfeld says.

Moreover, for some companies, building such a system isn’t economical. “Part of that is how many people are going to require this. … If five people want their data to be deleted, automating it doesn’t make financial sense; you won’t get a return on investment,” he says.

Most respondents to the survey said the CCPA compliance challenges they face are both internal and beyond their control. Slightly fewer than half of all respondents cited a lack of consistency between the CCPA and other privacy regulations (47 percent) or a lack of visibility into what data they hold (46 percent) as a barrier to compliance. Around 40 percent cited inadequate technology infrastructure and inadequate implementation time as additional challenges, while 36 percent cited a lack of data education.

Winterfeld notes that the challenge of “data education” includes making sure all departments and employees within a company understand how to comply with the CCPA. For example, “you don’t have marketing go hire a company that is not compliant with the requirements,” he says. He adds that companies have to make sure “data is treated in accordance to those corporate policies that allow the company to be compliant.”




According to the survey, most companies rely on their chief information officer (32 percent) or chief technology officer (29 percent) to manage their CCPA compliance effort, while 18 percent have given that responsibility to their chief legal officer. Nine percent have their chief customer officer spearhead the effort, while 8 percent turn to their chief privacy officer and 3 percent to their chief marketing officer.

From: LegaltechNews