On the first day of 2020, California residents woke up with new data rights at their disposal. The California Consumer Privacy Act gave them more control over their personal information, with some rights similar to those EU residents enjoy under the General Data Protection Regulation.
Though this new era is only a few months old, a Truyo study shows companies have already begun to receive a high volume of requests, numbers that may be heightened by the COVID-19 pandemic.
The study was conducted by Dimensions Data on behalf of Truyo and featured responses from 221 privacy professionals who worked at companies that have more than 1,000 employees. A vast majority of those surveyed expressed a level of anxiousness about the requests, as 92% said they are concerned about honoring data subjects' rights under the CCPA. The study also found 51% said data subject request fulfillment is the most difficult part of CCPA compliance.
Those challenges may stem from the number of requests companies have been receiving weekly since January.
Of those privacy professionals who were polled, 24% said they receive 10 to 50 requests per week. On the higher end of the spectrum, 11% said they received 100 to 500 requests, while 9% said they received more than 500 per week. The latter two figures were the ones that caught the eye of Truyo Demand Generation Manager Ryan Foster.
"We didn’t know how many there were prior to this. We knew this was going to be a big deal. We looked at the GDPR as a model for this, and it took a long time for those under the GDPR to start exercising their rights," Foster said. "The adoption rate for the CCPA has been so much faster, and I think it’s been surprising for a lot of people."
Foster believes the media coverage in the U.S., efforts to publicize the law by the California attorney general, and the complexity of the GDPR are among the factors behind the faster adoption of the CCPA.
The COVID-19 pandemic may also be factored into the elevated volume, as 56% of privacy professionals said they expect an increase in requests as people stay home.
"More people are online, and companies they haven’t heard from in years are sending them emails saying, ‘We are in this together,’" Foster said. "I think it’s just digging up a lot of data that wasn’t as top of mind before and people have more time on their hands."
To respond to these higher-than-expected levels of requests, 64% of organizations plan on spending more than $100,000 on privacy tech solutions, staff, training and consultants to reach compliance. That figure breaks down to 37% saying they will spend between $100,000 and $500,000, 17% planning to invest between $500,000 and $1 million, and 10% expecting to pay more than $1 million to ensure data subject right compliance.
"This really shows that companies are taking it very seriously. The California (attorney general) has made it very clear he will not delay (enforcement) due to COVID-19," said Foster, adding, "companies have had two years to come up with a solution for this so they should be well on their way to having a process in place to deal with these requests that are coming in."
When assessing what solution will best help their organizations respond to the inquiries, organizations are turning to third parties, with 56% of respondents saying they have purchased tools from a privacy tech vendor rather than building a solution in-house.
The findings of the report also put a spotlight on the gap between how legal professionals and IT teams understand privacy technology, particularly with regard to automation. Only 13% of IT professionals said the solutions their organizations use to handle data subject requests are fully automated. On the other side, 55% of individuals on the legal, privacy and compliance teams said their data subject request capabilities are completely automated.
Foster said this chasm is a result of legal professionals' inexperience with technology and two departments that have had to learn to communicate with one another for the first time.
"Legal gets the request in the inbox, and they send it over to IT and that feels like automation to them. It’s been taken care of as far they understand," Foster said. "Then it goes over to the IT group and they are the ones who actually have to process it by pulling that data, formulating the response and getting it sent back to the consumer in an easily readable format. There’s just a discrepancy between the knowledge processes and what’s going to be in place."
With CCPA enforcement still set for July 1, organizations have less than two months to see whether their efforts have met the standards of the law. Foster said the reason why Truyo approached privacy professionals from larger entities is that it wanted to hear from organizations that are more likely to draw regulatory attention this summer.
"We’ve spoken to the smaller companies, and we’ve spoken to the people in the middle, and they are looking at CCPA and saying, ‘We are not going to be in scope for this.' The California (attorney general) is not going to go after the mom and pop. They are going to go after the big guys that they know have breaches and all this data," Foster said. "We wanted to go after a group that we know was doing something around privacy. I think a lot of smaller companies are doing the 'wait-and-see approach.'"