Will small- and medium-sized enterprises face unique challenges implementing the California Consumer Privacy Act? The IAPP’s Westin Research Center reviewed responses to six IAPP surveys and conducted a focus group for Californian SMEs to find out.
Encouragingly, our research suggests that company size is not a major differentiator in CCPA preparedness. SMEs that responded to IAPP surveys and inquiries express comfort or confusion with CCPA requirements in alignment with their larger peers. They also indicate equal levels of preparedness.
However, we identified several unique characteristics of SMEs’ privacy programs and some broader privacy challenges that merit attention as CCPA guidance is developed and pending legislation elsewhere is considered. Our three main takeaways relate to the applicability of legislation to SMEs, the importance of contracts and verification challenges, as explained in more detail below.
SMEs will be covered by the CCPA — their unique needs should be considered
SMEs we heard from were clear that even if they do not meet the CCPA’s definition of a “business,” their clients and customers will require them to sign contracts attesting to CCPA compliance. Many have already faced such demands. Since SMEs operating as part of the data ecosystem are likely to be covered by the CCPA regardless of any revenue or data processing thresholds designed to lessen their compliance burdens, guidance (and future legislation) should be designed with their needs in mind.
As one might expect, we found that privacy teams in SMEs are typically smaller and multifunctional. Privacy professionals are frequently more senior, often C-suite professionals, but devote only half their time to privacy. They are more likely located in information security or technology departments than legal offices and prioritize client expectations and avoidance of threats and attacks over regulatory and legal compliance (in contrast to their larger peers). Privacy teams at SMEs have smaller budgets than those in larger organizations, though they spend more on privacy on a per-employee basis. They invest less frequently in privacy training but more often in privacy certifications for their employees.
While they express equal levels of CCPA preparedness, SMEs also express equal levels of confusion.
The top concern we heard was lack of clarity in the law, with a focus on whether employee data is covered, how the “sale” of data relates to basic advertising, and how to address potential conflicts of law.
Vendor management may also present a challenge. SMEs are less likely than larger companies to have programs designed to ensure vendors’ privacy and security practices will not threaten the integrity of their own privacy programs. While most SMEs include privacy provisions in vendor contracts (and will need to do so under the CCPA), they use privacy questionnaires and audits significantly less often than larger companies.
Contracts are the priority — large companies will dictate the terms unless regulators step in
The most significant CCPA compliance challenge SMEs expect to face is revising data processing provisions in contracts. Having just updated countless contracts to comply with the EU General Data Protection Regulation, SMEs expect to devote significant time and resources (and invest in outside legal counsel) to update them again.
Those who participated in our focus group indicated they have not yet begun this process due to a lack of clarity regarding contractual requirements and the expectation that the largest companies will set the terms for the entire data ecosystem. They felt that updating contracts now would unnecessarily hamstring their own businesses and lead to wasteful duplication of efforts.
Focus group participants expressed familiarity if not quite comfort with a handful of companies dictating the privacy terms for entire industries. Their main concern was the unlimited liability many had been forced to accept through indemnification clauses in data-processing agreements. Some indicated they had been successful in capping liability at insurance maximums, but others felt they had no choice but to accept the terms as presented. They expressed interest in attorney general guidance or a template for contractual updates.
SMEs automate less — identity verification challenges could increase
SMEs invest less in privacy-enhancing technologies and automation than larger companies. Since they are more likely to operate in the business-to-business rather than business-to-consumer sector, they receive fewer data subject access requests and typically address those received manually. Manual processes are more common than automated ones across the board — for access requests, data inventories, privacy impact assessments and records of processing. This could pose unique challenges for identity verification under the CCPA.
SMEs cited concerns about the potential for harmful, costly and actionable data breaches as a result of fraudulent CCPA access requests, noting recent research conducted on the potential for abuse of GDPR access rights.
They also noted the harm that could arise if “household” data can be sought through access requests and the need for a clear exception to the right of access when the privacy rights of others could be threatened, as exists under the GDPR. The CCPA indicates that the California attorney general will establish rules governing access requests and verification of a consumer’s identity. The SMEs we heard from highlighted the importance of clear attorney general guidance and the need for a checklist for identity verification.
Research methods and considerations
To better understand SMEs’ general approach to privacy, we compared responses from smaller and larger companies to the IAPP-EY Privacy Governance surveys over the past three years. We also reviewed responses to two CCPA-preparedness surveys and one survey on privacy technology adoption. We divided responses at either 250 or 500 employees depending on the survey. It is important to note that the average SME respondent to our governance survey had seven years of privacy experience, only one year less than their peers at larger companies. This suggests that our sample is reflective of those organizations that are already investing significant resources in privacy programs rather than of the broader population of companies.