A significant number of businesses are not prepared for CCPA and are caught between weighing the cost and effort of complying with the act and the probability of enforcement actions being brought against them. Companies with annual gross revenues of $25 million or more, those that buy or sell more than 50,000 individuals’ data, and those that make more than half of their annual revenues from selling customer data need to comply. 

For businesses that fail to or refuse to comply, fines can be steep. The CCPA states that companies can be penalized $2,500 for each record of unintentional violation and $7,500 for each record of intentional violation. Ignoring the rules or taking no action to comply may result in intentional violations. This cost is levied per record or instance, meaning fines can rise to the hundreds of thousands of dollars.

Complacency is not a strategy. This is just one of many regulations designed to protect consumers’ right to privacy. Organizations should have a comprehensive program, utilizing the right technology partners, to automate their consumer privacy practice and adhere to the regulations. Just as we have seen with GDPR, the companies that fail to make the investment now are only going to have to put in more work and effort down the line.

Organizations need to implement advanced data classification, data anonymization, data masking, security, and access controls in order to set themselves up for successful compliance. ESG believes that many organizations are only ready on the surface—with marketing opt-in/out processes, for example.  

Successful organizations must be able, in time, to offer online portals that provide verified users the ability to know all of the data the organizations hold about them, and comply with the various requirements that are applicable.