A recent study finds that businesses are not prepared for the California Consumer Privacy Act to go into effect on January 1, with many saying the law is too expensive to comply with.

In a few months, the California Consumer Privacy Act (CCPA) will be in effect, and only 8% of businesses are prepared, according to an August 2019 survey of 1,500 businesses, 15% of which were retailers, conducted by personalization data vendor PossibleNOW Inc.

The CCPA privacy law, which will go into effect Jan. 1, 2020, gives Californians rights to opt out of the sale of their personal information, the ability to have their data deleted and a right to know what has been collected on them. This impacts every online retailer that sells to California consumers, as most merchants collect a consumer’s name, location, IP addresses and identifiers that track their web and app use on their internet-connected devices, such as laptops and smartphones.

The CCPA Readiness survey finds that most businesses are aware (20%) or are educating themselves (58%) about CCPA, and only 22% did not know about it.

Although businesses are aware, fewer than half are ready, as only 8% said they are prepared today. However, 34% said they are not currently prepared for CCPA compliance but will be by Jan. 1.


Of the businesses that will not be compliant by the New Year’s Day deadline, the top reason, at 34%, was that it’s too expensive to comply, followed closely by 32% of businesses who said they are waiting to see how it’s enforced.

Businesses that do plan to provide California consumers their data upon request will offer consumers various ways to submit a request related to data privacy. 37% of businesses said they will have online access for consumers to do it themselves, 33% of businesses said consumers will be able to submit requests via email and 25% of businesses said consumers can or will be able to contact the business by phone.

The California Attorney General enforces CCPA, and each violation can amount to a civil penalty of up to $7,500 per record for each intentional violation, and $2,500 per record for each unintentional violation. For example, a business that mismanages 1,000 consumer privacy requests could face a fine ranging from $2.5 million-$7.5 million.


Because the law is not yet deployed, the fine specifics and how it will be enforced are still evolving, which is why many businesses may be taking the wait-and-see approach. Once businesses have more information, they can better make a strategy, says Robert Tate, vice president of sales at PossibleNOW.

“These specifics will inform the appropriate levels of both risk management and spend,” Tate says. “Organizations shouldn’t wait too long as CCPA offers an opportunity to get ahead of many other states proposing similar requirements.”

Businesses need to weigh the cost of compliance against the risk and cost of being fined, says Eric Tejeda, marketing director at PossibleNOW. “Just as with GDPR, a significant number of businesses are caught between the cost and effort of complying with CCPA and the probability of enforcement actions against them,” Tejeda says. GDPR stands for General Data Protection Regulation, and is Europe’s privacy law that similarly gives consumers rights to know how businesses are collecting, using and storing their personal data.

Investment in privacy, trust and transparency is a long-term business decision that will help business outcomes in the long run even if it doesn’t immediately drive sales, Tate says.


“Privacy and security are two of the most understaffed and underbudgeted functions in many companies,” Tate says. “When budget is fixed, limited or non-existent, any incremental investment can be perceived as ‘too expensive,’ especially as a cost center that isn’t driving top or bottom line growth.”