Credit: Urupong Phunkoed/Shutterstock.com

Despite enforcement of the California Consumer Privacy Act(CCPA) coming online earlier this month, many companies in thestate are struggling to comply with the far-reaching regulation.It's not just a lack of understanding about the CCPA's requirementsthat is holding them back. It's also a lack of automationand factors outside of their control, according to a new survey of121 U.S.-based companies by cybersecurity and cloud servicesprovider Akamai.

Complying with CCPA requirements is still a manual process formany organizations. Only around a third of survey respondents, forexample, said they have fully automated their workflows aroundgiving customers access to their personal data. Even fewer—23percent—have done the same for customer requests to have their datadeleted. However, 43 percent have fully automated the processes bywhich they enable customers to opt out of allowing the company tosell their personal data.

According to the survey, at least half of all businesses havealready received requests of each of these types. Less common arecustomer requests to find out whether, and to whom, the company hassold their private data—cited by 38 percent of respondents. Andonly 22 percent have received questions about how the companyensures it isn't discriminating against customers who haveexercised their CCPA privacy rights. Only 21 percent and 28 percentof companies, respectively, have automated responses to these lasttwo types of requests.

Steve Winterfeld, the advisory CISO at Akamai, notes that one ofthe biggest hurdles to automating CCPA compliance is the fact thatmany companies fail to store customer data in one central location.He explains that organizations often give third-party providersaccess to customer data that is regulated by the CCPA.

"Now you have data in a lot of places, and so to automatesomething like 'What information do you have about me?' you have topull from multiple places. And to build a system that can integrateall that can be very difficult," Winterfeld says.

Moreover, for some companies, building such a system isn'teconomical. "Part of that is how many people are going to requirethis. … If five people want their data to be deleted, automating itdoesn't make financial sense; you won't get a return oninvestment," he says.

Most respondents to the survey said the CCPA compliancechallenges they face are both internal and beyond their control.Slightly fewer than half of all respondents cited a lack ofconsistency between the CCPA and other privacy regulations (47percent) or a lack of visibility into what data they hold (46percent) as a barrier to compliance. Around 40 percent citedinadequate technology infrastructure and inadequate implementationtime as additional challenges, while 36 percent cited a lack ofdata education.

Winterfeld notes that the challenge of "data education" includesmaking sure all departments and employees within a companyunderstand how to comply with the CCPA. For example, "you don'thave marketing go hire a company that is not compliant with therequirements," he says. He adds that companies have to make sure"data is treated in accordance to those corporate policies thatallow the company to be compliant."

See also:

• Beyond HIPAA: Using AI to Collect Covid-19Information from Employees
• Companies, Trade Organizations Seek to PostponeCCPA Enforcement Date
• Under the CCPA, Start Tracking Employee DataNow
• Companies Want Clarification on Proposed CCPARegulations

According to the survey, most companies rely on their chiefinformation officer (32 percent) or chief technology officer (29percent) to manage their CCPA compliance effort, while 18 percenthave given that responsibility to their chief legal officer. Ninepercent have their chief customer officer spearhead the effort,while 8 percent turn to their chief privacy officer and 3 percentto their chief marketing officer.

From: LegaltechNews