Was your New Year’s resolution to get your business ready for California’s new privacy law? If not, you’re in good company.

Our recent survey of over 400 small and medium-sized businesses found that the vast majority aren’t prepared for CCPA — or the costly fines and lawsuits that come along with it. Only 7% say they’ve invested in compliance consultants or software.

CCPA was intended to target tech giants, but it’s become a headache for SMBs without the resources or in-house expertise to get up to code.

To give our customers one less thing to worry about, we’ve updated our product to make it easy for employers to meet new legal requirements.

The only way to automate employee privacy notices

Starting this month, companies subject to CCPA are required to send their California-based employees and contractors a notice that details the kinds of personal data they’re collecting and how it’s being used.

If you’re like most business owners, you might be thinking: Great! One more thing to do. Our survey found that less than 4% of companies have taken this step.

Luckily, Rippling is in a unique position to help our customers comply with CCPA notice requirements because most of your employee data is already in our platform. So we created a tool that makes it easy to customize and automatically send privacy updates to your workforce.

This feature is the first of its kind — and it’s free for current customers.

Here’s how it works

1. Company admins can access the feature in Rippling by going to Company settings → Templates. At the bottom of the new page, click “Create a new CCPA notice”.

2. You can fully customize this template form to reflect your organization’s data collection practices — and even add your company logo.

3. Once you’re happy with the form, select how it’s distributed to your workforce. For example, you can set Rippling to automatically send notices to new hires once they’ve completed onboarding.

You can also send notices to specific groups, like salespeople or full-time employees.

4. You’re done! It’s that easy.

CCPA notice templates are now live in Rippling — check it out and let us know what you think. In addition to privacy notices, Rippling has all the tools you need to securely manage employee data — and avoid costly fines and lawsuits:

With CCPA enforcement starting on July 1, it’s not too late to get compliant. Schedule a demo today or refer a friend to find out how our powerful platform can give you peace of mind.

On January 1, America’s first comprehensive privacy legislation, the California Consumer Privacy Act, became the law of the land and a de facto national standard. There’s just one problem: More than half of companies have no idea if CCPA applies to them, according to a recent survey conducted by Rippling.

We polled 408 small- and medium-sized businesses, 38% of which are based in California, to see how they’ve responded to the landmark regulation. CCPA applies to companies that have customers in California and meet certain criteria, regardless of where they’re located.

The results show that most companies are still woefully unprepared for the new obligations they have to customers and employees. Here are the top takeaways:

Over half of SMBs don’t know if CCPA applies to them

Ignorance of the law may be no excuse — but it is the norm. Despite the major legal and financial repercussions of not complying with CCPA, 52% of companies don’t know whether it applies to their businesses. Nearly 28% of businesses are confident CCPA doesn’t apply to them, while 20% say it does.

Those results are consistent with surveys conducted before CCPA took effect that found nearly half of business leaders had never heard of the law. But the continued lack of awareness is concerning, suggesting that many companies affected by the law haven’t taken necessary steps to change their data practices.

CCPA enforcement begins July 1, and penalties are steep — businesses can be fined up to $7,500 per incident, and are vulnerable to lawsuits if they fail to comply with disclosure or deletion requests.

Employees still in the dark on data collection

Companies subject to CCPA are required to send out privacy notices to their California employees and contractors informing them what personal data they’re collecting and how it’s being used. Less than 4% of businesses in our survey have taken this step.

Few have outsourced compliance – yet

While CCPA was intended to target tech giants like Facebook and Google, the compliance burden has mostly fallen on SMBs that lack the resources to invest in it. One report found that companies with fewer than 20 employees can expect to shell out $50,000 upfront to become compliant, while firms with more than 500 employees will pay an average of $2 million.

So it should come as no surprise that just 7% of companies in our survey say they’ve invested in compliance consultants or software, while 80% say they have not.

With such high stakes, many businesses would be better off biting the bullet and investing in expert help now, avoiding hefty penalties later on.

Majority practice good password hygiene to avoid data breaches

Data breaches are often disastrous for SMBs, costing $200,000 on average and putting many out of business within six months of an attack. Under CCPA, they could cost considerably more. For the first time, the law makes companies liable for data breaches, including data breaches of third-party vendors with whom they’ve shared sensitive information.

The good news is that a majority of companies are already taking measures to protect their data. According to our research, 68% of companies are using password managers, more than 57% are using Single Sign-On (SSO) for access control, and nearly 47% are encrypting and redacting data.

Given that weak and stolen credentials are linked to 80% of hacking-related breaches, improving password and access security is one of the best steps businesses can take to avoid costly CCPA penalties and lawsuits.

Are you ready for CCPA?

Ignorance isn’t bliss. If, like most businesses, you’re not sure how CCPA affects you, Rippling can help.

Schedule a demo today or refer a friend to see how Rippling can simplify HR and IT and make CCPA compliance easy for employers.

When the clock strikes midnight this New Year’s, we’ll be living in a new era of data privacy. Thanks to a California law that takes effect Jan. 1, for the first time consumers will have the right to know what personal information companies collect from them and how they use it.

Considering how much of our personal privacy has eroded in the digital age, it’s an important step forward. But the new law, known as CCPA, has also caused uncertainty for businesses that don’t have legions of lawyers to make sure they’re compliant. One study found that only 12% of companies have achieved “adequate” compliance.

At Rippling, we want to help our customers stay on top of evolving privacy standards. Here’s what you need to know.

Does it apply to you?

The law applies to any for-profit business that collects the data of Californians and meets at least one of three criteria: it earns at least $25 million in yearly revenue, it makes 50% of its revenue by selling personal information, or it receives the personal information of at least 50,000 California residents.

Small companies can easily reach the 50,000 threshold by collecting customer email addresses or using cookies on their website. Even if your company doesn’t deal directly with consumers, you may still be covered if you provide online services (like payment processing) to businesses that are subject to the law.

California employers must take action

Employee data is exempt from most of the new requirements for one year. But all California employers are still on the hook for a few things starting in January. Employers can be sued if they don’t have reasonable security measures in place to protect the personal information of their workforce.

Employers must also notify employees and contractors what type of personal information they’re collecting and how it’s being used. Rippling customers will be able to do that automatically through our platform starting in mid-January.

You could be sued for third-party data breaches

On average, companies share sensitive information with 583 third parties. If one of them has a data breach that compromises your users’ personal information, your business is liable.

That’s bad news — hackers know third parties are a weak link and actively target them. Vendor hacks account for over half of all U.S. data breaches, including many of the biggest of 2019 (Capital One, Quest Diagnostics). These breaches cost twice as much on average and cause lasting damage to your reputation and bottom line. The best way to protect your business is to choose your vendors carefully — check out our infographic for tips.

The penalties are strict, but there’s a grace period

The law takes effect Jan. 1, but enforcement won’t begin until July 1. After that, your business can be fined $2,500 – $7,500 for each violation. For the first time, individuals also have the right to bring costly lawsuits against businesses that don’t comply with disclosure or deletion requests, or are responsible for data breaches of their personal information.

Is your business ready?

If your company does business in California, there are several steps you’ll need to take to comply with the law:

Additionally, companies that collect personal information from consumers should:

California is the first state to enact comprehensive data privacy legislation, but it won’t be the last. In fact, nearly two dozen other states have already followed suit. Whether or not you’re subject to the law on Jan. 1, CCPA will set a new standard for how businesses nationwide manage data. Don’t delay. Invest now in getting your house in order.