What Privacy Law? 52% of SMBs Don’t Know If CCPA Affects Them

Published

Jan 21, 2020

On January 1, America’s first comprehensive privacy legislation, the California Consumer Privacy Act, became the law of the land and a de facto national standard. There’s just one problem: More than half of companies have no idea if CCPA applies to them, according to a recent survey conducted by Rippling.

We polled 408 small- and medium-sized businesses, 38% of which are based in California, to see how they’ve responded to the landmark regulation. CCPA applies to companies that have customers in California and meet certain criteria, regardless of where they’re located.

The results show that most companies are still woefully unprepared for the new obligations they have to customers and employees. Here are the top takeaways:

Over half of SMBs don’t know if CCPA applies to them

Ignorance of the law may be no excuse -- but it is the norm. Despite the major legal and financial repercussions of not complying with CCPA, 52% of companies don’t know whether it applies to their businesses. Nearly 28% of businesses are confident CCPA doesn’t apply to them, while 20% say it does.

Those results are consistent with surveys conducted before CCPA took effect that found nearly half of business leaders had never heard of the law. But the continued lack of awareness is concerning, suggesting that many companies affected by the law haven't taken necessary steps to change their data practices.

CCPA enforcement begins July 1, and penalties are steep -- businesses can be fined up to $7,500 per incident, and are vulnerable to lawsuits if they fail to comply with disclosure or deletion requests.

Employees still in the dark on data collection

Companies subject to CCPA are required to send out privacy notices to their California employees and contractors informing them what personal data they’re collecting and how it’s being used. Less than 4% of businesses in our survey have taken this step.

Few have outsourced compliance - yet

While CCPA was intended to target tech giants like Facebook and Google, the compliance burden has mostly fallen on SMBs that lack the resources to invest in it. One report found that companies with fewer than 20 employees can expect to shell out $50,000 upfront to become compliant, while firms with more than 500 employees will pay an average of $2 million.

So it should come as no surprise that just 7% of companies in our survey say they’ve invested in compliance consultants or software. 80% say they have not. 

With such high stakes, many businesses would be better off biting the bullet and investing in expert help now—and avoid incurring hefty penalties later on.

Majority practice good password hygiene to avoid data breaches

Data breaches are often disastrous for SMBs, costing $200,000 on average and putting many out of business within six months of an attack. Under CCPA, they could cost considerably more. For the first time, the law makes companies liable for data breaches, including data breaches of third-party vendors with whom they’ve shared sensitive information. 

The good news is a majority of companies are already taking measures to protect their data. According to our research, 68% of companies are using password managers, more than 57% are using Single Sign-On (SSO) for access control, and nearly 47% are encrypting and redacting data. 

Given that weak and stolen credentials are linked to 80% of hacking-related breaches, improving password and access security is one of the best steps businesses can take to avoid costly CCPA penalties and lawsuits.

Are you ready for CCPA?

Ignorance isn't bliss. If, like most businesses, you’re not sure how CCPA affects you—Rippling can help.

Schedule a demo today or refer a friend to see how Rippling can simplify HR and IT and make CCPA compliance easy for employers.

last edited: March 26, 2024

The Author

Vanessa Wu

Rippling General Counsel

Vanessa is based in San Francisco and serves as the General Counsel at Rippling, where she oversees the Legal, Compliance, Enterprise Risk, and Internal Audit teams. Before Rippling, she advised on high-stakes litigation in private practice, and served as the GC of publicly-traded technology company.