Press Release

OneTrust-IAPP Research: Most U.S. Companies are Not Ready for the CCPA

With only six months until the CCPA implementation date, research reveals less than half will be prepared

April 30, 2019

Today at International Association of Privacy Professionals’ (IAPP) Global Privacy Summit, OneTrust and the IAPP announced the results from research analyzing California Consumer Privacy Act (CCPA) preparedness in advance of the regulation’s Jan. 1, 2020 compliance deadline. The IAPP, the largest and most comprehensive global information privacy community and resource, and OneTrust, the largest and most widely-used dedicated privacy management technology platform, surveyed U.S. organizations spanning size and industry, and found that while reputation and consumer privacy are the biggest drivers for CCPA compliance, only 55% of companies plan to be ready by the law’s Jan. 1, 2020 effective date.

Download the Research: Ready or not, here it comes: How prepared are organizations for the California Consumer Privacy Act?

The CCPA is the first of its kind U.S. consumer privacy law which broadly expands the data protection and privacy rights of California residents. The law, inspired by the EU’s General Data Protection Regulation (GDPR), requires organizations that do businesses in the state to undertake significant operational reform to meet the increased obligations of handling California consumer personal data.

In the first of three planned reports this year to assess CCPA readiness overtime, the OneTrust-IAPP research revealed most organizations still have a long way to go toward compliance. Key findings from the research found:

  • Only 55% of those surveyed plan to be ready for the CCPA by its enforcement date: Jan. 1, 2020. Another 25% plan to be ready by July 1, 2020, the date California will begin enforcement actions.
  • The biggest reason organizations are underprepared is due to a lack of time, whereas the biggest motivator for compliance is company reputation.
  • GDPR readiness is paying off: companies with a “high” level of GDPR compliance have early target dates for CCPA compliance (59% will be ready by Jan. 1), while none of the organizations that report “low” GDPR compliance plan to be ready by this same date.
  • Federal preemption is unlikely: 47% of those surveyed believe a federal privacy law that preempts the CCPA will not be passed by Congress over the next year or two.

Given the haste with which the CCPA became law, as well as a number of drafting errors, many organizations seem to have taken a wait-and-see approach to compliance. But now, with the law taking effect Jan. 1, 2020, and becoming enforceable July 1, 2020, it is clearly time for organizations to take a closer look at the CCPA and begin preparing toward compliance.

“The CCPA is a major moment for the U.S. privacy landscape and our research reveals companies that didn’t need to overhaul privacy practices for GDPR compliance are now struggling to meet the CCPA’s 2020 deadline,” said Kabir Barday, OneTrust CEO and Fellow of Information Privacy (FIP). “With OneTrust, organizations can simplify this compliance process and implement an automated and research-backed technology solution to fast-track their efforts and efficiently meet CCPA requirements, including the 12-month ‘look back’ clause which forces companies to handover consumer data handling practices as far bas as January 2019. We’ve already seen a massive increase in customer interest in the CCPA, and are helping many organizations make the necessary CCPA operational changes to leverage the new law as a stepping stone for building a global privacy program.”

“Our survey targeted a community of well-informed privacy professionals, and even they seem a bit caught off guard by the CCPA,” said Rita Heimes, IAPP Research Director and Data Protection Officer. “Nevertheless, they seem to think it’s not likely to be replaced by a federal law any time soon.”

Download the full research report to learn more. For additional information, or to request a live OneTrust Privacy Management Software demo, visit or email To learn more about the IAPP, visit


About IAPP

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.


About OneTrust

OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management. According The Forrester New Wave™: GDPR and Privacy Management Software, Q4 2018, OneTrust “leads the pack for vision and execution.” Additionally, Fast Company named OneTrust as one of 2019’s World’s Most Innovative Companies.

More than 2,500 customers, both big and small and across 100 countries, use OneTrust to implement their privacy, security and third-party risk programs, automatically generating the specific record keeping needed to demonstrate compliance with privacy regulations including the EU GDPR, California Consumer Privacy Act (CCPA), Brazil LGPD, and hundreds of the world’s privacy laws.

OneTrust’s size and scale allows it to offer the easiest-to-use and most affordable solution for implementing use cases including: Privacy Maturity Benchmarking, Data Protection by Design and Default (PbD), Data Protection Impact Assessments (PIA/DPIA), Third-Party Vendor Risk Management, Incident and Breach Response, Data Mapping (Records of Processing), Customer Preference Management, Consent Management, Website Scanning & Cookie Compliance, Mobile App Scanning, Data Subject/Consumer Rights Management and Policy & Notice Management. The software, available in 60 languages, is backed by 50 awarded patents, integrates with 300 technology partners, and can be deployed in the cloud or on-premise.

The platform’s intelligence comes from DataGuidance by OneTrust, an in-depth and up-to-date source of privacy and security regulatory summaries, guidance, templates, case law, and analysis. Hundreds of global privacy and security laws and frameworks are built-in, including security frameworks like ISO27001. The database is updated daily by over 30 in-house privacy researchers, along with a network of 500 lawyers across over 300 jurisdictions, and by active input as part of OneTrust’s regulatory engagement program.

OneTrust’s customers are supported by a worldwide team of over 100 in-house privacy implementation and support resources and boasts a customer satisfaction score of 95%. Customers can also access more than 1,000 external individuals who have completed the OneTrust Certified Privacy Management Professional program.

The OneTrust Global Privacy Community is the largest, most active and globally available community for privacy technology. Each year, OneTrust brings together over 10,000 professionals across 400 events to share best practices and breakdown the latest technology innovations driving global privacy compliance. Events include PrivacyConnect workshops in 100+ international cities and PrivacyTech, OneTrust’s global user conference.

OneTrust’s 700 employees are located across co-headquarters in Atlanta and in London with additional locations in Bangalore, Melbourne, San Francisco, New York, Munich and Hong Kong. To learn more, visit or connect on LinkedInTwitter and Facebook.

You may also like


Consent & Preferences

Global Privacy Control: CCPA enforcement of GPC opt-out signals webinar

Watch this on-demand webinar to gain an overview of what Global Privacy Control (GPC) is, the benefits of the signal, and how it works.

October 30, 2022

Learn more


Privacy Management

Employee vs. consumer rights: Same concept, different reality

Join this webinar to learn about the rights request fulfillment complexities introduced by the end of the employee exclusion in the CPRA.

August 25, 2022

Learn more

White Paper

Privacy & Data Governance

How OneTrust helps with California privacy law compliance (CCPA & CPRA)

This guide to California privacy law compliance helps your organization understand the requirements under the CCPA and CPRA.

June 23, 2022

Learn more