CCPA applies to Small-to-Medium-Sized Enterprises, and they face unique challenges.
SMEs surveyed by the IAPP – International Association of Privacy Professionals stated that even if they “do not meet the CCPA’s definition of a ‘business,” their clients and customers will require them to sign contracts attesting to CCPA compliance.
Many have already faced such demands. Since SMEs operating as part of the data ecosystem are likely to be covered by the CCPA regardless of any revenue or data processing thresholds designed to lessen their compliance burdens, guidance (and future legislation) should be designed with their needs in mind.”
“The most significant CCPA compliance challenge SMEs expect to face is revising data processing provisions in contracts. Having just updated countless contracts to comply with the EU General Data Protection Regulation, SMEs expect to devote significant time and resources (and invest in outside legal counsel) to update them again.”
For SMEs, “manual processes are more common than automated ones across the board — for access requests, data inventories, privacy impact assessments and records of processing. This could pose unique challenges for identity verification under the CCPA.”