Corporations may be crossing their collective fingers as the California Consumer Privacy Act's (CCPA) July 1, 2020, enforcement deadline continues to inch closer. Exterro's Annual Study of Legal Spend Management was released last week in conjunction with the Blickstein Group and Corporate Counsel Business Journal, and the results indicate that organizations may not be putting their money where their mouths are when it comes to privacy compliance goals.

Responses were collected from 52 corporate legal department employees working across a variety of industries. Among those respondents, 71% indicated that providing defensibility and complying with new privacy laws such as the CCPA would be a top priority for their department in 2020.

However, 65% of respondents also indicated that they believe legal spend geared towards compliance with new privacy laws will decrease in 2020. For example, just over 50% of respondents indicated that they would be spending less than $0.5 million on compliance with privacy laws, compared to the slightly more than 40% who said the same in 2019.

So if companies are making privacy compliance a top priority this year, why doesn't the spend reflect that goal? "A lot of organizations—which I think could be detrimental for their risk mitigation efforts—are taking a wait-and-see approach with the CCPA," said Michael Hamilton, senior managing director of marketing at Exterro.

Organizations may be banking on regulatory authorities not being ready to enforce certain aspects of the CCPA straight away. Hamilton noted that this echoes the approach that some organizations also took to the General Data Protection Regulation (GDPR) and its tenets around the right to know and right of access.

Similar provisions are found in the CCPA and allow customers to see and obtain copies of any information a company has collected about them. Putting the necessary infrastructure in place to satisfy those data subject access requests can be pricey for a corporation, though regulators may already be finding the requirement difficult to enforce.

"What we've seen with the GDPR so far is that it's been hard for the EU Commission to really enforce the GDPR at a detailed level, meaning that they are not really able to monitor all of these different requests for personal data and deleting that personal data and anonymizing that personal data," Hamilton said.

But aside from the "wait-and-see" approach, it's possible that businesses are just allocating their privacy-related spend under a different heading. The Legal Spend Management survey, for example, shows that the majority of respondents (51%) believe the most risk for increased costs comes from litigation.

"I think that continues to be the highest amount of risk—the highest amount of risk associated with spend—based on increased litigation from the data privacy laws," Hamilton said. As for the 7% of respondents who rated the specified privacy category as being of the most risk for increased costs, Hamilton believes that refers to creating a defensible process for compliance.

Survey respondents were also asked to rate such privacy initiatives by importance using a scale of 1 (least important) to 5 (most important). Creating an online portal for individuals to request data rated at the top with a 4.5, followed by building an automated data subject access request process at 2.8. Repurposing e-discovery technology to identify, collect and review data subject access requests placed last with a 2.4 rating.

Hamilton thinks that companies could be in trouble come the July CCPA compliance date if they don't have efficient and defensible processes for managing the intake of data subject access requests. "Organizations are, I think, unfortunately going to be getting a wake-up call," he said.