The total cost of initial compliance with the California Consumer Privacy Act (CCPA) is estimated at $55 billion, according to an economic impact assessment report.

The California Department of Justice’s implementation of the CCPA requires a standardized regulatory impact assessment (SRIA) if the estimated economic impact of the regulation is expected to exceed $50 million per year. The SRIA, prepared for the state attorney general’s office by Berkeley Economic Advising and Research, predicts direct compliance costs will reach between $467 million and approximately $16.5 billion by 2030.

The report made the following assumptions (which might be good for benchmarking purposes) in determining the $55 billion price tag for initial compliance:

  • Companies with fewer than 20 employees will incur an average initial cost of $50,000.
  • Companies with between 20 and 100 employees will incur an average initial cost of $100,000.
  • Companies with between 100 and 500 employees will incur an average initial cost of $450,000.
  • Companies with more than 500 employees will incur an average initial cost of $2 million.
  • It also assumes that 75 percent of California businesses will need to comply with the CCPA. 

The CCPA applies to any business in California that meets at least one of the following criteria: (1) has annual gross revenues over $25 million; (2) buys, sells, or shares personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of its annual revenue from selling consumers’ personal information.

Many businesses with annual revenues under $25 million will likely be subject to the CCPA due to the other two thresholds, the report states. The SRIA estimates that anywhere between 50 and 75 percent of businesses that earn less than $25 million in revenue will fall under CCPA regulation requirements.

Adverse impact on small businesses

Small businesses in California will likely be hit harder by the compliance costs than larger enterprises for several reasons, the report warns. For one, large technology firms that already have compliance measures for the European Union’s General Data Protection Regulation (GDPR) in place will face lower costs to become compliant with the CCPA. For another, “large companies are better suited to absorb up-front compliance costs” thanks to in-house regulatory resources, the report states, while smaller competitors will struggle to interpret and implement the regulations as well as meet associated costs.

[Figure: Total Enterprise Compliance Costs. Source: State of California Department of Justice Office of the Attorney General]

“Nearly 99 percent of California businesses have fewer than 500 employees,” the SRIA points out. The competitive disadvantage for small firms will only exist in the short term, however, the report predicts, as a new market for third-party service providers of compliance solutions will emerge.

“Although some small businesses will use in-house resources to become compliant, we expect that many others will outsource this work to dedicated firms. As competition in this new market increases, we expect overall costs to fall, limiting the differential impacts between small and large businesses in the long run,” the report states.

Considerations for consumers and minors

The SRIA addresses equity considerations from the consumers’ perspective, as well. Disadvantaged groups with low computer literacy might not be able to understand how to exercise their privacy rights. In addition, low-income groups might be disadvantaged by the stipulation that businesses can charge consumers a fee in exchange for services, or ask them to give up personal information. High-income groups will be able to pay the fee and protect their personal information, whereas low-income groups might not.

Concerning the personal information of minors, the CCPA requires firms to obtain affirmative authorization of the minor (if 13-16 years old) or their parent or guardian (if under 13 years old) to sell personal information. This requirement goes beyond existing regulations under the Children’s Online Privacy Protection Act (COPPA), which requires consent for the collection of data; the CCPA, in contrast, requires the additional notification of consent for sale.

Incremental costs and new opportunities for businesses

Compliance costs directly attributable to the DOJ’s regulation break down into four categories, the SRIA outlines: (1) the technology and operations costs associated with implementing the CCPA; (2) the costs of complying with the 90-day lookback requirement for firms selling personal information to third parties; (3) the more detailed training requirements; and (4) the more detailed recordkeeping requirements. (The latter two categories apply to firms handling the personal information of more than 4 million California consumers.)

Annual technology costs are projected at $75,000 per firm.

While the SRIA acknowledges its net cost estimates reflect a “pessimistic” outlook, it also states the CCPA might ironically provide new opportunity for data-based research and products.

“If the CCPA increases consumers’ trust of data protection,” the SRIA states, “it could actually increase the amount of data that consumers are willing to share with firms. Despite the additional controls put on data use, increased access to users’ data could help improve businesses’ capacity to produce and bring research to market as well as increase firm capacity for product innovation.”