For months, there has been speculation about how much the new California Consumer Privacy Act (CCPA) would wind up costing California businesses as they prepare for the sweeping new privacy legislation, which is set to go into effect on January 1, 2020. According to a new economic impact assessment prepared for the California state attorney general by independent economic research firm Berkeley Economic Advising and Research, initial CCPA compliance could cost companies as much as $55 billion. In addition, there will be compliance costs related to ongoing compliance with the privacy legislation.
Figuring out the impact of the CCPA
Based on numbers provided within the report, an estimated 75 percent of California businesses will be impacted by the new CCPA legislation. In general, the new CCPA applies to three broad classes of California-based businesses: those with annual gross revenue over $25 million per year; those that derive at least half of their annual revenue from selling consumer data and similar types of personal information; and those that buy, sell or share personal information from at least 50,000 consumers, households or devices.
Given the outsized role of the tech sector in California, it’s easy to see how the CCPA will apply to a wide range of companies, from the smallest startups in Silicon Valley that might still be in the pre-revenue stage, to the largest industrial or manufacturing companies in the state. So, it’s not just that the new CCPA will apply to a very narrow spectrum of companies that traffic in personal data (such as data brokers). Rather, it will apply to a large number of companies, which is why the size of the economic impact will be measured in the tens of billions of dollars.
Compliance cost estimates differ by types of company
Of course, CCPA compliance costs will not be the same for all businesses. According to the economic impact report, which was made public by the California Department of Finance, there will be a range of potential outcomes. At the low end of the range will be small companies with less than 20 employees. Here, CCPA compliance costs are projected to average around $50,000 per company. Then, in the middle range of the forecast are companies with between 20 and 100 employees ($100,000 in initial CCPA compliance costs) and those with more than 100-500 employees ($450,000 in initial CCPA compliance costs). At the top end of the range are companies with more than 500 employees ($2 million or more in initial CCPA compliance costs). By aggregating all these figures across company size, it is possible to arrive at the figure of $55 billion in initial compliance costs.
However, while there is a clear correlation between the size of the company and the total amount that they will be spending on CCPA compliance costs, the report is careful to note that the costs will be disproportionately borne by the smaller businesses in California. In general, larger companies have more mature privacy compliance systems, as well as more sophisticated technology systems to make sense of the reporting and monitoring duties of companies under the CCPA.
Impact of GDPR on compliance costs
The good news is that many companies are already partially prepared for the start of the new CCPA era because they have already had to acclimate to the new personal privacy reporting requirements of the European General Data Protection Regulation (GDPR), which went into effect in May 2018. Thus, many companies have already established record-keeping procedures for personal information, started employee compliance training programs, and invested in new technological solutions. This means that they will be able to reduce some of their expected CCPA compliance costs.
Ongoing CCPA compliance costs
It’s important to keep in mind that the economic impact report focused almost entirely on initial, upfront CCPA compliance costs. You can think of this as the cost of getting one’s house in order before the sweeping new privacy legislation goes into effect in January 2020. According to one estimate, only about 2 percent of companies that are required to comply with the CCPA were ready to go in Summer 2019. Thus, almost all companies will be making a mad dash to the finish line over the final three months of the year, as they rush to become fully CCPA compliant.
But that only considers the cost of getting ready for CCPA, and not the ongoing cost and financial burden that will be placed on companies as they struggle to keep up with new changes to the legislation, or to keep up with consumer requests to have their personal data deleted. The total all-in cost of compliance over the next decade could be anywhere from $467 million to $16 billion, say the researchers. That $16 billion in total CCPA compliance costs would theoretically cover special contingencies, such as potential fines or penalties.
Unexpected implications of CCPA
Given the size and magnitude of these CCPA compliance costs, one might expect that privacy compliance would become a huge burden on companies, or at least, an annual drag on their overall profitability. However, that’s not necessarily the case, says Berkeley Economic Advising and Research. There is actually a positive feedback loop that might emerge: as consumers expand their trust in California companies, then they will be more willing to share more and more data with them; and as they share more and more data with them, companies will actually be able to expand the types of goods and services that they offer. Moreover, there might be an economic multiplier effect at work, in which every $1 spent on CCPA privacy compliance might lead to several dollars in new product innovation.
At the very least, the need for nearly all companies to become CCPA-compliant will likely lead to a vast flourishing of new software, new IT solutions and new innovative data products that streamline the process of managing personal data. Thus, the more that the process becomes streamlined and efficient, the more productive and profitable a company is likely to become.
Smaller businesses may be spending more on initial CCPA compliance if they do not have existing #privacy compliance systems like in big companies. #respectdata
Click to Tweet
Of course, that’s very much a “glass half full” approach to the CCPA privacy legislation. It assumes that all companies are on board with the idea of enhanced privacy and security for their customers, as well as greater respect for how personal data is used, shared, and monetized. Starting in 2020, all California businesses will be in it together. If everything goes as planned, then the state of California could become a new paradigm for other states around the nation as the United States finally catches up to Europe with its approach to personal privacy.