Complying With the California Privacy Law Could Cost $55 Billion
Consumer privacy legislation is expensive: even before a law goes into effect, companies incur costs to become compliant. The California Consumer Privacy Act, which goes into effect Jan. 1, 2020, may wind up costing companies in California a total of $55 billion, researchers from Berkeley Economic Advising and Research said.

The sweeping privacy legislation has a number of provisions designed to give consumers more control over how their information is collected and used. For example, under the law, organizations have to tell consumers what data has been collected and what it is being used for, as well have a mechanism to promptly delete the data if the consumer makes the request. Websites will need to be redesigned or updated to include a "Do Not Sell My Personal Information" opt-out link that will be required by the law.

The $55 billion is "equivalent to approximately 1.8 percent of California Gross State Product in 2018," the researchers wrote in the report, which was prepared for the California attorney general's office. It is a rough estimate of how much it would cost to get 75 percent of California companies that are subject to the law to become compliant by January.

The CCPA isn't just for the Facebooks and Googles of the world: the law will apply to companies that have gross revenue of at least $25 million; buy, sell, and share personal information of 50,000 or more consumers, households, or devices; or derive 50 percent or more of their annual revenue from selling consumer data.

Unlike the European Union's General Data Protection Regulation, which applies to all businesses that touch personal data belonging to EU citizens, the CCPA focuses on a narrower segment of the economy. Even so, the impact will be widely felt because of the large number of technology companies that collect personal data in California. Personal data in online advertising is a $12 billion annual business in California, the researchers said.

"Total CCPA compliance costs are likely to vary considerably based on the type of company, the maturity of the businesses' current privacy compliance system, the number of California consumers they provide goods and services to, and how personal information is currently used in the business," the researchers wrote.

The researchers cited figures estimating the GDPR's average incremental compliance costs at approximately 5,700 Euros per year. GDPR is also believed to have resulted in a 16-40 percent increase in annual IT budgets, the report said.

There are potential penalties and fines if a company doesn't take adequate steps to protect consumer data. There are also costs associated with becoming compliant before the law even takes effect. For most organizations, being compliant with CCPA means changing some of their processes, retraining employees, setting up new forms of record-keeping, and creating new tools. Along with the technical and operational costs, there are legal costs associated with interpreting the law so that the organization can make operational and technical plans that won't violate its clauses. There may also be additional business costs, such as having to renegotiate service provider contracts and changing business models to reflect the changes in data retention and handling, the researchers wrote.

"Some businesses may already have these mechanisms in place in light of other existing legal frameworks, including federal and international privacy laws," the researchers said. While some of the work the organizations undertook to be ready for GDPR may help lower the compliance cost of CCPA, the two laws are sufficiently different that "businesses will not likely be able to fully apply their GDPR compliance systems."

The researchers made some "back of the envelope" calculations and estimated that a small company with fewer than 20 employees will likely spend about $50,000 to get ready for CCPA, compared to a midsized firm with between 20 and 100 employees, whose costs would be over $100,000. Larger enterprises with between 100 and 500 employees will pay about $450,000 in initial costs, and the biggest companies with over 500 employees can expect to spend an average of $2 million, the report said. Legal fees incurred in preparing for the law alone could range from $50,000 to $1 million, the researchers said.

This is a good calculation to keep in mind, especially since "nearly 99 percent of California businesses have fewer than 500 employees," the researchers wrote.

The researchers also cited a recent survey by TrustArc which found that 29 percent of businesses expect to spend less than $100,000 on CCPA compliance, but 32 percent expect to spend between $100,000 and $500,000. The remaining 31 percent expected to spend more than $500,000, with some respondents saying they expected to spend more than $5 million.

The law will take effect in less than 3 months, but a recent International Association of Privacy Professionals survey found that only 2 percent of affected businesses were fully compliant with the law. That same survey found that 8 out of 10 surveyed businesses believed that the law applied to them and they had to take some steps to become compliant.

That $55 billion is just for starters. The estimated economic impact of CCPA is "expected to exceed $50 million per year once fully implemented," the researchers said.

"Our preliminary estimate of direct compliance costs is estimated to be $467-$16,454 million over the next decade (2020-30), depending on the number of California businesses coming into compliance."