California's new privacy law could cost companies a total of up to $55 billion in initial compliance costs, according to an economic impact assessment prepared for the state attorney general's office by an independent research firm.
The review, released publicly by California's Department of Finance, provided a broad range for the potential costs companies could face to become and stay compliant with the California Consumer Privacy Act (CCPA) if signed into law by Democratic Governor Gavin Newsom.
On the low end, the researchers estimated that firms with fewer than 20 employees might have to pay around $50,000 at the outset to become compliant. On the high end, firms with more than 500 employees would pay an average of $2 million in initial costs, the researchers estimated. The $55 billion researchers estimated companies will initially pay to become compliant is equivalent to about 1.8% of California's Gross State Product in 2018, according to the report.
In addition, total compliance costs for all companies subject to the law could range from $467 million to more than $16 billion over the next decade, according to the report.
The assessment comes as amendments to the CCPA are nearing final approval this month. The law is set to go into effect on Jan. 1, 2020. The attorney general's office is tasked with defining regulations that will help companies understand the steps they need to take to comply.
The bill grants rights to California residents to be informed about how companies collect and use their data, and allows them to request their personal data be deleted, among other protections. The law would apply to all businesses in the state that generate annual gross revenue over $25 million; derive at least half of their annual revenue from selling customers' personal information; or that buy, sell or share personal information from at least 50,000 consumers, households or devices. Researchers estimated that as many as 75% of California businesses earning less than $25 million in revenue would be impacted by the legislation.
Lawmakers in Washington, D.C. are closely watching the legislation as they consider a federal privacy law. As states begin to take on their own privacy legislation efforts, tech executives like Facebook CEO Mark Zuckerberg have advocated for creating a nationwide policy. Setting one legal standard would likely be less costly and complicated for tech firms than a piecemeal approach to compliance.
Businesses operating in California could have a head start on tackling compliance costs should other state laws or a national policy take effect, according to the report. In the meantime, relatively few businesses will be hurt by having to compete with other firms that are not subject to California's protections.
California's legislation borrows some elements from Europe's General Data Protection Regulation, which went into effect last year. Since many businesses in California that operate in Europe already had to make changes to comply with the GDPR, the report's authors said compliance costs for California's law would be reduced. The EU estimated average incremental compliance costs for the GDPR would total about 5,700 Euros a year (nearly $6,300), according to the report, though there is also evidence the regulation "reduced firm productivity in sectors that rely heavily on data."
Like with the GDPR, the report said, smaller firms are likely to take on a disproportionately larger share of compliance costs compared to larger firms.
"Over a year after the introduction of the GDPR, concerns regarding its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs. Resources explain this dichotomy as large technology companies are often several steps ahead of both competitors and regulators," the researchers wrote.
In the long term, however, the authors said the differential impact will likely shrink, driven in part by competition among third-party services that will help small businesses comply with the legislation.
The researchers also looked into the value of the consumer data the CCPA seeks to protect.
They estimated the value of personal information used for advertising in the state tops $12 billion each year, and could be $20 billion or more if you add in the value of that information to data brokers.
"The CCPA will fundamentally change how firms work with personal data. Some industries will be forced to completely revise their business models to incorporate the newly required data protections," the researchers wrote.
The researchers point out that the law could contribute to inequity between socio-economic groups, since people with higher incomes can afford to pay for more expensive services that don't profit from user data. Hayley Tsukayama, a legislative activist at the Electronic Frontier Foundation, said this is a valid concern, but that the issue that predates the CCPA itself. The EFF has supported the introduction of the CCPA.
"I don't necessarily think the CCPA necessarily creates a system of two tiers, but I do think a system of two tiers does exist right now," Tsukayama said.
The law also introduces some new business opportunities, according to the report.
"The CCPA may, somewhat counterintuitively, also provide firms with new opportunities to expand data-based research and products," according to the report.
"If the CCPA increases consumers' trust of data protections it could actually increase the amount of data that consumers are willing to share with firms. Despite the additional controls put on data use, increased access to users' data could help improve business' capacity to produce and bring research to market as well as increase firm capacity for product innovation."
Correction: This article has been updated to reflect the bill has been signed into law, but amendments still need final approval.