Initial CCPA Compliance Costs Could Hit $55 Billion: StudyReport Estimates Anticipated Expenses for California Consumer Privacy Act Compliance
The California Consumer Privacy Act could cost companies in the state a total of $55 billion for initial compliance expenses, according to a new study prepared for the state attorney general's office. The landmark privacy legislation is slated to go into effect on Jan. 1, 2020.
The study, prepared by independent researchers at Berkeley Economic Advising and Research, was made public by the Department of Finance in late September.
The report portrays the $55 billion figure as a rough estimate of initial compliance costs for the 75 percent of California companies that will be required to adhere to the new law.
CCPA is designed to provide sweeping privacy protections for California's residents. It includes, for example, a provision that will allow consumers to know what data companies are collecting on them. Another section gives consumers in that state right to have personal information deleted from company databases (see: CCPA: The Start of a New Era of Consumer Privacy Laws?).
CCPA will affect three types of businesses based in California:
- Companies that have gross revenue of at least $25 million;
- Companies that buy, sell and share the personal information of 50,000 or more consumers, households or devices;
- Companies that derive 50 percent of more of their annual revenue from selling consumers’ personal information.
While the European Union's General Data Protection Regulation covers all businesses that handle personal data of EU citizens, California’s law applies to a narrower set of companies, the study notes (see: British Airways Faces Record-Setting $230 Million GDPR Fine).
Because California is home to so many major technology companies that collect personal data, compliance costs will be high, the study notes. For example, Facebook and Google offer a slate of free services and apps to consumers in exchange for personal information that is sold to advertisers.
In addition to legal fees associate with compliance efforts, other expenses will include employee retraining and new record keeping practices, as well as investments in technologies so websites can include a "Do Not Sell My Personal Information" link as required by CCPA, the study notes.
"Total CCPA compliance costs are likely to vary considerably based on the type of company, the maturity of the businesses their current privacy compliance system, the number of California consumers they provide goods and services to, and how personal information is currently used in the business," according to the study.
An economic impact report in the study analyzes the costs that companies may incur.
For instance, a smaller company with less than 20 employees is expected to spend about $50,000 in initial CCPA compliance costs, while midsized firms with between 20 and 100 employees could incur costs of $100,000 to start, according to the study.
Larger enterprises with between 100 and 500 employees will pay about $450,000 in initial CCPA compliance costs, while the biggest companies with 500 or more employees can expect to pay an average of $2 million, the study finds.
The expenses come at a time when companies are reaping big rewards from the buying and selling of personal consumer data. The study found that using personal data in online advertising is a $12 billion annual business in California. When combined with the buying and selling of information from data brokers, the number swells to $20 billion annually, the study showed.
After the initial compliance expenses, California businesses could spend an additional $16 billion over the next decade to keep up with changes and other expenses, according to the report. Those expenses could include hefty fines for those who violate the law.
A recent report from the International Association of Privacy Professionals found that as of this summer, only 2 percent of affected businesses were fully compliant with the law.
Meanwhile, some other state legislators are using the California law a model. In Nevada, for instance, a new privacy law went into affect on Oct. 1. That law, known as Senate Bill 220, will give consumers more ways to keep websites from selling personal data to third-parties.