CCPA Draft Regs Regulatory Impact Assessment Provides More Insight Into CCPA Compliance
November 5, 2019 – Alerts
The California Attorney General attached a Standardized Regulatory Impact Assessment (SRIA) of the economic impact of the draft California Consumer Privacy Act (CCPA) Regulations to the draft regulations. Some key takeaways:
- Either 50% or 75% of all California businesses that earn less than $25 million in revenue will be covered under the CCPA.
- While the law says that medical information is not covered as Personal Information (PI) under the CCPA, the SRIA assumes that large firms in the health care sector will still likely need to comply with the law as they collect other non-medical personal information on consumers.
- For businesses located in California alone, the lower bound estimate of the number of businesses affected by the proposed regulations is 15,643. The upper bound estimate ranges from 383,323 to 570,066.
Specific Incremental Costs Directly Attributable to the Regulations
1. The small fraction of technology and operations costs that will directly exceed an average business' or service provider’s interpretation of the CCPA due to the specificity of the regulations.
- Operational costs are predominantly the one-time cost of establishing workflows, plans and other interdepartmental non-technical systems to determine the business’ best compliance pathway under the CCPA.
- These costs are largely labor costs associated with meetings and compliance planning.
- For illustrative purposes, the SRIA assumes that for large companies, three individual employees, each representing a different department in the organization, will need to coordinate with weekly meetings (two hours each) for six months.
- The SRIA assumes that 25% of total expected compliance costs reported by firms are likely to be for the technology requirements necessary to respond to CCPA requests. Based on survey results the SRIA assumes a central value for technology costs of $75,000 per firm, 10% of which is assumed to be directly attributable to the regulations.
- The regulatory requirement that service providers respond to consumer requests by providing the contact information for the primary personal information-collecting business will likely require the service provider to build out a process for responding to requests and identifying which business it is servicing.
2. The costs of complying with the Department of Justice's 90-day look back requirement for firms selling personal information to third parties.
The incremental compliance cost associated with this regulation is the extra work required by businesses to notify third parties that further sale is not permissible. Businesses that sell personal information will need to retain records to track these sales and must allocate resources to communicating with third parties once an opt-out request is made.
3. The more detailed training requirements for firms handling the personal information of more than 4 million California consumers.
- The total compliance cost for the 9,858 businesses with more than 500 employees with respect to the training requirement is $6.062 million per year.
- The SRIA assumes that for large firms, there will be a team of approximately five privacy professionals that may handle consumer requests or be responsible for the business’s CCPA compliance and that each individual will require two hours to complete the training.
4. The more detailed recordkeeping requirements for firms handling the personal information of more than 4 million California consumers.
For this, it is estimated that each company will incur a labor cost of $984/year and that the total cost for businesses assumed to exceed the 4 million consumer threshold would be $9.7 million per year.
5. Verification Costs
- There may be some additional compliance costs attributable to the regulation from a business needing to confirm the identity of consumers without accounts making CCPA requests.
- If businesses build out efficient systems for complying with other aspects of the CCPA related to handling consumer requests, the incremental cost of matching the identity of a consumer to personal information that the business already has is likely to be quite low.
- On the other end of the spectrum, for businesses that attempt to manually verify consumers without an account, the marginal cost would be the labor cost associated with having staff dedicated to this verification process and the variable cost is likely to be quite high.
Regarding financial incentives, the draft regulations are essentially telling businesses that they can use whatever method they prefer to calculate the value of the consumer information, so long as there is an actual method developed that is reasonable.
Incentives for Innovation
- The CCPA will generate incentives for innovation across a range of new privacy products and services for consumers.
- The CCPA will fundamentally change how firms work with personal data. Some industries will be forced to completely revise their business models to incorporate the newly required data protections.
- Data brokers, for example, will need to fundamentally change the way they operate.
- The CCPA may, somewhat counterintuitively, also provide firms with new opportunities to expand data-based research and products. If the CCPA increases consumers’ trust in data protections, it could actually increase the amount of data that consumers are willing to share with firms.
Impact on Small Businesses
- Small firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises.
- Large technology firms that are already GDPR-compliant will likely find it easier to become CCPA-compliant. Furthermore, with more revenue, large companies are better suited to absorb up-front compliance costs.
- These concerns will present real challenges for small businesses in the short term. In the long term, however, the differential impacts will be smaller as competition in the compliance solution market increases and costs fall.
- CCPA compliance will create additional barriers to entry for future competitors considering entering the California market.
- Firms that become CCPA-compliant now will be better positioned to adapt to future privacy protection regulations.
- According to the American Community Survey, there are 35 million people in California who have internet access, either with a computer or a mobile phone. These online consumers will be the primary beneficiaries of CCPA.
- Macroeconomic: Aggregate impacts attributable to CCPA could not materially influence California’s baseline growth dynamics.
Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of CCPA compliance issues contact Odia at [email protected] or 215.444.7313.