October 8, 2019
Vast Implications of the CCPA
by Mark Webb
For those who can afford compliance, it will be business as usual. For those who cannot, compliance is a death knell to innovation.
The California Department of Finance recently wrote a Standardized Regulatory Impact Assessment (SRIA) of the California Consumer Privacy Act of 2018 (CCPA). The SRIA was prepared for the Department of Justice, the primary regulatory body, whose work is hoped to provide some clarity over what remains a confusing array of obligations for most California businesses. The Department of Finance is required by law to do these assessments when the proposed regulation has an economic impact of over $50 million.
The Department of Finance went to great lengths to separate the cost of compliance with the CCPA from the costs generated by possible regulations from the Department of Justice. As to the former, per a letter dated Sept. 16 from the Department of Finance to the Department of Justice, “The SRIA estimates that the initial cost of compliance may be up to $55 billion.”
As noted in the report, “Small firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises.” The definition of small business in the full report appears to be based on an estimate of how many employees would be needed to generate the revenue necessary to constitute a business as defined in the CCPA. As a result of this calculation, it is estimated that a “small” business would have at least 250 employees.
This analysis, however, does not take into account the impact of the CCPA on a small business that acts as a service provider to a business but does not itself qualify as a business under the CCPA. Using the Finance methodology, this would mean any service provider with fewer than 250 employees that receives personal information from a business. These service providers will need to respond when their business customers start asking for revisions in contracts to meet CCPA obligations, and to show they are otherwise compliant with the obligations of service providers under the act.
The report also notes, looking to the experience of the European Union (EU) and the General Data Protection Regulation (GDPR): “Conventional wisdom may suggest that stronger privacy regulations will adversely impact large technology firms that derive the majority of their revenue from personal data, however evidence from the EU suggests the opposite may be true. Over a year after the introduction of the GDPR, concerns regarding its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs.”
The Department of Finance makes the assumption there will be a fairly static compliance environment after Jan. 1, 2020. That may not be a correct assumption. Alastair Mactaggart, the father of the California Consumer Privacy Act of 2018 (CCPA), announced recently he will be going back to the ballot in 2020 with the cleverly named California Consumer Privacy Act of 2020. At least part of the motivation behind this, according to Mactaggart, is to keep the legislature from weakening privacy protections – a much more difficult task when a law is enacted as an initiative measure. Following his initial filing with the attorney general on Sept. 25, Mactaggart filed a slightly edited version of the proposal – now titled the California Privacy Rights and Enforcement Act of 2020 (CPREA) – on Oct. 2. The new moniker for this may have something to do with messaging in anticipation of a campaign next fall.
While the business community is attempting to negotiate with Mactaggart and his coalition in an effort to ameliorate the impact of this initiative, in the rapidly changing world of technological innovation nothing is static. The initiative process in California, however, is a public process cast in quick-set concrete. Regardless of what is put into this ballot measure regarding future amendments in the legislature, the proponents of this law will invest in themselves the prerogative to decide what is “in furtherance of” their grand scheme. Their self-serving bureaucracy, the California Privacy Protection Agency (CPPA), is an effort to create a semi-autonomous state within but unaccountable to any of the apparatus of state government. While disdainful of the legislative process, this agency would be governed by a decidedly political five-member panel, two appointed by the governor, one by the president pro tem of the Senate, one by the assembly speaker and one by the attorney general.
No mention of the insurance commissioner — just in case you missed that omission.
Regardless of the fate of a ballot measure on privacy, we are now in an environment where multibillion-dollar compliance costs are table stakes. For those who can afford it, it will be business as usual, even if slightly disrupted. For those who cannot, compliance is a death knell to innovation. Promising technologies that are dependent on personal information will be stifled unless Big Tech can grab it and afford the cost of putting such innovations to market. This affects all aspects of California’s economy.
But when Big Government and Big Tech are the only easily identifiable winners in a public policy debate, can we expect anything more?