In June 2018, Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA) into law.
When it became effective on January 1, 2020, CCPA gave consumers sweeping rights over the data companies hold onto, providing consumers the right to know what data businesses have collected as well as giving consumers the right to demand businesses delete data.
Despite admirable intentions, CCPA has failed to strike a balance between protecting consumers’ rights and not financially burdening small and medium enterprises. The financial burdens imposed on CCPA will ultimately be paid for by consumers through higher costs and lost innovation.
While the United States needs a federal data protection law, the CCPA should not serve as the framework.
What’s required at the federal level is a comprehensive data protection and privacy law that secures consumer data but does not impose egregious compliance costs on small businesses that will prevent them from providing affordable and innovative products and services to consumers.
The CCPA did not come into existence organically but mirrors the European Unions’ 2016 General Data Protection Regulation (GDPR).
Both laws provided their citizens with rights “to how their personal information is collected and used,” and are projected to impose significant compliance costs on companies, particularly small and medium-sized enterprises.
An August 2019 report by the California Attorney General’s Office estimated the initial cost of complying with the CCPA stands at $55 billion. On top of the initial $55 billion, estimates suggest the cost of long-term compliance could reach $16 billion annually.
In the impact assessment of the CCPA, the California Department of Justice and attorney general’s office believed small firms who employ fewer than twenty people “will incur $50,000 in initial costs,” while medium-sized firms employing between twenty and one hundred people can expect to “incur an initial cost of $100,000.”
For consumers, the costs of compliance could have serious adverse effects. Firstly, to survive, smaller enterprises will likely pass the costs onto consumers, raising the cost of products and services.
Secondly, to meet the significant costs of compliance small and medium-size enterprises will have fewer capital resources to invest in research and development, preventing them from providing consumers with the next innovative product or service.
CCPA’s impact assessment acknowledged its potential harm to small and medium-sized businesses, claiming “smaller firms are likely to face a disproportionately higher share of compliance costs relative to larger enterprises” as they have fewer capital resources than larger companies.
The disproportionate costs CCPA will impose on small and medium-sized enterprises could be especially damaging to consumers as it will concentrate market power in the hands of large companies who have the necessary capital reserves to meet the “initial cost of $2 million” to comply with CCPA regulations.
Smaller companies will be faced with the choice of having to close as a result of being unable to afford the compliance costs or be acquired by larger companies, meaning market competitiveness is reduced.
Were CCPA used as a framework for federal privacy and data protection legislation, and assuming the costs of compliance remained the same, the effects could cripple small businesses across the United States and cause further harm to a far greater number of consumers.
In the United States, small and medium-sized businesses “account for 89 percent of all businesses” and drive innovation and market competitiveness.
Recent estimates from the Information Technology and Innovation Foundation found if the federal government adopted legislation mirroring the CCPA, it “could cost the U.S. economy approximately $122 billion” and would cost U.S. businesses “up to $18 billion annually in compliance costs.”
Were small and medium-sized companies, who form the bedrock of the U.S. economy, forced to meet the significant costs of complying with a CCPA style federal legislation, consumers across the company would pay the price by paying higher prices and losing access to new and innovative products and services.
The market would similarly see a concentration of power among larger companies on a national scale.
The disproportionate costs of compliance faced by small businesses provide the clearest argument as to why the federal government should not adopt CCPA-style data privacy laws as the costs will be passed onto consumers and they will lose access to innovative products and services.
Instead, the federal government needs to find a balance between ensuring consumer data remains secure but does not impose onerous costs on small and medium-sized businesses.