CCPA Continues to Dominate Data Privacy Discussion

By: Henry Rademacher

On Friday, December 13, 2019, the Brookings Institution hosted a panel discussion on data privacy, specifically the effects that the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have on businesses and consumers. Like its European cousin, GDPR, CCPA has been a boon for the panel discussion industry. The extent to which it will benefit consumers is far less certain.

California’s controversial data protection law was signed into law 18 months ago. It does not go into effect until January 1, 2020. Independent researchers commissioned by California itself estimate companies will pay up to $55 billion in initial compliance costs, then anywhere “from $467 million to more than $16 billion over the next decade.”

Compliance costs will hit startups and smaller companies much harder than established giants. However, it would be wrong to assume the world’s largest companies are not intimidated by CCPA. Microsoft has already announced that it will “honor” CCPA in all 50 states. 

Several states have passed, or are attempting to pass, their own versions of CCPA, leaving consumers stuck with a messy patchwork of differing regulations. Because the companies most heavily involved in data collection all do business nationwide, each state having a different policy is only going to make a muddled situation more complicated.

Across the political spectrum, there is increasing agreement that data protection is best handled at the federal level. However, there is substantial disagreement over how it should be done. Many, including Digital Liberty, have advocated for a system that is market-based and user-controlled. Others simply want something similar to CCPA to be enacted at the federal level. 

One of the people in favor of federal legislation similar to CCPA is Joseph Wender, senior policy analyst for Senator Edward J. Markey (D-MA). At the Brookings event, Wender expressed optimism that a federal data privacy bill could be passed by the end of 2020. Unfortunately, when asked, Wender was unable to provide any estimate of the compliance or implementation costs that would arise from such a bill. He freely admitted that Senator Markey’s office does not yet have a plan for preventing these costs from being passed on to consumers.

But such a policy would have high financial costs. CCPA applies to businesses that meet at least one of three criteria: “companies with more than $25 million in gross revenue, businesses with data on more than 50,000 consumers, and firms that make more than 50% of their revenue selling consumer data (i.e. data brokers).” As recently as August of this year, “only 8% of 1,500 businesses (polled) said that they are ready for CCPA compliance, while 34% said they will be by Jan. 1.”

We are mere weeks away from finding out the fate of the 92% of polled businesses who were not ready for compliance a few months ago. If GDPR is any indicator, the results will not be good.

Although they are frequently discussed together, CCPA and GDPR have significant differences. DLA Piper, whose client roster is full of companies that will have to deal with both policies, has outlined the key differences as follows:

  • “The CCPA’s definition of personal information specifically includes household information.
  • While both the CCPA and GDPR require detailed privacy notices, the required content of those notices differs. A privacy policy that meets the requirements of the GDPR will likely not satisfy the CCPA’s requirements.
  • Under GDPR, a business does not necessarily need the individual’s consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a “Do Not Sell My Personal Information” link on websites and mobile apps.
  • Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements will likely not meet CCPA requirements.
  • Finally, the GDPR and CCPA take different approaches to children’s privacy rights. GDPR requires that parents provide consent for the processing of their children’s personal information in an online environment – but only where the legal basis for processing is consent. Children are defined as under 16, although member states can lower the age to 13. The CCPA, in contrast, addresses the sale of children’s information – not all processing – and requires that businesses first obtain opt-in consent. Parents must provide consent for kids under 13; teens 13-15 can provide their own consent.”

Roslyn Layton of the American Enterprise Institute pointed out that lawyers and consultants, not consumers, have the most to gain from CCPA. She stated that, regarding compliance costs, “The number one cost is a privacy consultant…the second highest is the IT cost.” She added that “the minimum cost is between $100,000 and $1 million for a company to comply with CCPA.”

Big companies can afford those types of compliance costs. Startups and smaller companies may or may not be able to. More than 1000 companies ceased operating in Europe after GDPR was instituted. A similar exodus could easily befall California. Even if it does not, competition will be reduced, while the rich will continue to get richer.

Beyond the economic problems with CCPA, there is the question of whether or not it is even constitutional. It has been argued that CCPA could be unconstitutional under the Commerce Clause because it gives an individual state far-reaching authority to regulate interstate commerce. 

CCPA has too many problems to be used as a framework for federal policy on data protection. Gargantuan compliance costs, serious questions about constitutionality, and a paucity of tangible evidence that it will actually benefit consumers could make CCPA an even riskier bet than GDPR.

Photo Credit: Tom Hilton (flickr)