What we’ve learned from California’s Consumer Privacy Act so far

In June 2018, California passed a major consumer privacy law called the California Consumer Privacy Act (CCPA). CCPA was the first comprehensive consumer privacy law passed in the United States. It gives consumers several important new rights, including the right to know more about a company’s privacy practices, a right to see, delete, and download the personal information stored about them, restrictions on a company’s right to sell their personal information, restrictions on discrimination against consumers for exercising their privacy rights, and the right to sue companies for certain types of data breaches.

Though CCPA went into force Jan.1, some of the law’s implications are already becoming clear.

First, privacy is not cheap. CCPA delegates rule-making authority (as well as enforcement) to the California Department of Justice. As part of the rule-making process, the California DOJ must estimate the compliance costs of its proposed rules. The DOJ also retained a private economics consultancy, Berkeley Economic Advising and Research (BEAR), LLC, to prepare a “Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations.”

The DOJ estimates that CCPA will affect between 15,000 and 400,000 businesses — a startlingly wide range. The DOJ also estimates that “up to 50 percent” of the affected businesses will be “small” businesses, even though CCPA’s authors sought to exclude small businesses from its scope.

Meanwhile, the BEAR assessment summarized that:

“The total cost of initial compliance with the CCPA, which constitutes the vast majority of compliance efforts, is approximately $55 billion. This is equivalent to approximately 1.8% of California Gross State Product in 2018.”

The BEAR assessment is massively over-optimistic that CCPA compliance costs are front-loaded. That does not at all represent the experience with Europe’s General Data Protection Regulation (GDPR). But even if true, BEAR estimates that CCPA compliance costs are roughly equal to 2 percent of California’s GSP. That’s fabulous news for privacy professionals and the private schools that their kids attend, but it’s extremely troubling news for everyone else. Will California consumers get good value from that massive expense?

These numbers also highlight the extraordinary potential risks associated with the newly-proposed ballot initiative, the California Privacy Rights and Enforcement Act (CPREA, colloquially called CCPA 2.0), which proposes to codify some existing parts of the CCPA and extend it in major ways. CCPA already has proven to be extremely expensive, and we have no idea if we’ll get good a return on investment from those expenditures. CPREA imposes significant new compliance costs, but it is unclear if anyone knows how much. It’s possible that CPREA will be a worse financial deal for consumers and the California economy.

The second lesson is that privacy laws are prolix. CCPA runs about 10,000 words. The DOJ’s proposed regulations run another 10,000 words. Together, the law comprises about 20,000 words — and the byzantine drafting of both documents makes them extremely hard to parse. At 22,000 words, CPREA would double the length of the existing law. It has become a full-time job just to keep up with the massive volume of California privacy law. That virtually demands that businesses retain dedicated CCPA specialists to advise them — their own readings and the advice of non-specialist lawyers won’t cut it.

Finally, state heterogeneity in privacy law is now inevitable. Some states introduced their own clone-and-revise versions of CCPA in 2019, but none passed (though some other significant privacy laws did pass). A number of state legislatures will likely restart the CCPA clone-and-revise process in 2020.

At this point, it is impossible that other states could copy CCPA verbatim. First, the California legislature is still tweaking CCPA. There is no finished product to copy. Second, the CCPA has been optimized for California, which has a substantial legacy of privacy laws that other states don’t have. Third, few states would adopt the California DOJ regulations verbatim. Those too are a work in progress, they reflect some unique aspects of California law, and many states couldn’t afford to have their state attorneys general do the work undertaken by California’s DOJ (with its $1 billion a year budget). Fourth, CPREA presents the possibility of further changes.

As a result, it’s inevitable that states seeking to emulate California will adopt consumer privacy laws that are materially different. Any statutory differences between states, even if small, will at minimum require legal review by privacy specialists to determine the differences and their consequences. Any material differences will likely require changes to the business’s privacy program, possibly changes to the business’s databases or software code, and possibly differences in the business’s consumer-facing disclosures. This will all cost money.

Worse, the costs from state-by-state compliance probably won’t translate into consumer benefits. Assuming different states ultimately provide about the same level of consumer rights, the compliance costs will be passed through to consumers with no commensurate benefits.

I believe a federal law would smooth many of these issues. CPREA highlights the madness that has befallen privacy regulation in California. We don’t know if CCPA works, but we’re already having to contemplate potentially drastic revisions to it. This moves the goal posts for businesses trying to do the right thing, and there’s no guarantee that CPREA will be the last initiative on this topic. When will it stop?

Worse, it’s insane to ask California voters to decide something as complex as CPREA. No voter, no matter how dedicated, could possibly understand CPREA’s implications enough to make a well-informed decision. That’s why voters delegate complex policymaking jobs to full-time legislators and their staffs.

Congress needs to put an end to this example of democracy run amok. It will be too late when another state passes a CCPA-like law that creates substantial additional compliance costs. States are often called the laboratories of democracy, but the experiments are creating chaos. The solution is a federal preemptive law that establishes a single national standard for all businesses. We need it now.

Eric Goldman is a Professor of Law at Santa Clara University School of Law, co-director of the High Tech Law Institute, and Privacy Fellow with the Innovators Network Foundation. Follow him on Twitter @EricGoldman and on his Technology and Marketing Law Blog.