Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)

[Introduction: this is part 2 of a 3-part series on the California Consumer Privacy Act, spurred by my comments on the DOJ’s draft regulations (which I’ll post tomorrow). Part 1 of the series addressed how we got here. Today’s part recaps some of what we’ve learned.]

The CCPA hasn’t taken effect yet, but some of the law’s implications are already becoming clear.

Privacy Isn’t Cheap. As part of the rule-making process, the California DOJ must estimate the compliance costs of its proposed rules. The DOJ retained a private economics consultancy, Berkeley Economic Advising and Research (BEAR), LLC, to prepare a “Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations.”

The DOJ’s disclosures make it clear that no one really knows what the CCPA costs or how it will change behavior. It will cost a lot and change a lot of behavior. We don’t have any idea how much.

For example, the DOJ estimates that the CCPA will affect between 15,000 and 400,000 businesses—a startlingly wide range. The DOJ also estimates that “up to 50%” of the affected businesses will be “small” businesses, even though the CCPA sought to exclude small businesses from its scope.

The uncertainty reflects how the CCPA impacts the entire California economy. For example, the DOJ says that the “Attorney General does not have reliable estimates on the creation or elimination of businesses as a result of the regulations because of the very large number of businesses impacted by the CCPA across many different sectors” (emphasis added). The CCPA drafters clearly targeted Facebook and data brokers, but the law did not limit its reach to them. Instead, as the DOJ explains, the affected “businesses fall within most sectors of the California economy, including agriculture, mining, utilities, construction, manufacturing, wholesale trade, retail trade, transportation and warehousing, information, finance and insurance, real estate, professional services, management of companies and enterprises, administrate services, educational services, healthcare, arts, accommodation and food services, among others.” Indeed, few aspects of the California economy are NOT touched by the CCPA.

This highlights one of the CCPA’s worst structural problems: it was drafted with a limited number of use cases in mind, but it nevertheless applies to thousands of other industry niches that didn’t have a voice during the drafting process and now must comply with a law ill-tailored to their issues.

Despite the lack of precision about the CCPA’s consequences, the bottom-line conclusions are breathtaking. In the AG’s Notice of Proposed Rulemaking, the DOJ says:

The Attorney General has made an initial determination that the adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business, including the ability of California businesses to compete with businesses in other states.

The BEAR assessment gets into specifics:

The total cost of initial compliance with the CCPA, which constitutes the vast majority of compliance efforts, is approximately $55 billion. This is equivalent to approximately 1.8% of California Gross State Product in 2018.

The BEAR assessment is massively over-optimistic that CCPA compliance costs were front-loaded. That does not represent the GDPR’s experience at all. But even if true, BEAR estimates that about 2 cents of every 2018 California dollar went to the CCPA. That was fabulous news for privacy professionals and the private schools that their kids attend, but it’s extremely troubling news for everyone else. Did California consumers get good value from that massive expense?

These numbers highlight the extraordinary potential risks associated with the CCPA 2.0 ballot initiative, CPREA. The CCPA already has proven to be extremely expensive, and we have no idea if we’ll get a good return-on-investment from those expenditures. CPREA would impose significant new compliance costs, but I don’t believe anyone knows how much. It’s possible (probable?) that CPREA will be a worse financial deal for consumers.

Privacy Laws Are Prolix. The CCPA runs about 10,000 words. The DOJ’s proposed regulations run another 10,000 words. Together, the law comprises about 20,000 words. The comprehensibility problem is further compounded by the byzantine drafting of both documents, which makes them extremely hard to parse. At 22,000 words, CPREA would double the length of the existing law.

It has become a full-time job just to keep up with the massive volume of California privacy law. That virtually demands that businesses retain dedicated CCPA specialists to advise them—their own lay readings and the advice of non-specialist lawyers won’t cut it.

State Heterogeneity Is Inevitable. Some states introduced their own clone-and-revise versions of CCPA in 2019, but none passed (though some other significant privacy laws did pass). A number of state legislatures will likely restart the CCPA clone-and-revise process in 2020.

At this point, it is impossible that other states could copy the CCPA verbatim. First, the California legislature is still tweaking the CCPA. There is no finished product to copy. Second, the CCPA has been optimized for California, which had a substantial legacy of privacy laws that other states don’t have. Third, few states would adopt the California DOJ regulations verbatim. Those too are a work-in-progress, they reflect some unique aspects of California law, and many states couldn’t afford to have their state attorneys general do the work undertaken by California’s Department of Justice (with its $1B/year budget). Fourth, CPREA presents the possibility of further changes.

As a result, it’s inevitable that states seeking to emulate California will adopt consumer privacy laws that are materially different. Any statutory differences between states, even if small, will at minimum require legal review by privacy specialists to determine the differences and their consequences. Any material differences will likely require changes to the business’ privacy program, possibly changes to the business’ databases or software code, and possibly differences in the business’ consumer-facing disclosures. This will all cost money.

Worse, the costs of state-by-state compliance probably won’t translate into consumer benefits. Assuming different states ultimately provide about the same level of consumer rights as the CCPA, the extra compliance costs will be passed through to consumers with no commensurate benefits.

We Need a Federal Law. CPREA highlights the madness that has befallen privacy regulation in California. We don’t know if the CCPA works, but we’re already having to contemplate potentially drastic revisions to it. This moves the goal posts for businesses trying to do the right thing, and there’s no guarantee that CPREA will be the last initiative on this topic. When will it stop?

Worse, it’s insane to ask California voters to decide something as complex as CPREA—clocking in at 22,000 words—amending the 20,000 words of the CCPA and its regulations. No voter, no matter how dedicated, could possibly understand the CPREA’s implications enough to make a well-informed decision. That’s why voters delegate complex policy-making jobs to full-time legislators and their staff.

Congress needs to put an end to this example of democracy run amok. It will be too late when another state passes a CCPA-like law that creates substantial additional compliance costs. States are often called the laboratories of experimentation, but the experiments are creating chaos. The solution is a federal preemptive law that establishes a single national standard for all businesses. We need it now.

Prior CCPA Posts

* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)