The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. California businesses appreciate the intent of the CCPA to help consumers protect their online privacy and the effort by the Attorney General to draft regulations that facilitate and encourage compliance.
However, the Attorney General’s draft regulations fail to address many of the ambiguities in the CCPA, impose mandates that may exceed the authority of the CCPA, and levy high costs on all California business sectors.
The California Chamber of Commerce provided extensive comments on the regulations, expressing concern over the lack of clarity in a variety of areas, including: criteria on privacy controls, consumer notification requirements, the definition of personal information, opting out policies, household information, consumer verification and requests for personal information or deletion of information.
The CalChamber also registered concern that the regulations require actions that were not specified in the CCPA in such areas as the de-facto opt-out provisions, the requirement for a “Do Not Sell” button, consumer verification requirements and the calculation of the value of data.
Compliance costs associated with the CCPA and the regulations will impose a tremendous burden on the economy and have a significant impact on businesses that are required to comply.
An independent report prepared for the Attorney General estimates compliance costs for the new law to be $55 billion, and up to $16.4 billion to comply with the implementing rules. For initial compliance costs alone, these costs were estimated to be:
• Small companies (with fewer than 20 employees): around $50,000 per company;
• Companies with 20–100 employees: $100,000;
• Companies with 100–500 employees: $450,000;
• Companies with more than 500 employees: $2 million or more.