Businesses, consumers and governments in California will suffer net losses from proposed rules pending before the state privacy agency, according to a report released this week by the California Chamber of Commerce.
The agency is scheduled to consider the proposed rules at its November 8 meeting.
The report by Capitol Matrix Consulting (CMC) concludes that the proposed regulations to implement the California Consumer Privacy Act (CCPA) of 2018 will result in a substantial net economic loss to business, consumers and governments in the state, both in the near term and the long term, translating into reduced jobs and tax revenues.
The California Privacy Protection Agency (CPPA) incorrectly concluded that savings from the proposed rules eventually will exceed its costs by understating the costs and overstating the savings, the CMC report found.
The CMC report analyzes anticipated savings detailed in the CPPA’s Standardized Regulatory Impact Assessment (SRIA) of proposed regulations that would add to and change existing rules related to the CCPA of 2018 as amended by the California Privacy Rights Act (CPRA) of 2020.
The SRIA concludes that the regulations would result in direct costs to California businesses of $3.5 billion in the first full year and average annual costs to businesses over the first 10 years of $1.08 billion and will result in employment losses peaking at 126,000 in 2030.
Similarly, the SRIA estimates annual state revenue losses reaching $2.8 billion in 2028. While the SRIA claims long-term benefits will exceed these costs, the report reveals that the purported benefits are based on an arithmetical error and speculative assumptions.
Proposed Regulations
The proposed regulations:
- Update existing CPPA regulations;
- Clarify when insurance companies are subject to the CPPA regulations;
- Require businesses meeting specified criteria to complete annual cybersecurity audits;
- Require businesses to prepare a risk assessment before processing personal information for certain activities;
- Require businesses using automated decision-making technology (ADMT) to give consumers newly created rights to opt out (beyond the scope of regulations to implement the CCPA), and to give consumers information about how the ADMT will be used.
Privacy Agency Errors
The CMC report found that the privacy agency’s Standardized Regulatory Impact Assessment (SRIA) understated the costs by:
- Underestimating external auditor and employee compensation rates paid by businesses;
- Excluding from its economic analysis out-of-state businesses that sell into California markets; and
- Ignoring the massive ongoing costs and business productivity losses resulting from behavioral changes by businesses and consumers following adoption of the regulations.
In addition, the SRIA overstates the savings from the proposed regulations by:
- Grossly overestimating baseline cybercrime losses due to an arithmetical error and other factors, including a flawed approach to estimating future cybercrime losses; and
- Overestimating savings from audits and risk assessments based on assumptions not supported by the literature, including articles listed in the SRIA.
Impact on Innovation
The CMC analysis points out that the SRIA fails to address a key requirement in California law: that SRIAs evaluate the impact of proposed regulations on “the incentives for innovation in products, materials, or processes.”
Automated decision-making technology (ADMT) and related artificial intelligence (AI) technologies are expected to have a huge impact on the global economy over the next decade. A recent study by Goldman Sachs found that AI could drive a 7% increase in global gross domestic product (GDP) and lift annual labor productivity growth by 1.5 percentage points over a 10-year period.
A 7% increase in California GDP would translate into an additional annual GDP of $400 billion by 2036. Therefore, policies stifling even a small fraction of ADMT adoption and use would have impacts amounting to tens of billions of dollars per year, dwarfing actual savings from the proposed rules once the savings are adjusted for arithmetical errors and other factors, the CMC analysis stated.
Impact on State Jobs/Revenues
The CMC analysis warns that there are major implications for California jobs and revenues from the privacy agency’s underestimate of costs and overestimate of benefits of the proposed regulations.
Higher direct costs identified by the CMC analysis would translate into reduced jobs and revenues that are at least double the privacy agency’s estimate.
It also is highly unlikely that the longer-term net economic gains will occur as forecasted by the privacy agency because many of the costs not identified by the privacy agency are ongoing (for example, the regulation’s stifling effects on innovation and ongoing costs and productivity losses due to opt-outs).
Moreover, the privacy agency’s estimates of cybercrime reductions due to the regulations are unreliable. The near-term negative impact of the regulations on the economy and state government revenues will likely grow in the future, according to the CMC report.
