By: Robert Cattanach, Dorsey & Whitney Partner, Joe Lynyak, Dorsey & Whitney Partner, Sam Bolstad, Dorsey & Whitney Associate
The California Attorney General recently published a report assessing CCPA compliance costs. The report attempts to quantify the monetary value of consumers’ personal data, and estimates the total value of personal data exceeds $20 billion annually. The report goes on to estimate the total cost of initial compliance at $55 billion for all companies subject to the CCPA. The report assumes that initial compliance costs will constitute the “vast majority” of compliance costs. Anecdotally, however, this assumption may need to be reconsidered in light of the anticipated recurring expenses that companies eventually will be required to incur in order to respond to data subject access requests.
Budgeting: The report goes on to estimate compliance costs based on the size of the company:
- Small firm (<20 employees): $50,000. Based on experiences with similar obligations and experiences associated with GDPR, the report predicts that small firms will face disproportionately higher CCPA compliance costs relative to larger enterprises. Based on this disparate impact, the report goes on to posit that holistic data regulation laws may actually provide a competitive advantage to large businesses, which can invest significant in-house compliance resources to adjust quickly, while small competitors struggle to adapt.
- Medium-sized companies (20-100 employees): $100,000
- Medium/large-sized companies (101-500 employees): $450,000
- Large companies (>500 employees): $2,000,000
If you have not yet started compliance efforts and implementation, you are behind your competitors: Most large companies have already started compliance efforts (84%) and implementation (56%).
Data Brokering Innovation:
The report also notes a rise in new features that assist consumers with managing their private data, and a rise in new businesses that can assist with CCPA compliance. For example, the Digital Advertising Alliance announced CCPA compliance tools for the ad industry, most notably including an opt-out tool. Finally, the report goes on to predict that consumers may be more willing to share/sell their private data if they are confident that businesses are now handling their data responsibly.
Enforcement: California DOJ has requested an additional $4.5M per year to staff 23 new full-time positions.
Alastair Mactaggart, who spawned the ballot initiative that sparked the CCPA, filed another data privacy initiative to appear on California’s November 2020 ballot. The initiative, titled the California Privacy Rights and Enforcement Act, is being dubbed “CCPA 2.0.” If approved by voters, CCPA 2.0 would take effect in January 2021. A few of the more notable features include:
- Narrowed definition of “business” subject to CCPA: Increases the threshold for annual sales and purchases of personal information from 50,000 to 100,000 consumers or households.
- California Privacy Protection Agency: Establishes a new state agency, which would assume the Attorney General’s enforcement responsibilities and provide regulatory guidance to industry and consumers.
- Sensitive Personal Information: CCPA 2.0 would impose heightened protections for Social Security Numbers and health, financial, racial/ethnic, and geolocation data. Specifically, it would expand consumers’ opt-out rights: Whereas CCPA empowered consumers to prohibit the sale of their personal information, CCPA 2.0 would allow consumers to prohibit any use or disclosure of sensitive personal information. The ballot initiative would also prohibit companies from selling sensitive personal information without a consumer affirmatively opting in.
- Minors: Prohibits collection of minors’ data without the child/parent’s affirmative consent (currently limited to prohibiting sale of such data). CCPA 2.0 would also treble fines for violations regarding minors’ data.
- Right to correct inaccurate personal information.
- Data Subject Access Requests (DSARs) extended beyond the past 12 months unless the request is unduly burdensome.
- Additional required disclosures: Requires companies to notify consumers whenever a company uses personal data for profiling to determine eligibility for financial services, housing, insurance, education admissions, employment, or health care services. Also requires corporate disclosures as to how a business uses personal information to influence elections.
- Permanent exceptions for employee data and B2B data: These exceptions currently have one-year sunset provisions. CCPA 2.0 would make these exceptions permanent.
- Annual cybersecurity audits for “large data processors” that annually collect 5+ million consumers’ personal information.
- Mactaggart leveraged the 2018 ballot initiative to negotiate the CCPA with the California legislature. The fact that Mactaggart felt compelled to return with another ballot initiative suggests that privacy advocates may be less willing to compromise this time around.
- Since this initiative amends an existing statute, unlike the first ballot initiative it can be amended in the future through legislation.
- The 2020 ballot initiative may continue to be revised into October 2020, and is likely to promote ongoing negotiations with the possibility of another legislative compromise being enacted into law.
- Unless this initiative produces another negotiated legislative compromise, and assuming the ballot initiative receives the requisite number of signatures, it will be placed on the ballot and could be adopted by California voters in November 2020, in which case the revised provisions will take effect in January 2021.