Last weekend, the State of California Attorney General released an independent report putting the estimated cost of initial California Consumer Privacy Act (CCPA) compliance for the world’s fifth-largest economy at $55 billion. While much of the attention has been on large companies like Google and Facebook, the companies most likely to feel the sting, as Wired explained, aren’t operating at that scale. It’s the smaller companies that could take the larger hit as a percentage of revenue.

The smaller companies in California are most likely to feel the CCPA sting

Which rights are granted?

CCPA builds on the state’s existing data privacy law, which has not kept pace with the evolving definition of Personal Information (PI). The law affords consumers four key rights:

  1. Right to Know: The right to be informed about how, why, and when data is collected, what data or categories of data are collected, and how PI is used and whether it is sold or disclosed.
  2. Right to Delete: The right to request that a business delete the PI it collected from the consumer, and that it direct its service providers to delete it as well (subject to statutory exceptions).
  3. Right to Opt-Out: Consumers can direct a business that sells their PI to stop. Minors aged 13 to 16 may not have their PI sold without their affirmative (opt-in) authorization; for children under 13, that authorization must come from a parent or legal guardian.
  4. Right to Non-Discrimination: No business may discriminate against a consumer for exercising any of these rights. It can’t deny goods or services, charge different prices, or provide a different level or quality of service. A business may, however, offer a different price or level of service if the difference is reasonably related to the value the consumer’s data provides.

With six amendments awaiting the signature of the governor of California by Oct. 13, 2019, the law is expected to take effect on Jan. 1, 2020, with enforcement beginning on July 1, 2020.

For those who remember the onset of the EU’s data privacy regulation, GDPR (General Data Protection Regulation), this may sound similarly stressful, but if you’re already GDPR compliant, you are part way there. Still, this is an untested law with some admittedly fuzzy language, and how strictly it will be enforced remains to be seen. Based on the AG’s recent report, here’s what companies can expect in terms of cost.

4 categories of cost

The AG’s report outlines four main categories of cost. As we saw with GDPR, thinking through the full impact of the law will require legal spending if you fall within its requirements, and could mean rethinking your business model.

  1. Legal: You’ll need an attorney to evaluate your technical and business plans. No matter what you read online, your best source is the legal counsel you pay to interpret the law for your specific situation.
  2. Operational: You’ll need to establish non-technical infrastructure and procedures for handling compliance, such as receiving, verifying, and tracking consumer requests.
  3. Technical: Building the systems to handle requests from large numbers of consumers, plus items like the opt-out (“Do Not Sell My Personal Information”) link on your home page if you sell PI.
  4. Business: The law may affect your business model or require renegotiating contracts with service providers.

Back of the napkin costs

So total compliance cost is going to vary. By how much? The AG’s report estimates that 75% of all California businesses will have to comply, with the total cost of their efforts coming in at approximately $55 billion collectively, or 1.8% of California’s 2018 Gross State Product.

[Chart: Back of the napkin costs. Source: Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations]

Also important: the report estimates that 83% of California businesses subject to CCPA will be able to leverage their existing GDPR compliance. The two laws aren’t perfectly aligned, which is why CEOs like Apple’s Tim Cook and Microsoft’s Satya Nadella have called for a single global data privacy law.


Future-proofing

Compliance isn’t a one-and-done activity. It requires regular maintenance and monitoring, the scope of which will vary with your business model and company size. The rapidly evolving data privacy landscape can seem daunting, but many Auth0 customers who have already been through GDPR compliance tell us that identity is a good place to begin: it forces you to clarify exactly what data you need to retain to give your customers the experiences they expect. If you’d like to learn more about how Auth0 can help you move toward CCPA identity compliance, reach out to an Auth0 expert.



About Auth0

Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.

For more information, visit https://auth0.com or follow @auth0 on Twitter.