Last weekend, the State of Calif. Attorney General released an independent report putting the estimated cost of California Consumer Privacy Act (CCPA) initial compliance for the world’s fifth-largest economy at $55 billion. While much of the focus has been on larger companies like Google and Facebook, as Wired explained, the companies most likely to feel the sting aren’t operating at that scale. It’s the smaller companies that could take a larger percentage hit.

The smaller companies in California are most likely to feel the CCPA sting

Which rights are granted?

CCPA builds on the state’s existing data privacy law, which has not kept up with the evolving definition of Personal Information (PI). The law affords consumers four key rights:

  1. Right to Know: The right to be informed about how, why and when data is collected, as well as disclosure of the use and sale of PI.
  2. Right to Delete: The ability to request that a business delete PI collected from the consumer and direct its service providers to delete it as well (unless an exception applies).
  3. Right to Opt-Out: Consumers can direct a business selling a consumer’s PI to stop. Minors from 13-16 may not have their PI sold without affirmative authorization. Under 13, that authorization must come from a parent or legal guardian.
  4. Right to Non-Discrimination: No business may discriminate against a consumer for exercising any of these rights. They can’t deny goods or services, charge different prices or provide a different level or quality of service. But a business can offer different rates or service if the value is reasonably related to the consumer’s data.

With 6 amendments waiting for a signature from the governor of the State of California by Oct. 13, 2019, the law is expected to go into effect on Jan. 1, 2020 with enforcement beginning on July 1, 2020.

For those who remember the onset of the EU’s data privacy regulation, GDPR (General Data Protection Regulation), this may sound similarly stressful, but if you’re already GDPR compliant, you are part way there. Still, this is an untested law with some admittedly fuzzy language. How strictly it will be enforced remains to be seen. Based on the AG’s recent report, here’s what companies can expect in terms of cost.

4 categories of cost

The AG’s report outlines four main costs. As we saw with CCPA, thinking through the full impact of the law will require legal costs if you fall within the requirements and could include rethinking your business model.

  1. Legal costs: You’ll need an attorney to evaluate your technical and business plans. No matter what you read online, your best source is the legal consultant you pay to interpret the law regarding your specific situation.
  2. Operational: You’ll need to establish some non-technical infrastructure and procedures for handling compliance.
  3. Technical: Building the systems to handle requests from large numbers of consumers, and things like adding an opt-out button on your home page if you sell PI.
  4. Business: The law may impact your business model or require renegotiations with service providers.

Back of the napkin costs

So total compliance cost is going to vary. How much? The AG’s report estimates that 75% of all California businesses will be required to comply, with the total cost of those efforts coming in at approximately $55 billion collectively, or 1.8% of California’s 2018 Gross State Product.

Source: Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations

Also important is that 83% of California’s businesses will be able to leverage their GDPR compliance. The laws aren’t perfectly aligned, which is why we are seeing CEOs like Apple’s Tim Cook and Satya Nadella call for a global data privacy law.

Compliance isn’t a one-and-done activity. It requires regular maintenance and monitoring, which will vary according to business model and company size. While the rapidly evolving data privacy landscape can seem daunting, many Auth0 customers who have gone through GDPR compliance tell us that identity can be a good place to begin clarifying what data they actually need to retain in order to give their customers the experiences they expect. If you’d like to learn more about how Auth0 can help you move towards CCPA identity compliance, reach out to an Auth0 expert.

About Auth0

Auth0, the identity platform for application builders, provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.

For more information, visit or follow @auth0 on Twitter.