The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes. The proposed regulations would establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses for how to comply.
CCPA Fact Sheet
The California Consumer Privacy Act (CCPA) was enacted in 2018 and takes effect on January 1, 2020. On October 10, 2019, Attorney General Xavier Becerra released draft regulations under the CCPA for public comment.
CCPA New Rights for California consumers:
• The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
• The right to delete personal information held by businesses and, by extension, a business’s service provider;
• The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt-in consent, with a parent or guardian consenting for children under 13.
• The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.
Cost estimates for CCPA compliance
According to estimates in the Standardized Regulatory Impact Assessment for the CCPA regulations, the CCPA will protect over $12 billion worth of personal information that is used for advertising in California each year.
Preliminary estimates suggest a total of $467 million to $16,454 million in costs to comply with the draft regulation, if finalized, during the period 2020-2030.
CCPA and GDPR
The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) are separate legal frameworks with different scopes, definitions, and requirements. A business that complies with GDPR and is subject to CCPA may have additional obligations under CCPA.
For example, under GDPR, companies must undertake a data inventory and mapping of data flows in furtherance of creating records to demonstrate compliance. Additional data mapping may be important to reflect the different requirements under CCPA.
Under GDPR, companies must develop processes and/or systems to respond to individual requests for access to personal information and for erasure of personal information. These processes and/or systems may be applied to handling CCPA consumer requests, although businesses may need to review and reconcile the different definitions of personal information and applicable rules on verification of consumer requests.
Under GDPR, companies must draft and execute written contracts with their service providers (“processors”). Companies may need to review these contracts to reflect requirements under CCPA.
Source: Berkeley Economic Advising and Research, LLC, Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations (August 2019)
Source: Berkeley Economic Advising and Research, LLC, Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations (August 2019). This number is specifically the cost associated with the regulations and not general compliance costs associated with the underlying CCPA law.