CCPA – The cost of Compliance

Published on September 8, 2020


Since its enactment, the California Consumer Privacy Act (CCPA) has had a significant impact on businesses worldwide, as many struggle with compliance. In fact, the California Attorney General (AG) has already sent warning notices to companies. The notices give entities thirty days to comply with CCPA by remedying violations, or they face potential lawsuits initiated by the AG. Fortunately, at this point, the AG’s office has declined to publicly name those businesses that have been cited. Should the AG decide to do so in the future, such public exposure is likely to have a real, tangible effect on the businesses’ bottom line as consumers are increasingly savvy and privacy-oriented.

CCPA applies to three basic categories of businesses: (1) businesses with annual gross revenue in excess of $25M; (2) businesses that derive at least 50% of their revenue from selling consumer data; and (3) businesses that buy, sell, or share personal consumer information from at least 50,000 consumers, households, or devices. While at first glance it seems that the three categories would limit the number of businesses impacted by CCPA, it is paramount to consider the behemoth that is the California economy and the depth and breadth of companies likely to fall within the ambit of the CCPA. Thus, management teams must delve deeper and assess what the financial impact will be based on the size of the business.

Those companies subject to the CCPA must respect the significant privacy rights afforded to California residents regarding how the business collects, processes, and shares their personal information. These include: (1) the right to notice of the categories of personal information collected on California residents and the purposes for which these categories will be used, (2) the right to access any data held by the company on them, (3) the right to opt out of such use, (4) the right to request deletion of any personal information, and (5) the right to equal services and prices of goods and services even where a consumer exercises such rights.

In reality, the cost of CCPA compliance is significant. A recent report indicates the actual cost of CCPA compliance may reach $55B. According to an article in CPO Magazine, when looking at businesses ranging from fewer than twenty employees on the lower end of the scale to greater than 500 employees at the high end, compliance costs may range from $50,000 to over $2,000,000. Consequently, when you examine the aggregate size of such businesses, the conservative estimate of $55B in initial outlays for CCPA compliance across California businesses begins to make a lot more sense.

There is a potential silver lining for larger international firms. Companies that were previously subject to GDPR have a leg up on their non-GDPR-compliant counterparts, as much of the underpinnings and legwork required to achieve compliance were already addressed during GDPR compliance efforts. Naturally, in order to maintain compliance there will be ongoing costs, and failure to comply with changing laws and regulations may result in fines and/or penalties. Therefore, CCPA compliance will be a recurring expenditure for businesses. Efforts at efficiency will likely lead to increased outsourcing of privacy work in an attempt to achieve economies of scale and allow businesses to take advantage of specialized expertise.

Consequently, finding data privacy experts and GDPR- and CCPA-knowledgeable compliance consultants may prove essential not merely in the short term to obtain initial compliance but also in the long term to maintain and ensure that privacy-related issues are addressed with strict adherence to the regulatory timelines. This is also something for businesses across the country to remain cognizant of, as it is inevitable that additional privacy regulations are forthcoming at the state level as well as nationally. Those companies that are able to get in front of compliance requirements and achieve GDPR and/or CCPA compliance will be well-positioned as these new regulations get implemented. Furthermore, consumers are likely to start choosing to do business with those companies that demonstrate proper data privacy practices.

ADVISORI Can Assist

We understand the level of effort required of businesses to develop, implement and maintain a CCPA compliance program. We know because we have done it. To aid our clients, we have developed a CCPA Compliance Center. By simply installing a CCPA link on your website, we will handle all your CCPA requests by using our people, processes, and technology.

From your website, we will be able to monitor and track customer consent to ensure that personal information is processed legally. We will also receive and process your data subject access requests submitted online or via our 1-800 call center.

Using our PII discovery technology and DSAR Robotic Automation, we provide end-to-end data subject access request fulfillment services, irrespective of the volume. We also provide on-demand reports including DSAR types; locations of origin; fulfillment response rates; and related DSAR trending and forecasting. Outsourcing the cumbersome data subject access request fulfillment obligation to us allows our clients to reduce the risk of untimely responses, data subject complaints, and data protection authority inquiries.

ADVISORI is a purpose-built company with the sole focus of relieving our clients of the oftentimes overwhelming burden of privacy/data protection functions so that they can focus on their core business activities.