How Much Does It Cost to Be CCPA Compliant?

Victor
2019-11-01
6 min read
Industry News
Regulations
InfoSec Best Practices

Halloween was yesterday, but something even scarier is around the corner: CCPA.

Just kidding. CCPA is not scary, nor is it something to dread.

What’s actually scary about the CCPA is the estimated total cost for all businesses (who either operate out of California or have customers in California) to become and stay compliant with CCPA: $55 billion. This is equivalent to ~1.8% of California’s Gross State Product in 2018.

These figures came out of the California Attorney General’s 48-page report (published Aug 2019) assessing the potential capital and operational expenses incurred directly as a result of CCPA. The report itself is a fascinating read (if you’re into reading legislative reports and policies), and we combed through the report to share with you the three biggest takeaways so you can best prepare before Jan 1, 2020 (when CCPA takes effect):

1) How much you should expect your business to spend initially to be compliant

Companies with < 20 employees: $50,000
Companies with 20-100 employees: $100,000
Companies with 100-500 employees: $450,000
Companies with > 500 employees: $2 million
These estimates were based on CCPA’s baseline costs (e.g. dedicated internal / external resources spent reviewing and implementing updated privacy policies and terms of service) and the incremental costs (e.g. annual audits and checks to ensure compliance) attributable to the regulations. What will lower some of these initial costs for you is the work you’ve already done to be GDPR compliant (you did do that, right?). However, the two privacy laws are not the same despite their similarities, so you’ll still need to become CCPA compliant.

2) Additional capital costs you need to consider to maintain compliance

You’ll need to factor in costs for:

Systems and processes in place to track, record, and respond to consumer requests (in addition to their personal information) for both your business and your vendors and partners
Method for notifying third parties to whom personal information was sold within the past 90 days if a consumer requests to be opted out
Consumer personal information data handling training and certification for your employees (especially crucial if your company collects, buys, sells, or shares the personal information of more than 4 million Californians)

Note that the operational costs (e.g. employees and contractors’ time spent working on compliance efforts, their salaries) are hard to pinpoint here because they vary for each business, but you’ll need to factor them into your total compliance costs as well. To give you perspective on how serious the California Department of Justice is when it comes to enforcing CCPA, they plan on hiring 23 full-time employees at an estimated cost of $4.5 million per year.

3) The total value of California consumers’ personal information regulated under the CCPA is worth over $12 billion annually

Ever wonder how much you’re actually worth in the eyes of advertisers and companies like Google and Facebook? According to The Financial Times, your basic personal data (e.g. DOB, age, gender) is worth $0.0005. Now if you’re experiencing life milestones like getting married or becoming pregnant / have other sensitive personal info, your value goes up (e.g. info that a woman is pregnant is worth $0.11). Adding all of this info up comes out to $277.65 per person (assuming a one-time sale of your personal information).

Extrapolating these numbers to the estimated 35 million Internet users in California, you’ll find that basic information for all 35 million Internet users is worth $169 million. And more sensitive personal information is worth a whopping $9.7 billion – no wonder Google and their tech brethren lobbied so hard to weaken CCPA. And to think Google preached “Don’t Be Evil” at one point in its history.

Advertisers have also placed a premium on personal information: the Interactive Advertising Bureau, a trade group that sets advertising standards and shares data about the advertising industry, determined that the average revenue per user (ARPU) from all search, banner, and video ads for desktop computer users is $135.71 and $266 for mobile users. Applying those values to the estimated 30.9 million desktop users and 31.7 million mobile users in California, you’ll see that they’re worth $4.2 billion and $8.4 billion, respectively.

We’re not going to proverbially beat you upside the head with yet another screed on the consequences of non-compliance. And we’re going to avoid giving you redundant “What’s the CCPA All About?” advice. You know the stakes, so start your CCPA compliance efforts with our 9-step checklist that tells you what you need to know and what to implement.
TUGBOAT LOGIC INC. © 2019 - BURLINGAME, CA, USA