1442A Walnut Street, Suite 108
www.bearecon.com
entirely attributable to the law. The CCPA is very clear about what rights consumers have
and that businesses must respond to opt-out, deletion, and access requests. The majority
of these costs, which are incurred even before the regulations are drafted, would be
incurred regardless of how DOJ crafted the specific regulations. However, the operational
compliance costs of the ongoing training requirements and some record-keeping
requirements for firms with more than 4 million California consumers are directly
attributable to the regulations and are therefore calculated in this assessment.
Technology costs, which cover the websites, forms, and other systems necessary to fulfill
the CCPA compliance obligations, are also quite substantial due to passage of the CCPA.
However, like operational costs, these are mostly attributable to the law, not the
regulation. As an example, consider the “Do Not Sell My Personal Information” link
required by the law. All CCPA-compliant companies must include this link on their
webpages; however, the DOJ regulations will give them guidance on what must be
included on the webpage to which the link directs consumers. While there might be some
design costs that could be attributed to DOJ’s requirements, the vast majority of the cost
of including the link is attributable to that requirement in the law.
For the areas of incremental economic impact that we have described above, the SRIA
calculates, to the extent possible, an estimate of this cost for California businesses. To
reiterate, these are the costs that we assume are directly attributable to DOJ’s
regulations, not the CCPA overall.
To put these incremental costs in perspective, we generate a back-of-the-envelope cost
of CCPA compliance, including both the statute’s baseline costs and the incremental
costs attributable to the regulations, using estimates from the TrustArc survey cited
above. Assume that smaller firms (<20 employees) will incur $50,000 in initial costs (the
median of the lowest cost category)[2], medium-sized firms (20-100 employees) incur an
initial cost of $100,000 (the maximum of the lowest cost category in the survey),
medium/large firms (100-500 employees) incur an initial cost of $450,000, and firms with
greater than 500 employees incur, on average, an initial cost of $2 million. Also assume
that 75% of all California businesses will be required to comply with the CCPA (see
Section 2.1 for detailed estimates of the number of firms affected by firm size and
industry). The total cost of initial compliance with the CCPA, which constitutes the vast
majority of compliance efforts, is approximately $55 billion. This is equivalent to
approximately 1.8% of California Gross State Product in 2018.
[2] The TrustArc survey only sampled privacy professionals from firms with at least 500 employees. Therefore, it is
very possible that we are overestimating the compliance costs for smaller firms. However, in the absence of
reliable compliance cost information for this category of businesses, applying the TrustArc estimates provides an
upper bound on the total compliance costs.