(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)
As California, along with the rest of the country, faces an economic catastrophe that rivals that of the Great Depression, state officials face many options for helping businesses survive this crisis. While the top priorities should be making it safe to get back to work and providing financial assistance to struggling businesses, lawmakers should also avoid inflicting additional harm on businesses. Unfortunately, California is racing towards imposing a sweeping new privacy law that would cost businesses billions and stands to be overruled in just a few years.
On July 1, the California Consumer Privacy Act (CCPA) will go into effect and create onerous and costly new obligations for how businesses collect and share personal information about individuals. For businesses already struggling to make payroll and cover rent, the economic cost of complying with the CCPA will hit hard. According to an economic impact assessment of the law commissioned by the state attorney general’s office, the initial compliance costs from this law will total $55 billion. And it won’t just be large companies footing the bill—small businesses with less than 20 people can expect to spend around $50,000 for compliance, while medium-sized firms will see an increase of $100,000 to $450,000 in expenses.
It is not too late to rescind this law and reduce these unnecessary costs. While the CCPA was enacted in 2018 and officially went into effect in January, the Attorney General was not set to begin enforcement until July 1. Moreover, since the state has not yet finalized the rules, which have already undergone two rounds of revisions, many businesses have not yet committed to major changes because they are waiting on the final text of the regulations.
It would have been an uphill battle to meet this deadline in the best of times, but faced with a major workforce disruption, it is now totally impractical. Already more than 60 business groups, including retailers, restaurants, hotels, and car dealers have called for a six-month delay to give them time to comply with the rules. But the attorney general has refused, insisting these companies find a way to meet this arbitrary deadline even as many of them remain shut due to the pandemic.
While a delay would be welcome, a better option would be to repeal the law entirely. Not only would this relieve businesses from the immediate financial costs, but it would also alleviate the indirect costs that will come from constraining companies in their use of data to optimize and personalize services. Making it harder for businesses to innovate and operate efficiently will only delay economic recovery.
Of course, consumer privacy is important, but the unanticipated economic collapse should be a key factor in deciding that this is not the right law for the times. The question California lawmakers must ask themselves is how many jobs are worth sacrificing just to push through these new rules by July 1?
The irony is that the CCPA will likely prove to be entirely unnecessary. The best solution for consumers and businesses is not to have 50 different state privacy laws, but a single national privacy law. Indeed, Congress is actively pursuing legislation that would preempt all state privacy laws, so in a few years, this entire endeavor may have been nothing more than a multibillion dollar exercise in regulatory futility.
As California seeks to reopen for business, policymakers have many tough choices in the months ahead. Hitting undo on a bad privacy law is not one of those. It’s time to repeal the CCPA.