On November 3rd, California voters passed Proposition 24, enshrining the California Privacy Rights Act of 2020 (CPRA) into state law, and expanding the consumer privacy protections established by the California Consumer Privacy Act of 2018 (CCPA). Unfortunately for Californians, CPRA imposes far too many financial burdens on businesses that will stifle innovation and centralize market power in the hands of large companies, while also exacerbating the digital divide between wealthy and lower-income Americans.
One of the major risks following Proposition 24 is that states across the country will follow California’s lead and implement stringent data privacy and protection laws that hurt both businesses and consumers. The only way to prevent this would be for the federal government to pass its own data protection legislation that preempts state laws and balances the needs of consumers and businesses.
The fear that other states could follow California is not fictional as a number of states have CCPA copycat laws in various stages of the legislative process. Maine and Nevada, for example, have both passed laws very similar to CCPA, while sixteen other states have bills in various stages of the legislative process. Without a federal data privacy law, these CPRA copycat laws could well become enshrined into state law beyond California, Nevada and Maine, inflicting greater harm to consumers and businesses across the country.
One of the principal flaws of Proposition 24 is the fiscal impact it will impose on businesses and consumers. The California Legislative Analyst’s Office estimates Proposition 24 would cost the state approximately $10 million per year, a fee that might be paid by taxpayers if there aren’t sufficient violations to meet the cost of enforcement. That fee does not include the likely increased workloads on the State Department of Justice and Courts.
CPRA would impose further compliance costs on already cash-strapped businesses that could stifle innovation and centralize the market in the hands of larger companies. The economic impact of CCPA, for example, showed smaller firms with fewer than twenty employees, “will incur $50,000 in initial compliance costs,” medium-sized enterprises with between twenty and one hundred employees will “incur an initial cost of $100,000,” larger firms that employ between one hundred and five hundred employees “will incur an initial cost of $450,000,” and the largest companies that employ over five hundred people can expect to pay “an initial cost of $2 million.” In total, compliance with CCPA will cost $55 billion. Given the more stringent requirements set forth by CPRA, it seems perfectly reasonable to expect the costs of ongoing compliance to go up.
These significant compliance costs are particularly problematic for smaller companies because, unlike their larger counterparts, they do not have the start-up capital to run effective compliance programs or the resources to defend themselves against charges of data misuse. Facing these significant financial barriers, fewer entrepreneurs will be able to start smaller tech companies, and the power of large companies will have their market share reinforced.
When assessing the economic effects of CCPA, the State of California has acknowledged this, stating that smaller businesses “do not have the internal capacity to manage compliance,” and that many “small firms have struggled to meet compliance costs” of enhanced privacy regulation.
Not only does CPRA impose further compliance costs on California businesses, disproportionately affecting smaller companies, it could also create a situation whereby wealthier Americans can pay for enhanced privacy and data protection while lower-income Americans are forced to opt-out of protections. Numerous organizations, such as the ACLU and League of Women Voters have warned “Prop 24 expands the ability, which already exists in CCPA, for businesses to provide inferior service for consumers who do not pay to protect their confidential information and superior service for Californians who do pay.”
This is particularly problematic because it prevents lower-income Californians, who are more focused on meeting ends meet, from receiving the same standard of service as wealthier Californians who have significant disposable income. This will further reinforce the digital divide that exists between rich and poor when states should be taking steps to bridge it. The fact that states outside of California have attempted to replicate its regulatory environment should concern every American given the recent passage of Proposition 24 and the harm it will cause to Californians. Not only is Proposition 24 bad for California’s businesses and consumers, but it would also be bad for America if other states follow California’s lead. The only solution is a federal data privacy law that preempts state legislatures.