International Center for Law & Economics Comments on CCPA

Opening excerpt from International Center for Law & Economics Comments on CCPA

Executive Summary

We thank the Attorney General’s Office (“AG’s Office”) for the opportunity to comment on this tin1ely and highly relevant policy discussion. We begin our analysis of the California Consumer Privacy Act (“CCPA”) with a discussion of the standardized regulatory impact assessment (SRIA) prepared for the AG’s Office by Berkeley Economic Advising and Research, LLC. The bottom-line cost figures from this report are staggering: $55 billion in upfront costs and $16.5 billion in additional costs over the next decade.  The analysis includes large benefits as well, but as we will show below, the actual costs are even higher than the SRIA estimates and the benefits fall far short of making up for those costs.

Related, the AG’s Office should take note of some of the early evidence of how the EU’s General Data Protection Regulation (“GDPR”) is faring. After its first twelve month period in force, the compliance costs were astronomical; enforcement of individual “data rights” led to unintended consequences; “privacy protection” seems to have undermined market competition; and there have been large unseen – but not unmeasurable – costs in forgone startup investment.

In one example of the ultimate scale of the compliance costs, Google reportedly spent “hundreds of years of human time” in order to be compliant with GDPR.  Nonetheless, France still found it noncompliant, levying a $57 million fine against the company for noncompliance. A report by the Internet Association of Privacy Professionals estimated that roughly 500,000 firms in the EU registered a data protection officer. Data protection officers can serve more than one organization, but the number of actual officers is undoubtedly large, and at an average salary of $88,000, amount to a huge ongoing cost.

Consider this in the context of the SRIA’s findings. The SRIA provides a very rough estimate of affected businesses based on assumptions about revenue per employee in order to arrive at a range of between 9,858 and 570,066 affected businesses. Already this rough estimate exceeds the number of firms that registered data protection officers in the EU, but the SRIA further opines that “[a] lack of data prevents us from estimating with precision the number of businesses that meet the other threshold requirements in the CCPA” – suggesting that the actual compliance costs of all affected firms could be significantly higher. And this is just for firms within California, leaving aside the compliance costs to extraterritorial firms that reach the statutory thresholds for California customers or users.

Implementation of GDPR also led to a host of unintended consequences. Although GDPR was designed to reign in the power of large ad-tech companies, like Google and Facebook, it perversely resulted in smaller vendors suffering n10re harm than the large companies. Venture funding also appears to have taken a hit, with a “17.6% reduction in the number of weekly venture deals, and a 39.6% decrease in the amount raised in an average deal following the rollout of GDPR.” And it is the latter sort of unintended consequence that should be most troubling to regulators, as all too often there do not even exist proxies like VC funding by which to judge the pro-social behavior (like starting new companies) that laws like GDPR and the CCPA silently deter.

Finally, despite the DC Circuit trimming the FCC’s 2018 Restoring Internet Freedom Order (“RIF Order”), the fact remains that the FCC still retains a conflict-preemption authority to specifically preempt state laws that are incompatible with its regulations.  To wit,

Conflict preemption applies to “state law that under the circumstances of the particular case stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress-whether that ‘obstacle’ goes by the name of conflicting; contrary to; repugnance; difference; irreconcilability; inconsistency: violation; curtailment: interference, or the like.

The DC Circuit only limited the FCC’s ability to generally preempt all potentially conflicting state laws, requiring that each preemption be challenged in a fact-intensive inquiry.