From the GDPR to the CCPA: How do your compliance costs measure up?
Updated: Jun 14, 2020
by Antimo Fiorillo
A few months ago we took a very close look at 2018 in review, primarily regarding the EU’s landmark GDPR, but also the world-wide trend of increasing privacy regulation. While the GDPR is a landmark development and the most well-known, similar laws are being passed and discussed all over the world, such as Brazil’s General Data Protection Law (LGPD), India’s Personal Data Protection Bill 2018, and the California Consumer Privacy Act (CCPA).
One key aspect of these different bills is their harmonization. We have seen it already with the GDPR: one of the most significant parts of the regulation is that it also applies to non-EU companies dealing with the data of EU citizens, which set off a worldwide scramble of international companies struggling to get compliant in an unfamiliar regulatory landscape. The GDPR and EU framework also explicitly incentivize harmonization, as the European Commission can adopt adequacy decisions, if the partner country is judged to have sufficient data protection, that allow much easier GDPR compliance for international data transfers. With this in mind, it makes sense for smaller countries (and almost everyone is smaller than the EU as a bloc) to develop their laws similarly to the GDPR in order to enable easier transfers.
A similar dynamic is playing out in the United States with the CCPA, which bears closer scrutiny. The law comes into effect January 1st, 2020—very soon, on the timescale major firms need to get compliant.
The law is less broad than the GDPR, but shares some key characteristics with it. These include data subject rights such as Disclosure, Deletion, Access, Opt-out (“Do Not Sell My Personal Information”), and Non-discrimination, which overlap substantially with the rights the GDPR grants. For instance, companies must inform data subjects of the following:
The type of personal information collected;
The tool used to collect personal information;
The purpose of collecting and selling personal information; and
The type of third parties that will receive personal information.
Perhaps the most important similarity, long-term, is the impact the CCPA will have beyond its boundaries. In the strictest sense, it only applies to companies operating in California. However, California has 40 million people and an economy that would be the fifth largest in the world if it stood alone. Just as with the GDPR, many companies will find it easier to apply CCPA protections universally, instead of treating such a large and important part of their customer base differently from the rest of the United States population.
In some respects we are in the middle of a sequence of falling dominoes: as a huge, important player adopts data protection regulations that have reach beyond their own borders, other states find it easier, and thus financially beneficial, to adopt similar regulations. After all, if you’re already getting compliant with the CCPA, you might as well do a bit more and also become compliant with the GDPR, giving yourself access to the massive EU market without needing additional compliance efforts down the line. And as other players like Japan, Brazil, or India adopt similar things, the potential benefits for getting up to speed only get bigger and bigger.
Finally, there are also the customer-facing benefits that were a large part of what prompted these regulations in the first place: scandals like Cambridge Analytica and massive data breaches are getting more and more news coverage, so many companies are using their privacy and security strengths as advertising, setting themselves apart from the competition.
The costs of getting compliant, and necessity to look ahead
Of course, as Intellegant consults on and implements GDPR compliance, particularly for US firms, we’re well aware this can be easier said than done. A very interesting new survey from DataGrail, The Cost of Continuous Compliance: Benchmarking the Ongoing Operational Impact of GDPR & CCPA, recently came out looking at GDPR compliance and applying the lessons to the CCPA. Among many other findings, it reports that:
For the GDPR:
51% of respondent companies said they were compliant with it by the May 25th, 2018 deadline,
31% by the end of 2018, and
18% were not compliant as of April 2019.
As for their spending:
26% spent less than $99,999 on consulting and technology for the GDPR,
34% of the firms spent between $100,000 and $499,999,
21% between $500,000 and $999,999,
14% between $1 million and $4,999,999, and
5% have topped $5 million.
And that’s just money; the average firm also spent between 2,000 and 4,000 hours in meetings preparing for the GDPR.
Despite all this, respondents are still worried about the CCPA, with 50% feeling the CCPA is too complex or vague, and 49% seeing no clear path for achieving compliance. Perhaps most critically, 70% thought that the systems they put in place previously will still not be compliant for future regulations. As DataGrail itself says in the report: “An overwhelming majority (79%) of companies are spending at least $100,000 on GDPR & CCPA compliance. Yet, it appears that companies are approaching each regulation on a case-by-case basis, instead of building a solution to support existing and forthcoming regulations”.
As we have demonstrated, it is extremely likely that data privacy and security will continue to be a hot topic for regulators. It’s not only demanded by consumers and voters; these laws also exert pressure on each other to take similar—though not identical—forms. As a consequence, any company with international ambitions, or even a long-term view in one single country, should take a hard look at steps to future-proof its compliance. Far better to do that, and allow yourself the wonderful worldwide flexibility that the modern data age has given us, than risk needing to spend hundreds of thousands on compliance multiple times.