19
FORTUNE.COM // JANUARY 2020
THIS YEAR, many Americans will get
a powerful tool to protect their on-
line privacy. A sweeping new law will require
millions of businesses to tell consumers what
data they have collected about them and, if
asked, to delete it.
The law, known as the California Consum-
er Privacy Act (CCPA), could play havoc with
the online economy, since so many compa-
nies—from tech giants to ordinary retailers—
rely on targeted ads. If people demand that
companies delete their data, those ads would
be less effective.
Walmart, for example, could miss out on
sales because its online ads wouldn’t be as
personalized as before. Google, meanwhile,
risks losing a big chunk of its revenue because
generic ads command far lower prices than
ones targeted using personal data.
The effect of California’s law, which is be-
ing copied in nearly two dozen other states,
could therefore be enormous. But that’s only
if people assert their new rights after the law
goes into effect on Jan. 1—which is a big “if ”
considering that relatively few have taken
advantage of a similar privacy law in Europe,
called GDPR, that was implemented in 2018.
“Is this a big deal for thousands or hun-
dreds of thousands or millions of people? We
don’t know yet,” says Chris May, who focuses
on corporate risk for consulting firm Deloitte.
For businesses affected by the privacy
rules, however, the burden of complying is
very real. Requirements include giving con-
sumers two ways, such as an online form and
a toll-free number, to ask for their data and
to demand that it be deleted. A nonpartisan
report commissioned by California’s attorney
general says the state’s businesses will have
to spend an extra $55 billion for upfront
costs, such as legal advice and engineering,
or an extra $55,000 to $2 million for indi-
vidual firms.
While CCPA is a California law, most major
companies do business in the state and, as a
result, are impacted. Few of them can afford
to pull out of the nation’s biggest market.
To create goodwill, a handful of big compa-
nies, like Microsoft, and small ones, including
Boston-based Internet service provider Starry,
have said they would voluntarily comply with
the new law in all 50 states. So far, Starry CEO
Chet Kanojia says, only a handful of custom-
ers have asked for their data to be deleted,
while several dozen more have written to
thank the company for giving them the option
to do so.
Others, like Tim Day, a senior vice presi-
dent at the U.S. Chamber of Commerce, are
less sanguine about CCPA. He warns that the
law will ensnare thousands of smaller enter-
prises, such as florists and wineries.
California’s law exempts most firms with
less than $25 million in sales. But companies
that have data for at least 50,000 people—a
threshold that’s easily reached for businesses
that collect customer email addresses, for
instance—are subject to new rules.
“Large businesses have the capacity to
figure this out, but it’s an extreme burden for
small ones, which are the backbone of this na-
tion’s economy,” says Day.
As a result, Deloitte’s May predicts that
many small and midsize companies may not
comply with the law, calculating that they
won’t be punished or that any penalty will be
cheaper than jumping through CCPA’s hoops.
California’s Justice Department is tasked with
enforcing the law, starting July 1, following a
six-month grace period, and May suggests it’s
unlikely that florists and wineries will be top
targets. The agency declined to provide details
about its enforcement strategy to Fortune.
“We were given the responsibility to en-
force, and so that’s what we’re going to do,
working as much as we can with consumers
and businesses to make sure they’re comply-
ing with the law,” California Attorney General
Xavier Becerra says in an email.
This may not be the final word, how-
ever, because the Chamber of Commerce is
lobbying Congress to pass a federal law to
preempt CCPA. An earlier attempt by the tech
industry fell short, but Day says the Cham-
ber’s push is different in that the organization
wants to preserve the law’s broad principles,
notably the right to demand and delete most
personal data, while doing more to spare
smaller businesses.
In Congress, there has been unusual bipar-
tisan agreement to pass such a law, although
Democrats and Republicans disagree about
who should enforce it and whether it should
preempt state privacy laws. While many think
new legislation is unlikely until after the 2020
presidential election, Cameron Kerry, a privacy
expert at the Brookings Institution, believes
U.S. attitudes about privacy have changed so
dramatically that a law may pass before then.
Says Kerry: “There’s been a shift as
more members of Congress spend more
time online and worry about the implica-
tions of data privacy for their children and
grandchildren.”TECH
“L arge
businesses
have the
capacit y to
figure this
out, but it’s
an e x treme
burden for
small ones,”
says Tim Day,
a senior vice
president
at the U.S.
Chamber of
Commerce.