By Jeff John Roberts | FORTUNE
THIS YEAR, many Americans will get a powerful tool to protect their online privacy. A sweeping new law will require millions of businesses to tell consumers what data they have collected about them and, if asked, to delete it.
The law, known as the California Consumer Privacy Act (CCPA), could play havoc with the online economy, since so many companies—from tech giants to ordinary retailers—rely on targeted ads. If people demand that companies delete their data, those ads would be less effective.
Walmart, for example, could miss out on sales because its online ads wouldn’t be as personalized as before. Google, meanwhile, risks losing a big chunk of its revenue because generic ads command far lower prices than ones targeted using personal data.
The effect of California’s law, which is being copied in nearly two dozen other states, could therefore be enormous. But that’s only if people assert their new rights after the law goes into effect on Jan. 1—which is a big “if” considering that relatively few have taken advantage of a similar privacy law in Europe, called GDPR, that was implemented in 2018.
“Is this a big deal for thousands or hundreds of thousands or millions of people? We don’t know yet,” says Chris May, who focuses on corporate risk for consulting firm Deloitte.
For businesses affected by the privacy rules, however, the burden of complying is very real. Requirements include giving consumers two ways, such as an online form and a toll-free number, to ask for their data and to demand that it be deleted. A nonpartisan report commissioned by California’s attorney general says the state’s businesses will have to spend an extra $55 billion for upfront costs, such as legal advice and engineering, or an extra $55,000 to $2 million for individual firms.
While CCPA is a California law, most major companies do business in the state and, as a result, are impacted. Few of them can afford to pull out of the nation’s biggest market.
To create goodwill, a handful of big companies, like Microsoft, and small ones, including Boston-based Internet service provider Starry, have said they would voluntarily comply with the new law in all 50 states. So far, Starry CEO Chet Kanojia says, only a handful of customers have asked for their data to be deleted, while several dozen more have written to thank the company for giving them the option to do so.
Others, like Tim Day, a senior vice president at the U.S. Chamber of Commerce, are less sanguine about CCPA. He warns that the law will ensnare thousands of smaller enterprises, such as florists and wineries.
California’s law exempts most firms with less than $25 million in sales. But companies that have data for at least 50,000 people—a threshold that’s easily reached for businesses that collect customer email addresses, for instance—are subject to new rules.
“Large businesses have the capacity to figure this out, but it’s an extreme burden for small ones, which are the backbone of this nation’s economy,” says Day.
As a result, Deloitte’s May predicts that many small and midsize companies may not comply with the law, calculating that they won’t be punished or that any penalty will be cheaper than jumping through CCPA’s hoops. California’s Justice Department is tasked with enforcing the law, starting July 1, following a six-month grace period, and May suggests it’s unlikely that florists and wineries will be top targets. The agency declined to provide details about its enforcement strategy to Fortune.
“We were given the responsibility to enforce, and so that’s what we’re going to do, working as much as we can with consumers and businesses to make sure they’re complying with the law,” California Attorney General Xavier Becerra says in an email.
This may not be the final word, however, because the Chamber of Commerce is lobbying Congress to pass a federal law to preempt CCPA. An earlier attempt by the tech industry fell short, but Day says the Chamber’s push is different in that the organization wants to preserve the law’s broad principles, notably the right to demand and delete most personal data, while doing more to spare smaller businesses.
In Congress, there has been unusual bipartisan agreement to pass such a law, although Democrats and Republicans disagree about who should enforce it and whether it should preempt state privacy laws. While many think new legislation is unlikely until after the 2020 presidential election, Cameron Kerry, a privacy expert at the Brookings Institution, believes U.S. attitudes about privacy have changed so dramatically that a law may pass before then.
Says Kerry: “There’s been a shift as more members of Congress spend more time online and worry about the implications of data privacy for their children and grandchildren.”