The marketing research and data analytics industry already has a helpful example of the costs of an overly broad data privacy law in the money spent attempting to comply with Europe’s General Data Protection Regulation (GDPR). A new study tries to quantify the cost of a comprehensive U.S. privacy law modeled on GDPR and the California Consumer Privacy Act (CCPA), the new law coming into effect in the Golden State on January 1, 2020.
A study from the Information Technology and Innovation Foundation (ITIF) “estimates that if Congress were to pass legislation that mirrors many of the key provisions in the GDPR or the California Consumer Protection Act (CCPA), it could cost the U.S. economy approximately $122 billion, or $483 per U.S. adult, per year, which is more than 50 percent of what Americans spend on their electric bills each year. In contrast, if Congress passed a more targeted set of privacy protections, it could still boost consumer protection, but reduce costs by 95 percent to approximately $6.5 billion per year.”
ITIF evaluated “two types of costs associated with a federal data privacy law: compliance costs and market inefficiencies." For example, a stringent federal law was estimated to cost $18 billion a year in compliance costs and about "$104 billion in market inefficiencies, which would be borne out in increased costs, decreased productivity (for both organizations and consumers), and decreased innovation." The costs on both ends would be dramatically higher if the law doesn’t preempt state and local laws.
However, the study also tried to take account of the cost of inaction, particularly when multiple states are pursuing their own conflicting morass of privacy laws, like CCPA, "which could be even more costly than overly restrictive federal legislation because of the inefficiency of having no national standard."
ITIF urges that, "Maximizing consumer welfare requires accounting for costs, because expensive rules increase prices (or reduce free access to products and services) and hinder the development of improved products and services. Federal data privacy legislation should not be a hidden tax on consumers."