ORANGE, Calif.—On behalf of California’s small-business owners who are losing income due to the COVID-19 pandemic, business leaders are asking for a new data privacy initiative to be temporarily shelved.
As of Jan. 1, companies had to comply with the California Consumer Privacy Act (CCPA), which requires some businesses that collect consumer data to give consumers access to that information and allow them to refuse its sale to third parties.
A new initiative—the California Privacy Rights Act (CPRA)—would add regulations and compliance costs to the CCPA, according to the National Federation of Independent Business (NFIB).
Californians for Consumer Privacy, the group behind the initiative, announced on May 4 it had gathered enough signatures to place the measure on the November ballot.
In a May 5 letter addressed to Alastair Mactaggart, chair of Californians for Consumer Privacy, the NFIB and 19 other organizations implored that he withdraw the ballot initiative.
“In times like this, we believe it is unreasonable to add new mandates on businesses, higher compliance costs, and additional burdens on the state economy,” the letter states.
Small-business owner Teresa Razo told The Epoch Times that any additional costs right now could make her operations unsustainable. She was already struggling to navigate the CCPA—and that was before the pandemic.
While most of the new CCRA provisions wouldn’t go into effect until 2023, she expects that it may take years to recover from current damage to her business.
‘Time and Money’
“Everything is time and money, unfortunately,” she told The Epoch Times. “And as small-business owners, that’s what we don’t have.”Because all the laws are changing, she said, it’s become essential to pay for expert advice on compliance.
“It has been really, really hard.”
She and her husband, Leo, own two restaurants in Orange County: Cambalache Grill in Fountain Valley, and Villa Roma in Laguna Hills.
Gov. Gavin Newsom’s March 19 stay-at-home order immediately affected her financially. Cambalache Grill’s revenue dropped 78 percent “within days,” she said.
“I think probably one of the hardest things I had to face ... was to lay off some of my staff,” she added. “Especially my staff that’s been with me for 10, 12 years.”
The other restaurant, Villa Roma, fared somewhat better, because one half of the building functions as a market and deli. Even so, income rapidly dropped by 60 percent.
“The first week I was a mess,” Razo said.
Since then, things have gotten steadily worse for Razo, who is also president of the Fountain Valley Restaurant Association and a member of the Orange County Hispanic Chamber of Commerce.
“There’s a chance that we could lose ... both [businesses],” she said. “But, you know, there’s a big chance we’re losing one.”
Any additional costs could be the difference between surviving or going under, she said.
“We’ve always put business, employees, and community first, and then sometimes, we pay ourselves,” she said. She added that “all these regulations” associated with the CCPA are going to “put an extra burden on us.”
“It’s time and money,” she says. “And sometimes, you know, it’s something where you have to have each of your employees under certain training ... And it’s not that we have a couple thousand dollars there, just to see what we can spend it on—especially now.”
Mactaggart’s Response
But Californians for Consumer Privacy has no intention of postponing the initiative.“I’m not receptive to this notion that because of coronavirus we now need to [withdraw CPRA],” Mactaggart told The Epoch Times. “I think businesses and various chambers of commerce ... have used, in the last five years, every excuse under the sun to claim that privacy is incompatible with good business or profitability. I don’t agree with that at all.”
He said CCPA is “a tremendous achievement in this country; by far the most far-reaching consumer privacy law.” And CPRA improves it—in favor of small businesses, he said.
Not Targeting Small Businesses
The CCPA applied to businesses that collect information from 50,000 or more California residents annually. The CPRA raises that threshold to 100,000, Mactaggart said.He said the initiative isn’t targeting small businesses, but rather larger enterprises that deal in massive amounts of personal data.
“One of our intentions here was to make life easier for small business,” he said. “You’ve got to go where the problem is, and the problem is not with the mom-and-pops. The problem is with big purveyors of information.”
The CCPA currently applies to any California business that collects data if it meets one of three conditions: if it makes more than $25 million in annual gross revenue, collects data from more than 50,000 California residents annually, or makes 50 percent or more of its annual revenue selling personal information.
For many small businesses, however, figuring out whether they fall under the purview of the law and under the new initiative takes resources, said John Kabateck, the California state director for NFIB.
Restaurants and retailers are among the businesses most affected by the current crisis. And both the CCPA and CPRA “have really been targeted toward” those businesses, in particular, Kabateck told The Epoch Times.
“This is the worst possible time you could be adding more layers of regulations and costs and liability to small businesses that are barely hanging on,” Kabateck said. “All we’re asking is: Do no harm.”
Kabateck said small businesses have been crushed by the pandemic, “and now, you’re going to create a whole new set of rules that are going to create … a further, bigger labyrinth for small businesses?”
The May 5 NFIB letter argues that CCPA’s confusing language, the absence of finalized regulations, and high compliance costs will devastate small businesses that are already struggling.
The letter was signed by the California Small Business Association, the California Asian Chamber of Commerce, the California Black Chamber of Commerce, and the California Hispanic Chamber of Commerce, among others.
Costs Could Be $50,000 Per Small Business
An assessment of CCPA by Berkeley Economic Advising and Research—commissioned by the Attorney General’s Office in 2019—estimates that small businesses with 20 or fewer employees would have to pay an estimated $50,000 in initial compliance costs.Statewide, the approximate initial compliance cost would be approximately $55 billion—the equivalent of 1.8 percent of California’s 2018 gross state product.
But Mactaggart contested those numbers.
“They don’t tell you how they calculated it,” he said. “I was really shocked at how shoddy the actual study was. ... This is, quite frankly, not good work, with basically no data.”
‘Let Us Figure Out How We Can Survive’
Razo said, “It’s not that we don’t want to continue to make things better, but honestly, compliance right now is quite impossible.”Reopening won’t be the same as returning to normal, she said. For example, her restaurants will likely be forced to use disposable items, which she called a “different burden.”
“I’m sure we’re going to have capacity limitations,” she said. “We’re going to have a lot of limitations and expectations, and it’s going to cause us to bleed.”
Due to the crisis, she feels, a lot of things—like CCPA and CCRA—should be “put to the side.”
“First, let us figure out how we can survive,” she said.