Nice Thought, Poor Execution: Why the Dormant Commerce Clause Precludes California’s CCPA From Setting National Privacy Law

70 Am. U. L. Rev. F. 75 (2020).

* Senior Symposium Editor, American University Law Review, Volume 70; J.D. Candidate, May 2021, American University Washington College of Law; B.A. Dance and Political Science, 2018, The George Washington University. I am extremely grateful to the many people that helped me take this piece from blank page to publication. I would like to thank my editor, Daniel de Zayas, my faculty advisor, Stephen Wermiel, and the entire AULR staff for their constant support, diligent feedback, and valuable assistance in creating this piece. I would also like to thank my family, friends, and Ben for always encouraging me in my endeavors, and for their steadfast support throughout my law school career.

Technology plays a growing role in the lives of Americans. As technology’s role in society increases, so does the amount of data companies collect from their consumers. News outlets are publishing an increasing number of stories about how shocking amounts of data are stored and collected with very few checks on the organizations that take part in these practices. Consumers are increasingly aware of the vast amount of data collected by companies, leading to widespread digital privacy anxiety. In the absence of a national law, states have stepped in to tame this largely unregulated space. The California Consumer Privacy Act (CCPA) constitutes California’s effort to fill in the void left by the lack of federal privacy legislation. The CCPA attempts to provide comprehensive data privacy protections to California’s citizens.

This Comment argues that the CCPA, in its current form, violates the dormant Commerce Clause because it imposes an undue burden on non-California-based businesses by compelling them to comply with stringent requirements before collecting or processing California citizens’ personally identifiable information. Furthermore, it urges that Congress should interpret the CCPA as a public desire for a national comprehensive privacy law and work to pass legislation that gives Americans legitimate privacy rights.

Introduction

Increased integration of technology into the everyday lives of Americans means that more Americans must confront their blatant lack of digital privacy. A father of a teenage daughter was enraged when Target coupons for baby and pregnancy-related products arrived via mail addressed to his daughter. Much to his surprise, the coupons were not the result of a poorly designed ad campaign, but rather Target had predicted his daughter’s pregnancy before she had the chance to tell him.¹ Rosie Spinks, a runner, was shocked to discover that her “Enhanced Privacy” settings on the popular running app Strava broadcasted her habitual running routes that strangers could view.² In the workplace, companies track employees’ texts, chats, emails, and meetings and even review recorded and transcribed phone calls, all under the guise of measuring “productivity, management efficacy[,] and work-life balance.”³ Consumers are beginning to realize how little control they have over data that is shared about them.⁴ There are an increasing number of stories published about how shocking amounts of data are stored and collected with very few checks on the organizations that take part in these practices.⁵

While most individuals’ privacy horror stories result in nothing more than nominal insecurity and inaction, Alastair Mactaggart’s digital privacy anxiety led to one of the largest developments in the history of U.S. privacy law. During an evening of pizza and wine at his Oakland, California home, Mactaggart, a wealthy real-estate developer, brought his privacy concerns to a friend who just so happened to be a software engineer at Google.⁶ Much to Mactaggart’s dismay, his friend informed him that “there was plenty to worry about, [that i]f people really knew what [Google] had on them, . . . they would flip out.”⁷ This conversation was the genesis of what would soon become the first comprehensive data privacy law in the United States, which would be would be written, debated, and passed in less than a week: the California Consumer Privacy Act⁸ (CCPA).⁹

The CCPA constitutes California’s effort to fill in the void left by the lack of federal privacy legislation. While the United States has some federal privacy laws, these laws are either specific to a certain industry or govern how a business can use certain categories of data, but the laws do not cover all situations through which privacy concerns can arise.¹⁰

Directly responding to consumers’ growing digital privacy anxiety, the CCPA grants California residents unprecedented statutory privacy rights, such as the right to know what information businesses collect and the right to request that businesses delete the information altogether.¹¹ Businesses subject to the CCPA must give consumers the opportunity to exercise those rights¹² and are barred from discriminating¹³ against consumers who choose to exercise their rights. Notably, however, the CCPA’s business definition includes a broad material scope because the threshold for the amount of data that a business must process before it must comply with the law is relatively low.¹⁴ Businesses subject to the CCPA range from tech giants like Amazon, Google, and Facebook to mom-and-pop shops located wholly outside of California.¹⁵ The CCPA’s intended targets will certainly be forced to overhaul their data practices, but the CCPA’s wide reach created unintended consequences.¹⁶

The boundaries of the CCPA’s broad material scope are circumscribed by the dormant Commerce Clause. The dormant Commerce Clause—sometimes called the negative Commerce Clause—is an implied limitation on the states’ authority to burden or regulate interstate commerce.¹⁷ Generally, a state’s regulation amounts to regulating interstate commerce if (1) it is discriminatory against out-of-state business;¹⁸ (2) it is non-discriminatory, but the burdens the regulation places on interstate commerce outweigh the local benefits (this balancing act is called the Pike test);¹⁹ (3) it regulates conduct that takes places wholly extraterritorially;²⁰ or (4) it is one of many inconsistent regulations across multiple states.²¹ The CCPA does not impose different requirements on companies outside of California compared with California-based companies.²² However, to comply with the CCPA, businesses all over the country must spend significant amounts of time and money overhauling their data privacy practices—all in exchange for the residents of one state to have legitimate privacy rights.²³

This Comment argues that the CCPA, in its current form, violates the dormant Commerce Clause because it imposes an undue burden on non-California-based businesses by compelling them to comply with stringent requirements before collecting or processing California citizens’ personally identifiable information. Furthermore, it urges that Congress should interpret the CCPA as a public desire for a national comprehensive privacy law and work to pass legislation that gives Americans legitimate privacy rights. Part I explains the perceived need for a comprehensive privacy law in the United States and explores the development and specific requirements of the CCPA. Part II discusses the history of the dormant Commerce Clause and examines how courts have interpreted the dormant Commerce Clause to both strike-down and uphold state internet regulation in the form of both pornography²⁴ and anti-spam statutes.²⁵ Finally, Part III argues that the CCPA violates the dormant Commerce Clause because it imposes an undue burden on non-California-based businesses, constitutes an extraterritorial regulation of interstate commerce, and raises legitimate concerns about the potential for multiple conflicting laws. This Comment concludes that courts should strike down the CCPA as unconstitutional and that Congress should pass a comprehensive national privacy law because regulation of the use of consumer data is imperative and states cannot enact their own laws without exceeding the scope of their authority.

1. The California Consumer Privacy Act

Applying a dormant Commerce Clause analysis to the California Consumer Privacy Act first requires a thorough understanding of the CCPA. This Part explores the nation’s attitude towards privacy, which led to the CCPA’s development. It also discusses the CCPA’s scope, compliance costs, and open questions concerning the CCPA’s impact.

A. Privacy in the United States

Following the Cambridge Analytica scandal—an incident that exposed the data of eighty-seven million Facebook accounts to be used for nefarious purposes²⁶—many Americans began to realize how much of their sensitive personal information is gathered, stored, and sold on a regular basis. Consumers consistently sign away their rights to their personal identifiable information without even taking the time to open a company’s privacy policy.²⁷ Even if a consumer did take the time to read that policy, she may not even understand it because these policies are typically written in language that is difficult for the layperson to understand.²⁸ Additionally, even if the consumer is able to understand the policy, she likely would not be stopped from clicking “I Agree to the Terms and Conditions.”²⁹ Since there is no longer any way to prevent marketers or malicious actors from gathering and using personal information, it is not hard to see why some believe that digital “privacy is dead.”³⁰ Americans’ ever-growing dependency on technology at work, at school, and at home and the rise of the Internet of Things³¹ only seems to cement the idea that privacy rights no longer exist.³²

This notion, that privacy rights are dwindling, is not unique to the United States.³³ In April of 2016, the European Parliament approved the General Data Protection Regulation (GDPR),³⁴ which went into effect in May 2018.³⁵ This sweeping regulation was the first comprehensive privacy law with a major global impact. The GDPR created meaningful protections for personal information in the European Union (EU), and it created punitive measures for organizations that fail to comply.³⁶ Perhaps the GDPR’s biggest impact was introducing the world to the concept of a “data protection law.”³⁷ Following the implementation of the GDPR, consumers worldwide began to expect more from companies managing their data.³⁸

While the United States has some privacy laws, these laws are specific to a certain industry or they govern how certain types of data can be used.³⁹ There is currently no national law governing the general use of data, and the limited existing U.S. privacy law is extremely narrow and does not cover all of the situations in which privacy concerns can arise.⁴⁰ Accordingly, consumers are increasingly aware of how little control they have over their data⁴¹ thanks to the constant stream of privacy horror stories about the amount of data that is stored, collected, and sold with little to no oversight on the data collectors.⁴²

B. The Beginnings of the CCPA

The origins of the CCPA rest in millionaire Alistair Mactaggart’s discomfort with the United States’ delayed approach to regulating digital privacy.⁴³ While Americans generally share this discomfort,⁴⁴ Mactaggart went a step further than most. He researched how much information companies really knew about him by educating himself about data mining and online tracking practices.⁴⁵ He scrutinized privacy policies that the average person barely gleaned and discovered that “there was no real limit on the information companies could collect or buy.”⁴⁶ He learned that the primary purpose of all this data was to help businesses accurately advertise and sell him products that he may want.⁴⁷ Alarmingly, the amount of data available for sale allows businesses to predict consumer spending habits with incredible accuracy. In fact, “[w]ith Silicon Valley’s help, [advertisers] could make increasingly precise guesses about what [consumers] wanted, what [they] feared, and what [they] might do next: Quit [their] job, . . . have an affair, or get a divorce.”⁴⁸

Mactaggart, horrified by what he learned, felt the need to act.⁴⁹ He poured $3.5 million of his own money into calling attention to Californians’ lack of digital privacy.⁵⁰ After consulting with privacy experts, Mactaggart learned that Silicon Valley would fight hard against any meaningful privacy regulation that the legislature tried to pass.⁵¹ Mactaggart focused his efforts on drafting a ballot initiative that would bypass the California legislature and bring the data privacy issue directly to voters.⁵² If passed, this initiative would impose significant legal, technical, and administrative burdens on companies, promising almost certain doom for the tech industry:

Under the proposed law, every California consumer could demand, from most large businesses, an outline of his or her digital dossier, showing what categories of personal information the company had collected. Mactaggart and Soltani included nearly every category of personal information that they could think of: not only whether the companies had collected your name and address but also if they had collected your browsing history, your fingerprints, your face scans or your location data. They would also be required to inform consumers if they were drawing “inferences,” the sophisticated guesses companies make about, say, your dating habits or your taste in convertibles. And if consumers didn’t like the deal, they could “opt out,” demanding that companies no longer sell or share any data in a given category.⁵³

This initiative promised to cripple Silicon Valley. In addition to being difficult to amend, the CCPA includes strict guidelines, hefty compliance costs, and harsh enforcement provisions that would be “toxic to the business community.”⁵⁴

Mactaggart’s initiative found quick favor with voters and received the necessary number of signatures to ensure his initiative would be on the ballot for the November 2018 election.⁵⁵ While the Secretary of State certified Mactaggart’s initiative, Mactaggart still faced significant personal costs before the ballot initiative would win over the majority of voters.⁵⁶ The technology industry was prepared to spend a lot of money to keep Mactaggart’s initiative from becoming law.⁵⁷ Therefore, Mactaggart offered the California legislature a deal: draft a meaningful comprehensive privacy law that aligns with the spirit of his initiative, and he would formally withdraw his initiative from the ballot.⁵⁸ This was an attractive proposition to both parties; the California legislature had the opportunity to play a role in developing California’s privacy legislation, and Mactaggart “would get his desired policy outcome without spending the millions more needed to contest the $100M that opponents threatened to spend.”⁵⁹

Moving at unprecedented speeds, the California legislature introduced, amended, and passed the California Consumer Privacy Act.⁶⁰ The governor signed the bill into law on June 28, 2018—just seven days after the bill was introduced.⁶¹ The process did not include ample opportunity for consumer or business input.⁶² With the passage of the CCPA, the business community is “now faced with a ‘take it, or leave it’ scenario which is very problematic given that the business community overall has had little input to these negotiations.”⁶³ This “rushed and non-inclusive process”⁶⁴ resulted in a law that is riddled with egregious typos,⁶⁵ drafting errors,⁶⁶ and flawed policy.⁶⁷ The numerous errors make the CCPA extremely confusing and hard to follow.⁶⁸ The California legislature passed amendments to the CCPA through September 2019, and the Attorney General did not release the final regulations until June 2020—after the legislature rewrote the bill three times.⁶⁹ The CCPA went into effect on January 1, 2020, with many businesses still wondering how exactly to comply with the cumbersome law.⁷⁰ At the time of writing, the final regulations total 11,000 words, which largely ignore comments from the business community and remove business-friendly regulations.⁷¹ Despite the “final” regulations becoming effective in August 2020, the California Attorney General proposed additional modifications in October 2020.⁷²

C. A Closer Look at the CCPA

While Mactaggart’s original version of the initiative was taken off the ballot, it still managed to lay the foundation for the CCPA.⁷³ The CCPA’s purpose is to provide comprehensive data protection to California residents.⁷⁴ To achieve this goal, the statute is purposefully wide-ranging and contains definitions that are intentionally vague.⁷⁵ This Section highlights key provisions that raise dormant Commerce Clause concerns.

Since January 1, 2020, California residents⁷⁶ have the right to know what personal information businesses subject to the CCPA have collected, sold, and disclosed.⁷⁷ California residents must be given the opportunity to opt-out of the sale of their personal information—a broadly defined term⁷⁸—and must be protected from “discrimination” should they choose to exercise these rights.⁷⁹ An estimated half a million U.S. companies—primarily small- and medium-sized businesses—fall within the CCPA’s grasp.⁸⁰ A business is subject to the CCPA if it does any amount of business in California and has more than $25 million in revenue, received or shares personal information for commercial purposes of 50,000 or more consumers, or derives fifty percent or more of its annual revenue from selling consumers’ personal information.⁸¹ This broad definition encompasses all kinds of businesses, even ones that exist entirely outside California.⁸²

Additionally, the CCPA demonstrates to the forty-nine other states that comprehensive privacy regulation is possible and opens the door to fifty competing and conflicting laws.⁸³ The CCPA is the first of what will likely be many state laws governing the use of data.⁸⁴ The California legislature’s rapid passage of the CCPA also demonstrates that states can enact data privacy legislation quickly.⁸⁵ The possibility of a multitude of conflicting laws appearing almost overnight would create problems for the businesses required to comply with them.⁸⁶

Further, the CCPA requires companies to significantly overhaul privacy and data practices shortly after many of these companies were required to change those same practices to comply with the GDPR.⁸⁷ For some, compliance with the CCPA means significant costs, some of which are not practical.⁸⁸ Even if a business takes steps to avoid doing business in California, the internet has created a world without borders, facilitating unprecedented commercial opportunity.⁸⁹ The smallest businesses located entirely outside of California likely processes some data of California residents, and taking steps to avoid the world’s fifth largest economy⁹⁰ could prove detrimental to certain businesses.⁹¹

1. Scope, compliance, and predicted impact

The CCPA is a unique privacy law that attempts to give Californians legitimate privacy rights in a world where digital anxiety about consumers’ lack of control over their personal information runs rampant. However, the CCPA reaches beyond the borders of California and imposes its requirements on businesses that may not have the means to comply. Its rushed passage and vague definitions leave many businesses with open questions about CCPA compliance. This Section explores the CCPA’s broad scope, compliance requirements, and remaining ambiguities.

a. The scope of the CCPA

Due to its vague and untailored definitions, the CCPA has a broad material scope. Unlike other U.S. privacy laws, the CCPA covers all types of personal data.⁹² The CCPA does not give any relevance to the data’s origin or intended use.⁹³ If the information a business collects fits the CCPA’s broad definition of “personal information,” the law protects that information.⁹⁴ The CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”⁹⁵ The CCPA then goes on to define eleven non-exhaustive categories of information that exemplify its definition of “personal information.”⁹⁶ However, some of these categories mention types of personal information that are unclear or seemingly non-existent.⁹⁷ The only categories of data that are explicitly carved out of this definition are (1) information that is publicly available⁹⁸ and (2) information that is deidentified or collected as “aggregate consumer information.”⁹⁹ However, the CCPA provides no guidance as to determining when information is “personal information” as opposed to “deidentified or aggregate consumer information.”¹⁰⁰ Further, the CCPA’s definition of personal information is substantially different from existing federal and state privacy law, making it more difficult for businesses to identify what information should be protected by the CCPA.¹⁰¹

The CCPA applies to any for-profit entity that “collects consumers’ personal information.”¹⁰² Like its definition of “personal information,” the CCPA’s definition of “business” is broad and encompasses a wide range of businesses with differing abilities to comply.¹⁰³ A business that has any activity in California is subject to the CCPA if the business meets one of three statutory thresholds: (1) it has more than $25 million in annual gross revenue, (2) it buys, receives, sells, or shares the personal information of 50,000 or more consumers annually, or (3) it derives fifty percent or more of its annual revenue from selling consumers’ personal information.¹⁰⁴ The CCPA only excludes the collection or sale of a “consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California,”¹⁰⁵ meaning that, to be exempt from the law, no part of a data sale can take place in California, and no data collected from California can ever be sold.¹⁰⁶ This only implicates businesses that have minimal connections to California or none at all. A business that swipes an average of 137 credit cards a day or “less than [fourteen] sales per hour over a [ten]-hour business day” would still be subject to the CCPA.¹⁰⁷ This is a low threshold that many local boutiques, coffee shops, and mom-and-pop restaurants satisfy.¹⁰⁸ The International Association of Privacy Professionals (“IAPP”) estimates that over 500,000 U.S. companies fall within the CCPA’s grasp.¹⁰⁹ The extremely broad scope of the CCPA’s “business” definition encapsulates the major tech giants with whom the architects of the CCPA were primarily concerned but also captures many smaller businesses that do not have the means to comply.¹¹⁰

b. Compliance and its challenges

The CCPA establishes significant individual rights for California residents. A majority of these rights create legitimate protections but simultaneously present serious challenges to businesses attempting to provide these complicated rights to their customers.¹¹¹ Businesses are facing extraordinary burdens in their attempts to operationalize the CCPA’s consumer rights and opt-out requirements.¹¹² The following are new rights created under the CCPA, each of which poses unique difficulties for businesses.¹¹³

i. The right to know & the right to access

A major contributing factor to global digital privacy anxiety is the average consumer’s lack of knowledge on how much and what kinds of data businesses collect.¹¹⁴ Prior to the CCPA, businesses could generally provide information to consumers about what categories of data they collect about consumers. Businesses typically do this in a privacy policy or a terms and conditions agreement.¹¹⁵ However, these policies are frequently written in complicated language and rarely read by consumers.¹¹⁶ The CCPA creates several key rights for consumers that center around the right to know about a business’s data collection practices and the right to access that information.

The CCPA mandates that businesses disclose their general data policies and practices to consumers and requires that businesses provide ongoing insight to consumers regarding data collected about generic consumers.¹¹⁷ At or before collection, the law requires a business to notify consumers of the business’s “generic collection practices,” which inform the potential customer about what categories and specific pieces of information the business collects.¹¹⁸ A consumer can also request a business’s generic collection practices at any point following collection.¹¹⁹

The CCPA goes beyond generic data practices and extends “the right to know” to the consumer’s own personal information.¹²⁰ The CCPA enables consumers to request a business which collects that consumer’s personal information disclose: (1) the categories of information collected about that consumer, (2) the source from which the consumer’s personal information is collected, (3) the businesses or commercial purpose for collecting or selling the consumer’s personal information, (4) the categories of third parties with whom the business shares the consumer’s personal information, and (5) all specific pieces of the consumer’s personal information it has collected.¹²¹ Prior to the CCPA, some companies may have allowed for consumers to request some of their personal information; however, the CCPA requires companies to provide consumers with unprecedented access to their personal information.¹²²

A general “right to know” what information a business collects and “right to access” that information pose an extreme challenge to businesses.¹²³ Many businesses do not currently have the infrastructure to handle these types of data requests because these businesses do not understand how much data they possess.¹²⁴ One study estimates that fifty-four percent of businesses do not know where all of their sensitive data is stored, and sixty-five percent of businesses do not have the ability to analyze and process all the data they collect.¹²⁵ Within one company, expansive “data sprawl” makes it difficult for a company to know exactly how much data it has on one individual.¹²⁶ For example, if a company ran a month-long promotion collecting emails, that information may have been placed in a database that was used for a short period of time and then quickly forgotten.¹²⁷

Further, most businesses do not collect and process data through standardized methods.¹²⁸ The data is organized into multiple databases that were developed in silos.¹²⁹ Many data-processing systems were designed and developed thirty to forty years ago with dated technology that was not designed with consumer privacy in mind.¹³⁰ Among those databases, the metadata that describes the customer’s personal information may differ across systems.¹³¹ Without sophisticated supplemental technology, businesses may struggle to determine whether John H. Smith, John Harry Smith, or J. Smith are different customers. While some companies are beginning to implement data-mapping strategies to combat these problems, this solution is expensive and labor intensive.¹³² Larger businesses will eventually develop the necessary infrastructure to process and respond to consumer requests, but small- and medium-sized businesses likely will not, forcing them to make tough decisions about avoiding the California marketplace altogether.¹³³

Another challenge facing businesses is the CCPA requirement for a covered business to provide a consumer with requested information in response to a “verified consumer request.”¹³⁴ The CCPA provides that the Attorney General is tasked with developing additional rules consistent with the CCPA.¹³⁵ In June of 2020, the Attorney General released his “final” draft of the CCPA regulations.¹³⁶ The regulations provide vague guidance.¹³⁷ The regulations treat the verification of a consumer requests as a fact-specific scenario. The regulations call for businesses to consider six factors when verifying consumer requests: (1) the type of information requested; (2) the risk of harm to the consumer; (3) the likelihood a nefarious actor would seek out the data; (4) whether the business can actually verify the consumer’s identity based on the information the business has; (5) how the business interacts with the consumer; and (6) the available technology for verifying the consumer’s identity.¹³⁸ This test transforms verifying consumer requests into a case-by-case-process—minimizing the consumer right while maximizing the onus on businesses.

The majority of businesses struggle to comply with existing privacy laws.¹³⁹ If a business responds to a “consumer request” filed by a bad faith actor, that business, in its attempt to comply with the CCPA, provides a neatly-packaged data portfolio for which there may be detrimental consequences.¹⁴⁰ Particularly for smaller businesses, poor guidance on verifying consumer requests could provide nefarious actors with easy access to sensitive personal information.¹⁴¹ Verifying data requests is difficult and, if done improperly, could compromise the personal information of the very individuals the CCPA seeks to protect.¹⁴²

Operationalizing “the right to know” and “the right to access” is a burdensome task for any business. Businesses must develop new policies, create new database architecture, and implement new data management practices.¹⁴³ For small- and medium-sized businesses, these rights will require both a heavy administrative lift and large costs that may severely impact these businesses’ bottom line.¹⁴⁴ The CCPA’s “right to know” and “right to access” may provide consumers with a little more control over their data but will harm smaller businesses in the process.

ii. The erasure right

The CCPA provides that “[a] consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”¹⁴⁵ This right to be deleted is reminiscent of the GDPR’s “right to be forgotten.”¹⁴⁶ The “right to be deleted” proves to be one of the most difficult challenges facing businesses preparing to comply with the CCPA.¹⁴⁷

Businesses cannot delete all of a consumer’s information because they may not know where that information is located.¹⁴⁸ Many businesses do not have a complete understanding of the location of all of their collected data.¹⁴⁹ For the same reasons that businesses fail to aggregate a single consumer’s information, businesses will struggle to track down all the information to fully comply with a “verified consumer’s” deletion request.¹⁵⁰ The final draft of the California Attorney General’s regulations states that “a business may present the consumer with the choice to delete select portions of their personal information only if a global option to delete all personal information is also offered and more prominently presented than the other choices.”¹⁵¹ Providing customers with a “global option” is an impossible task if a business is not equipped to map and process all of its collected data.

Deleting a consumer’s data prematurely can have significant consequences affecting a company’s ability to provide its goods and/or services. The CCPA exempts deletion requests for data necessary to complete transactions, uphold legal obligations, maintain security and functionality, protect First Amendment rights, conduct research, and for internal, normal, and lawful uses.¹⁵² However, businesses are required to examine the nuances of each exemption to the “erasure right” to determine if one is applicable at the time of a consumer request.¹⁵³ Businesses will face immense administrative burdens when attempting to process these deletion requests and when determining if a relevant exception applies.¹⁵⁴ In some cases, it may be impossible to anticipate at the time of the request if a relevant exception is applicable—potentially rendering this right useless.¹⁵⁵ For example, in both ongoing and anticipated civil litigation, it is common for businesses to provide their attorneys with huge amounts of information that likely falls within the scope of the CCPA. The CCPA would require businesses to “maintain an inventory of what consumer information is collected and produced in civil litigation” to be deleted when (and if) the litigation ends.¹⁵⁶

Finally, proving that businesses have deleted customers’ requested data is one of the biggest ambiguities concerning CCPA enforcement.¹⁵⁷ The act of deleting data is costly and may be difficult—if not impossible—to prove.¹⁵⁸ Fully deleting data is a complicated, multi-step process.¹⁵⁹ The Attorney General’s final regulations require that businesses “inform the consumer whether or not it has complied with the consumer’s request.”¹⁶⁰ However, this puts businesses in the tough situation of confirming consumer’s deletion requests without having the means to prove that the data was actually deleted.

iii. The right to “opt-out” of data sales

The CCPA mandates that “[a] consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.”¹⁶¹ This provision of the CCPA empowers the consumer to control a business’s ability to sell that consumer’s data.¹⁶² This opt-out provision applies to a wide variety of transactions because the CCPA defines “sale” very broadly¹⁶³ to include any data exchange from one business to another “for monetary or other valuable consideration.”¹⁶⁴ After a consumer asserts her right to opt out of data sales, a business cannot request the consumer to allow the business to sell her data again for a minimum of twelve months.¹⁶⁵

The right to opt out of data sales is an easier provision to implement than the “right to know,” “the right to access,” or the “erasure right.”¹⁶⁶ Generally, when businesses are sharing data with third parties, there is a paper trail.¹⁶⁷ Businesses who explicitly sell data will be able to pinpoint exactly what data is actively being shared and enable consumers to “opt-out.”¹⁶⁸ While businesses may have an easier time identifying the data they share or sell to third parties, there are still considerable challenges associated with providing this right to consumers. Businesses will need to develop strategies to record and track these requests, which is an enormous administrative burden on small- to medium-sized businesses that rely on consumer data sales to provide free services.¹⁶⁹

iv. Anti-discrimination provisions

The CCPA bars any businesses from discriminating against a consumer who chooses to exercise her CCPA rights.¹⁷⁰ However, the CCPA does provide for an exception to incentivize consumers to allow businesses to sell their data:

A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the business by the consumer’s data.¹⁷¹

The classic example is a business providing coupons to consumers who provide their email at check out. The business is able to sell the consumer’s data and in return the company rewards the consumer with coupons.

v. Minimal private right of action that only exists where there is a data breach

The CCPA provides that:

Any consumer whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . .¹⁷²

In the event of a data breach, a consumer may recover anywhere from $100–$750 in statutory damages or actual damages, whichever is greater, “per consumer per incident.”¹⁷³

This is a significant shift from other data breach laws that require the Attorney General to bring an enforcement action against businesses that failed to maintain reasonable security procedures.¹⁷⁴ However, the CCPA does require that consumers give businesses a thirty-day opportunity to “cure” that breach before bringing a civil action against that business.¹⁷⁵ In any other circumstance not involving a data breach, the California Attorney General has the exclusive right of action and only after providing the delinquent business with a thirty-day cure period when consumers suffer no actual pecuniary damages.¹⁷⁶ This minimal private right of action lacks the “teeth” that the California legislature promised Mactaggart.¹⁷⁷ Mactaggart and his fellow sponsors of the CCPA were unsatisfied by the final amended product, and the team has launched a new initiative called the California Privacy Rights and Enforcement Act of 2020.¹⁷⁸

The CCPA went into effect on January 1, 2020; however, the final impact of the law remains unclear.¹⁷⁹ California lawmakers passed the CCPA in 2018, California lawmakers were passing amendments through late 2019. The California Attorney General, tasked with clarifying ambiguous portions of the law, issued his “final” regulations, which went into effect in August 2020.¹⁸⁰ Nevertheless on October 14, 2020, the AG released yet another draft of regulations currently pending Office of Administrative Law approval. The CCPA is in effect, yet businesses must follow new versions of regulations that come out every few months.

II. The Dormant Commerce Clause

The dormant Commerce Clause circumscribes the boundaries of the CCPA’s broad material scope. The Commerce Clause is a constitutional provision that explicitly grants Congress the power to regulate commerce among the states.¹⁸¹ Article I, Section 8 affirmatively grants Congress the power to regulate interstate commerce.¹⁸² Although the Constitution does not explicitly prohibit the states from regulating interstate commerce,¹⁸³ the Supreme Court has inferred this doctrine from Congress’s affirmative power to regulate commerce amongst the states.¹⁸⁴ While the states are not wholly prohibited from regulating interstate commerce, if a regulation furthers protectionist policies, thus unduly burdening the flow of commerce amongst the states, that law will be struck down as unconstitutional.¹⁸⁵ The following Sections explore dormant Commerce Clause jurisprudence and break down the four traditional categories of dormant Commerce Clause violations.

A. Defining Commerce: Gibbons v. Ogden

Since 1824, when the Supreme Court decided Gibbons v. Ogden,¹⁸⁶ it has consistently read the Commerce Clause to mean that the states cannot regulate interstate commerce.¹⁸⁷ In Gibbons, New York gave Ogden an exclusive license to operate steamboats within New York-controlled waters.¹⁸⁸ The federal government extended Gibbons a similar license that allowed him to compete with Ogden directly, defeating the purpose of Ogden’s monopoly.¹⁸⁹ Ogden filed suit to protect his exclusive right to navigate his steamboats within New York waters.¹⁹⁰ The Court held that while states have the right to regulate commercial activity that occurs wholly within the state, only Congress can regulate commercial activity that occurs amongst the states.¹⁹¹ The Court defined commerce to include traffic, intercourse, navigation, and commodities associated with interstate commerce.¹⁹² This broad interpretation of commerce gave Congress enormous power, but it also significantly restricted the states’ regulatory ability.

B. Discriminatory Impact

Since its emergence in 1824, the dormant Commerce Clause has experienced different periods of favoritism.¹⁹³ The judge-made doctrine has four traditional categories: (1) discriminatory regulation, (2) unduly burdensome regulation, (3) regulation of conduct that is wholly extraterritorial, and (4) regulation that leads to a patchwork of conflicting laws amongst the states.¹⁹⁴ The dormant Commerce Clause’s primary prohibition is against protectionist behavior.¹⁹⁵ Prior to 1969, the only form of dormant Commerce Clause violations were statutes that enabled a state to discriminate against out-of-state actors.¹⁹⁶ This type of protectionist behavior impedes the flow of commerce and directly infringes on Congress’s explicit power to “regulate commerce . . . amongst the States.”¹⁹⁷ Further, economists theorize that when states take measures to protect their businesses from competition by restricting imports and exports, “overall economic welfare declines as the losses to in-state consumers and out-of-state producers exceed the gains to the protected in-state producers.”¹⁹⁸ Protectionist regulation promotes an unhealthy economy and runs afoul of the dormant Commerce Clause. Therefore, a court will essentially deem per se invalid any state regulation it finds to be clearly protectionist and discriminatory towards out-of-state actors.¹⁹⁹

The Supreme Court has also found that facially-neutral laws that have a discriminatory impact against out-of-state actors are unconstitutional.²⁰⁰ Regardless of whether the intent behind the challenged law was to discriminate against out-of-state actors, “[a] court may find that a state law constitutes ‘economic protectionism’ on proof either of discriminatory effect or of discriminatory purpose.”²⁰¹ This interpretation prevents states from drafting laws that facially appear to have a legitimate purpose but ultimately result in policies that are harmful to the flow of interstate commerce.

C. The Pike Balancing Test

When a state law is not discriminatory—either in its intent or in its impact—the law can still fail under the dormant Commerce Clause if it imposes an excessive burden on interstate commerce that is not outweighed by the putative benefits.²⁰² This inquiry is a fact-intensive analysis that turns on how a court measures the burdens imposed on interstate commerce compared with the benefits bestowed on the state’s residents.²⁰³ The balancing test emerged in Pike v. Bruce Church, Inc.²⁰⁴ where the Supreme Court evaluated an Arizona statute²⁰⁵ that required all cantaloupes grown in Arizona for the purpose of sale to “be packed in regular compact arrangement in closed standard containers approved by the supervisor.”²⁰⁶ Bruce Church shipped its unpackaged cantaloupes from its ranch in Parker, Arizona to its processing plant thirty-one miles away in Blythe, California.²⁰⁷ The Arizona supervisor tasked with enforcing the law commenced an action against Bruce Church, alleging failure to properly package the cantaloupes before shipping them out of state.²⁰⁸ Bruce Church rebutted by claiming that the Arizona law amounted to “an unlawful burden upon interstate commerce.”²⁰⁹ Despite the Arizona statute being non-discriminatory, the Court held that “[w]here the statute regulates evenhandedly to effectuate a legitimate local public interest, and its effects on interstate commerce are only incidental, it will be upheld unless the burden imposed on such commerce is clearly excessive in relation to the putative local benefits.”²¹⁰ This landmark decision gave rise to a new form of dormant Commerce Clause violation: an unduly burdensome regulation.²¹¹

D. Extraterritoriality

When state legislation regulates conduct that occurs outside the state, a court may strike down the law as a violation of the dormant Commerce Clause.²¹² In Edgar v. MITE Corp.,²¹³ the Court struck down the Illinois Business Takeover Act as unconstitutional.²¹⁴ The Act required a tender offeror to notify the Illinois Secretary of State and the offeree twenty days before the tender offeror’s offer became effective.²¹⁵ The Court held that the challenged Act violated the dormant Commerce Clause on two grounds: (1) by regulating extraterritorially and (2) by excessively burdening interstate commerce when compared with the “local interests the Act purport[ed] to further.”²¹⁶ The Illinois Act directly regulated interstate transactions by requiring out-of-state offerors to apprise the Secretary of State of any tendered offers.²¹⁷ The Court hypothesized that a transaction could take place where no Illinois resident would be affected, yet the parties to the transaction would be required to comply with the Illinois Act.²¹⁸ The dormant Commerce Clause precludes any “application of a state statute to commerce that takes place wholly outside of the State’s borders, whether or not the commerce has effects within the State.”²¹⁹ Therefore, the Court found that Illinois exceeded the limits of its authority and impermissibly—though indirectly—”assert[ed] extraterritorial jurisdiction over persons or property.”²²⁰ In evaluating whether a state exceeds the scope of its jurisdiction, courts must invalidate any law with a “sweeping extraterritorial effect” that may amount to one state projecting its regulatory interests onto another state, despite any local benefits.²²¹

Further addressing the extraterritoriality doctrine, in Healy v. Beer Institute,²²² a Connecticut statute required beer suppliers to assert that they did not charge Connecticut wholesalers higher prices than wholesalers in other states.²²³ The Supreme Court held that this law was unconstitutional, as it violated the extraterritoriality test of the dormant Commerce Clause.²²⁴ Writing for the majority, Justice Blackmun stated that any state law that amounted to “directly control[ling] commerce occurring wholly outside the boundaries of a State exceeds the inherent limits of the enacting State’s authority and is invalid regardless of whether the statute’s extraterritorial reach was intended by the legislature.”²²⁵ By requiring wholesalers to certify that they were charging Connecticut customers no more than non-Connecticut customers, the statute impermissibly regulated the price of beer in neighboring states.²²⁶

When conducting an extraterritoriality analysis, courts must weigh several different factors.²²⁷ A court should consider the overall impact of the law, the consequences that law has on interstate commerce, and how the law coexists with the other states’ regulatory schemes.²²⁸ Further, a court’s analysis must also explore the potential effects on interstate commerce should one, many, or all the states adopt similar (or conflicting) legislation.²²⁹

Courts have applied this extraterritoriality analysis in cases primarily related to price-affirmation and price-fixing. For example, in Brown-Forman Distillers Corp. v. New York State Liquor Authority,²³⁰ the Supreme Court struck down a New York law that regulated the price that liquor producers charged wholesalers in New York regardless of the location of the liquor producer.²³¹ The Court acknowledged that, while the New York law regulated “evenhandedly” and New York had a legitimate interest in “assur[ing] the lowest possible prices for its residents,”²³² the regulation amounted to New York “‘project[ing] its legislation into [other States] by regulating the price to be paid’ for liquor in those States.”²³³

However, the dormant Commerce Clause’s extraterritoriality doctrine is amorphous and vague.²³⁴ It is considered to be “unsettled[,] poorly understood,” and inconsistently applied.²³⁵ Over time, courts have limited the scope of the extraterritoriality prong of the dormant Commerce Clause.²³⁶ In Pharmaceutical Research & Manufacturers v. Walsh,²³⁷ the Supreme Court declined to extend its reasoning in Healy to strike down a Maine law that required drug manufacturers to participate in a rebate program for low-income patients or else be subject to “prior authorization” procedures.²³⁸ The petitioner claimed the Maine rebate program amounted to extraterritorial regulation of interstate commerce.²³⁹ The Court declined to strike down the Maine law on dormant Commerce Clause grounds, finding that the reasoning in Healy was not applicable.²⁴⁰ While the Maine regulation did prescribe the terms of transactions that took place outside of Maine, the Act did not regulate the price of drugs, nor did it tie the price of drugs sold in-state to out-of-state prices.²⁴¹ Conversely in Healy, the Connecticut statute amounted to Connecticut regulating the price of beer in other states.²⁴²

The Court’s extraterritoriality doctrine reemphasizes the understanding that a state’s regulatory power is limited by its borders.²⁴³ However, the Court has not struck down state regulations based solely on extraterritoriality grounds in decades.²⁴⁴ While some scholars argue that the extraterritoriality doctrine is “dead,”²⁴⁵ notwithstanding the aforementioned limits, there are three areas where the extraterritoriality doctrine is thought to survive: (1) in cases where a statute links prices between states;²⁴⁶ (2) in cases when one state seeks to project its own legislation into another state or where it is obvious the state’s statute is an attempt to control activities taking place in another state;²⁴⁷ and (3) “in certain cases dealing with early state regulation of the Internet.”²⁴⁸

States cannot be allowed to “force those other States to alter their own regulatory schemes” in order for that state’s scheme to prevail.²⁴⁹ If a state passes a statute that regulates conduct that occurs wholly outside the state, then the statute will likely be deemed unconstitutional.²⁵⁰ When considering whether to strike down a state regulation as unconstitutional, a court must weigh “the nature of the local interest involved, and [ ] whether it could be promoted as well with a lesser impact on interstate activities.”²⁵¹

The extraterritoriality doctrine is likely a supplement to a robust Pike analysis. In both Edgar and Healy, the Supreme Court staked its holdings on alternative grounds to justify finding a dormant Commerce Clause violation.²⁵² Ultimately, when evaluating the dormant Commerce Clause implications of a state’s internet regulation, courts base their reasoning on the statute’s extraterritorial implications, coupled with a vigorous Pike balancing analysis.²⁵³

E. Inconsistent Regulation

The final hurdle a state regulation must surpass is the so-called “inconsistent regulation” prong of the dormant Commerce Clause. Courts interpret the dormant Commerce Clause to prohibit state regulations that “adversely affect interstate commerce by subjecting activities to inconsistent regulations.”²⁵⁴ This is the least-developed category of dormant Commerce Clause jurisprudence.²⁵⁵

The “inconsistent regulation” component of the dormant Commerce Clause analysis does not automatically invalidate any state regulations that are different from one another. Rather, the inconsistent regulation doctrine prevents “nonuniform state regulations [that] might impose compliance costs that are so severe that they counsel against permitting the states to regulate a particular subject matter.”²⁵⁶ These inconsistent regulations are ones where several states have different requirements, thereby raising the costs of compliance for “multijurisdictional firms.”²⁵⁷

While the internet, like navigating interstate commerce, is an area where uniform legislation would be less costly than a patchwork of regulatory laws, this is not necessarily the approach regulators take. One example of regulations that have been found not to violate the dormant Commerce Clause is the co-existing data breach notification laws.²⁵⁸ Currently, all fifty states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted a data breach notification law.²⁵⁹ While each state has different requirements, it is possible—though perhaps expensive—for one company to understand the different compliance requirements, as none of the laws directly conflict.²⁶⁰ Data breach laws have not faced a dormant Commerce Clause challenge; regardless, these laws would likely survive because they provide consumers with valuable information about the safety of sensitive data, and compliance with all the laws is not so costly that it outweighs the benefits.²⁶¹ Like the extraterritoriality prong, the inconsistent regulation prong presents an interesting framework that ultimately is a “variant of [the Pike] balancing analysis.”²⁶²

F. A Dormant Commerce Clause for a Modern World?

In recent decades, dormant Commerce Clause challenges have not been concerned with protectionist statutes, but rather with obscenity and anti-spam regulations. This Section will explore the two leading cases on state internet regulation: American Libraries Ass’n v. Pataki²⁶³ and State v. Heckel.²⁶⁴ These two cases apply a dormant Commerce Clause analysis in the context of an obscenity statute and an anti-spam statute. Although the cases arrive at different outcomes, they provide key insight into the dormant Commerce Clause’s role in limiting the states’ authority to regulate the internet.

1. Obscenity regulations and the dormant Commerce Clause: American Library Ass’n v. Pataki

In Pataki, the Southern District of New York applied a dormant Commerce Clause analysis to a New York penal statute aimed at reducing children’s access to obscene material online.²⁶⁵ New York passed New York Penal Law section 235.21(3), which criminalized using a computer to circulate obscene or “indecent material” to minors.²⁶⁶ Artists, booksellers, and online content distributors were considerably outraged, claiming that this law amounted to impermissibly regulating interstate commerce.²⁶⁷ The Southern District of New York ultimately struck down the statute as unconstitutional.²⁶⁸ Judge Preska, writing for the majority, found that the statute violated the dormant Commerce Clause on three separate grounds.²⁶⁹

First, the court held that the obscenity law unconstitutionally projected New York law onto conduct occurring “wholly outside” the state.²⁷⁰ Taking into account both the internet’s disregard for geographical boundaries and the New York legislature’s intent for the law to govern interstate communications, the court reasoned it was impossible for the law to apply exclusively to intrastate activities.²⁷¹

Second, the court found that the extraterritorial nature of the law ran afoul of the dormant Commerce Clause, as New York “imposed its legislation on the Internet and, by doing so, projected its law into other states whose citizens use the [internet].”²⁷² Relying on the extraterritoriality prong of dormant Commerce Clause jurisprudence, the court found that the law stretched beyond New York’s boundaries to prosecute individuals who may be engaging in otherwise legal activity in their home state without any mechanism to prevent New York residents from accessing their websites.²⁷³ Further, the statute had a “chilling effect,” where those uncertain of the statute’s reach would “steer far wider of the unlawful zone.”²⁷⁴ The court highlighted that the “chilling effect . . . is bound to exceed the actual cases that are likely to be prosecuted.”²⁷⁵ The court claimed that this form of regulation constituted an impermissible overreach of power that undermined the authority of the other forty-nine states.²⁷⁶

The court also found that the New York statute was invalid under the Pike balancing test.²⁷⁷ While the New York statute had a “quintessentially legitimate state objective” of protecting children from exposure to pornography, there was little evidence that the statute would result in actual realized benefits.²⁷⁸ On the other end of the Pike scale, the court found that the law’s “chilling effect,” the possibility of New York extending its prosecutorial reach worldwide, and the costs imposed on website owners to comply with the law, outweighed any minimal benefits bestowed on New Yorkers.²⁷⁹ This “chilling effect” combined with an increase in New York’s prosecutorial power amounted to “an extreme burden on interstate commerce.”²⁸⁰

Finally, the court reasoned that the Act led to an environment where the internet would be filled with inconsistent regulations.²⁸¹ The court claimed that certain types of commerce were “susceptible to regulation only on a national level,” and it included the internet in this category.²⁸² The court’s decision in Pataki received widespread criticism that it had pushed the extraterritoriality doctrine beyond its limits and impermissibly halted states from regulating the internet.²⁸³ Despite this criticism, the Pataki court’s decision led other courts to strike down a variety of internet regulations that stretched beyond a state’s borders to regulate wholly out-of-state conduct.²⁸⁴ Jeff Kosseff, in his Article discussing the need for national cybersecurity legislation, posits that the reasoning in Pataki and subsequent cases prevent a state from regulating “the details of a company’s cybersecurity program merely because the company stores or processes the data of some customers who live in the state.”²⁸⁵

2. Anti-spam regulations and the dormant Commerce Clause: State v. Heckel

The second leading case in state regulation of the internet is State v. Heckel, where the defendants argued that an anti-spam statute in Washington regulated extraterritorially, exposed consumers to inconsistent regulation, and placed an undue burden on interstate commerce.²⁸⁶ However, unlike in Pataki, the Supreme Court of Washington was not convinced and held that any local benefits far outweighed the purported burdens on interstate commerce.²⁸⁷ In Heckel, an Oregon resident sent “between 100,000 and 1,000,000 [spam] messages per week” advertising a booklet entitled “How to Profit from the Internet” for $39.95.²⁸⁸ The Washington attorney general received several complaints about these spam emails, alleging that the emails “contained misleading subject lines and false transmission paths” in violation of the Washington statute.²⁸⁹ Heckel challenged the constitutionality of the Act under the dormant Commerce Clause.²⁹⁰

The Washington Supreme Court engaged in a robust analysis relying primarily on the Pike test.²⁹¹ The court found that the Act evenhandedly regulated against both in-state and out-of-state spammers alike.²⁹² Further, the Act promoted the “legitimate local purpose” of reducing the cost of deceptive spam for Washington residents.²⁹³ The court weighed that interest against the alleged burdens on interstate commerce:

To be weighed against the Act’s local benefits, the only burden the Act places on spammers is the requirement of truthfulness, a requirement that does not burden commerce at all but actually “facilitates it by eliminating fraud and deception.” Spammers must use an accurate, nonmisleading subject line, and they must not manipulate the transmission path to disguise the origin of their commercial messages. While spammers incur no costs in complying with the Act, they do incur costs for noncompliance, because they must take steps to introduce forged information into the header of their message. In finding the Act “unduly burdensome,” the trial court apparently focused not on what spammers must do to comply with the Act but on what they must do if they choose to use deceptive subject lines or to falsify elements in the transmission path.²⁹⁴

The court emphasized that the statute only impeded spammers who were engaging in purposefully deceptive behavior. Only then would the statute require out-of-state spammers to begin the costly process of sorting out Washington residents. However, the court reasoned that it cost very little to use “nonmisleading” subject lines.²⁹⁵ For actors nationwide (both in-state and out-of-state) wanting to solicit business via email without a deceptive intent, simply using an accurate subject line describing the contents of their email would not amount to an undue burden requiring the actors to avoid targeting Washington recipients.²⁹⁶ While the Washington Supreme Court ultimately held that the non-discriminatory statute did not violate the dormant Commerce Clause, it provided sound guidance for distinguishing unburdensome extraterritorial state internet regulation.²⁹⁷

III. Analysis

Although the newly enacted CCPA has not faced a dormant Commerce Clause challenge yet, it raises several constitutionality issues, such as the substantial burden it places on out-of-state businesses, particularly small businesses, its broad application to businesses with less-than-minimal contacts with California, and the potential for creating a patchwork of fifty conflicting and cumbersome data privacy laws.

This Part applies the Pike balancing test with a focus on the extraterritoriality doctrine and the inconsistent-regulation prong of the dormant Commerce Clause.

A. The CCPA Does Not Discriminate Against Out-of-State Actors

The dormant Commerce Clause primarily prohibits discriminatory behavior from one state against out-of-state actors.²⁹⁸ The first step of a dormant Commerce Clause analysis is to ask whether the state law facially discriminates or has a discriminatory impact against out-of-state actors.²⁹⁹ The CCPA does not have protectionist aims as it applies evenhandedly to both in-state and out-of-state actors. The law is particularly aimed at tech companies, which are plentiful in California—perhaps more so than any other state.³⁰⁰ A detailed analysis of the CCPA demonstrates that the CCPA has no discriminatory aims or effects.³⁰¹ While the CCPA would likely be upheld under the first prong of a dormant Commerce Clause analysis, a court will likely find that the CCPA impermissibly burdens interstate commerce.

B. The CCPA Fails the Pike Balancing Test by Imposing Significant and Excessive Burdens on Interstate Commerce that Are Not Outweighed by the Local Putative Benefits

At its core, the Pike test balances the challenged regulation’s local benefits against the incidental burden imposed on interstate commerce.³⁰² A clearly excessive burden will be deemed unconstitutional.³⁰³ A court will likely find a clearly excessive burden on interstate commerce when a statute does not support a legitimate local purpose or if the statute does support a legitimate local purpose but unduly burdens interstate commerce to accomplish that purpose.³⁰⁴ The Pike test is a fact-intensive analysis that focuses on the intent behind the contested regulation and the alleged burden imposed on interstate commerce.³⁰⁵

The CCPA fails the Pike balancing test by imposing significant and excessive burdens on interstate commerce that are not outweighed by the local putative benefits. The CCPA was originally enacted to create meaningful digital privacy protections for California residents and to fill Congress’s gap in federal digital privacy legislation.³⁰⁶ This is a perfectly legitimate local purpose.³⁰⁷ However, in its attempt to accomplish this goal, the CCPA imposes an immense burden on interstate commerce and “[e]ven with the fullest recognition that [the state interest] is an indisputably valid state goal . . . . [California] cannot avoid the second stage of the inquiry simply by invoking [a] legitimate state interest underlying the Act.”³⁰⁸

Despite its legitimate local purpose, the CCPA’s broad material scope and hefty compliance costs create an undue burden that is “clearly excessive in relation to the putative local benefits.”³⁰⁹ The CCPA applies to any business that “collects consumers’ personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California.”³¹⁰ To be subject to the CCPA, a business must meet one of three minimum statutory requirements.³¹¹

One conservative figure estimates that 500,000 U.S. companies will be forced to decide whether to comply with the CCPA or take steps to completely avoid the California marketplace.³¹² This latter “chilling effect” is reminiscent of the issue before the court in Pataki.³¹³ Like the New York Statute in Pataki, the CCPA “casts its net worldwide.”³¹⁴ While the CCPA does not impose criminal liability on noncompliant businesses, it does impose huge financial, administrative, and legal burdens on those businesses subject to the law—the vast majority of which have few means to surmount this burden.³¹⁵ Businesses subject to the CCPA are projected to spend a collective $55 billion in upfront compliance costs.³¹⁶ These huge costs will adversely affect small- and medium-sized businesses that do not have the same resources as larger companies to devote to CCPA compliance.

One might be tempted to argue that the CCPA will not impose significant costs on businesses because the GDPR was such a sweeping regulation that many companies can recycle their GDPR-compliant policies to adhere to the requirements of the CCPA.³¹⁷ This assumption is flawed in several respects. The GDPR and the CCPA are not perfect equivalents.³¹⁸ While they both provide for sweeping change with respect to data privacy rights, each has a unique set of requirements.³¹⁹ Further, many businesses that were not required to comply with the GDPR will now be required to comply with the CCPA.³²⁰ While many U.S.-based companies are GDPR-compliant, these are primarily large companies that have an EU presence or reasonably target their goods and/or services to EU customers.³²¹ These large companies will be able to repurpose their GDPR compliance strategies to fit the CCPA.³²² Further, these large companies are already equipped to “absorb [the CCPA’s] up-front compliance costs” due to the availability of in-house counsel, in-house IT personnel, and significantly larger budgets.³²³ Small businesses will bear the “undue burden” so that only a few Americans can have online privacy.³²⁴

This Comment discusses the rights the CCPA created for Californians.³²⁵ While these rights are significant when compared with the lack of privacy rights in the United States, the lack of significant enforcement provisions creates a question as to whether businesses will actually comply if they do not fall into the category of a “tech giant” like Microsoft, Facebook, or Amazon.³²⁶ The CCPA only creates a private right of action for data breaches;³²⁷ the Attorney General is tasked with enforcing the remaining portions of the CCPA.³²⁸ This private right of action enables a consumer to recover anywhere from $100–$750 or actual damages (whichever is greater) “per consumer per incident” for unintentional violations.³²⁹ Further, the Attorney General can level a civil fine up to $7,500 for willful violations for each violation.³³⁰ These penalties will severely impact smaller businesses but barely rise to a slap on the wrist for companies like Google and Amazon.³³¹ While the private right of action and statutory damages for data breach violations are a step in the right direction, the penalties will likely have little effect on the targeted companies.³³²

In addition to the CCPA lacking “teeth,” many of the CCPA’s new rights and compliance requirements are confusing and present complicated challenges in application.³³³ Open questions such as “when is a personal information category truly deidentified?”; “how can a business truly verify a consumer access request?”; and “when is a business actually required to comply with a consumer’s deletion request?” require significant resources for businesses to answer.³³⁴ The CCPA is not clear, and the California Attorney General does not provide particularly helpful insight into the regulations, which are as long and confusing as the CCPA itself.³³⁵

Much like the state regulators in the “transportation cases,”³³⁶ the Arizona regulators in Pike, and the New York regulators in Pataki, the CCPA’s local benefits of consumer privacy are honorable and legitimate.³³⁷ However, the California legislature failed to consider the second part of the dormant Commerce Clause inquiry: the local benefits must also outweigh the burdens imposed on commerce amongst the several states.³³⁸ The CCPA provides digital privacy rights only to Californians. While those rights go beyond any existing U.S. privacy law, the CCPA itself is complicated and confusing; many businesses will struggle to actually provide those rights to Californians. The CCPA’s putative benefits, while legitimate, fail to outweigh the immense burdens the CCPA imposes on interstate commerce.

C. The CCPA Regulates Conduct that Occurs Wholly Outside of the State

Under the Pike balancing test, the CCPA is likely to fail an extraterritoriality analysis. In addition to imposing undue burdens on interstate commerce, the CCPA regulates conduct that occurs entirely outside of California. The CCPA claims that it does not regulate conduct that exists wholly outside of California.³³⁹ However, in order to satisfy that threshold, the business cannot conduct sales in California, cannot collect data about a California resident (whether or not that resident is currently in California), and cannot sell information about any California resident.³⁴⁰ The vast majority of businesses do not categorize their data by resident location, and many businesses cannot guarantee they do not collect data from California residents.³⁴¹ Rather than risk an audit, many businesses are complying with the CCPA.³⁴² By enacting the CCPA, California impermissibly projects its sovereignty onto other states.³⁴³

The CCPA allows California to control “commerce occurring wholly outside the boundaries of [the] State[,] exceed[ing] the inherent limits of [California’s] authority.”³⁴⁴ In Healy, the Supreme Court held that state regulation that amounts to “directly control[ling] commerce occurring wholly outside the boundaries of a State exceeds the inherent limits of the enacting State’s authority and is invalid regardless of whether the statute’s extraterritorial reach was intended by the legislature.”³⁴⁵ The CCPA’s broad material scope is precisely the impermissible behavior described by Justice Blackmun in Healy.³⁴⁶ By requiring businesses nationwide to comply with the CCPA if they accept “a single dollar from a California resident,”³⁴⁷ California impermissibly enacted a national privacy law.

While the CCPA concerns a different subject matter, its broad reach into out-of-state business practices is analogous to the New York Statute’s broad reach in Pataki. In Pataki, the Southern District of New York reasoned that, taking into account both the internet’s insensitivities to geographical boundaries and the legislature’s intent for the law to govern interstate communications, it was impossible for the New York law to apply exclusively to intrastate activities.³⁴⁸ Similarly, the CCPA’s broad and complicated nature makes it impossible for the law to apply exclusively to intrastate activities. The CCPA is “insensitive to geographical distinctions,”³⁴⁹ as it protects California residents’ data in any state or country in which their data is processed.³⁵⁰ The California legislature intended for the CCPA to protect California residents’ data without relevance to the data’s origin or the collector’s location. Because California residents are often parties to transactions that take place outside of California, the CCPA cannot regulate solely intrastate activities.³⁵¹

Conversely, in Heckel, the Washington Supreme Court reasoned that because the only individuals (both in-state and out-of-state) who were going to face immense compliance costs were bad actors, the Washington law did not violate the dormant Commerce Clause.³⁵² Unlike in Heckel, those wishing to do business in California cannot simply rephrase a subject line to no longer risk violating the CCPA.³⁵³ The CCPA has intricate and nuanced requirements that require significantly more work than revising an email.³⁵⁴ The CCPA requires businesses to implement new data management strategies, provide new training to all employees, and overhaul existing technological systems.³⁵⁵ Both good and bad faith actors alike will be forced to undergo expensive financial and administrative changes to continue to do business that is tangentially connected to California.

D. The CCPA Will Likely Lead to Multiple Conflicting Comprehensive Data Privacy Laws

A multitude of complicated and conflicting data privacy laws is a matter of when, not if. Many states are actively considering a comprehensive privacy law.³⁵⁶ Some of these recently introduced bills are modeled after the CCPA, but many are not.³⁵⁷ In considering whether or not the CCPA will lead to many conflicting laws, a court must consider the full effect of the challenged law.³⁵⁸ Here, the CCPA has global consequences.³⁵⁹ The CCPA has already prompted a patchwork of conflicting comprehensive data privacy laws that will prove unworkable.³⁶⁰ These pending state bills provide a range of protections. Some provide for a “right to know” and a “right to access” but do not provide for a private right of action in the event of a data breach.³⁶¹ Others go beyond the CCPA and provide a general private right of action for any violation of the law.³⁶² Additionally, California passed ground-breaking legislation in seven days.³⁶³ While the current bills are not being pushed through the legislative process at the same speed, it is more than possible for another state to follow in California’s footsteps.

The lack of a comprehensive national privacy law, combined with the loud public cry for increased data protections, will lead the states to develop a patchwork of privacy laws that will prove to be unworkable and costly. This patchwork of pending “nonuniform state regulations [will] impose compliance costs that are so severe that they counsel against permitting the states to regulate [data privacy].”³⁶⁴ The Pataki court’s instincts about internet regulation were correct; the internet is among the categories of commerce that is “susceptible to regulation only on a national level.”³⁶⁵

IV. The United States Needs a National Privacy Law

The dormant Commerce Clause precludes the CCPA from setting national privacy law. However, it is time for the United States to establish national data privacy legislation. Congress must pass a comprehensive privacy law that gives all Americans legitimate data protections. The current U.S. privacy regulatory landscape “does not reflect the reality that the internet and connected services and devices have been integrated into every facet of our society.”³⁶⁶ Countries worldwide are beginning to pass legislation to protect the data rights of their citizens, yet the United States has fallen behind in this global movement.³⁶⁷ Historically, U.S. privacy law has failed to keep pace with rapidly advancing technology.³⁶⁸ Thus far, Congress has passed privacy laws that are industry-specific.³⁶⁹ General data practices are currently governed by the FTC, which prohibits businesses from engaging in deceptive practices.³⁷⁰ Therefore, the FTC can only bring an enforcement action if a business manages consumer data in a way that runs contrary to its own privacy policy, violates existing federal privacy laws, or seriously injures consumers.³⁷¹ Limited accountability of large companies that manage huge amounts of data can have serious consequences ranging from exposing sensitive data³⁷² to compromising U.S. democracy.³⁷³

This segmented approach to privacy is no longer sufficient to protect Americans’ privacy interests. Massive data breaches grace headlines on a fairly regular basis.³⁷⁴ Consumers need legitimate privacy protection in order to live in a digital world.³⁷⁵ The majority of Americans do not feel their data is safe and strongly favor more government regulation surrounding data use.³⁷⁶ To bolster consumer confidence, Congress must pass a national data privacy law.

Lawmakers are not oblivious to the fact that the United States is behind in developing a comprehensive data privacy law.³⁷⁷ Members of Congress have introduced several different bills that each take a different approach to providing Americans with the comprehensive data protections they crave.³⁷⁸ These bills have been introduced by both Democrats and Republicans, signaling to Americans that Congress—on both sides—is aware of the need for more data oversight. However, the various bills disagree on key factors, including a private right of action, carve-outs for small businesses, and federal and state preemption.³⁷⁹ Both political parties must work together to develop a bill that will assuage Americans’ digital privacy worries.

The United States is behind many countries in developing comprehensive data privacy legislation.³⁸⁰ This gap in regulation has fostered consumer digital privacy anxiety, allowed dangerous data breaches, and left the door open for confusing and conflicting state comprehensive data privacy laws that impose unnecessary costs onto businesses while providing a patchwork of data privacy rights to only a select few.³⁸¹ If Congress fails to develop a national privacy law, the patchwork quilt of state privacy regulations will only grow, and, ultimately, consumers will pay the price.³⁸²

Conclusion

The CCPA, while non-discriminatory both facially and as applied, goes beyond the scope of California’s regulatory authority and amounts to unlawful regulation of interstate commerce. The CCPA runs afoul of the dormant Commerce Clause by reaching too far beyond its territorial boundaries and regulating activity that occurs wholly outside California’s borders.³⁸³ It further violates the dormant Commerce Clause by burdening interstate commerce in exchange for putative benefits that fail to justify the onerous costs.³⁸⁴

The Supreme Court deems that a state action regulates interstate commerce when it: (1) facially or effectively discriminates against out-of-state actors;³⁸⁵ (2) fails the Pike balancing test;³⁸⁶ (3) regulates conduct that takes place extraterritorially;³⁸⁷ or (4) prompts inconsistent regulation across the nation.³⁸⁸ By projecting California’s sovereignty across state lines and unduly burdening interstate commerce, the CCPA meets the Court’s definition of an impermissible state action and therefore violates the dormant Commerce Clause’s implicit prohibition on state regulated interstate commerce.

The United States cannot allow one wealthy real-estate developer to singlehandedly shape the nation’s approach to regulating digital privacy—no matter how well-meaning his intentions.³⁸⁹ Alastair Mactaggart’s CCPA is a complicated and cumbersome law that impermissibly amounts to regulating data privacy on a national scale.³⁹⁰ The courts must strike down the CCPA as unconstitutional. However, lawmakers must heed the CCPA’s call for stronger privacy protections. Congressional gridlock and partisan polarization seem to spell doom for any hope of a national privacy law.³⁹¹ If Congress refuses to act, the states will continue to pass confusing, complicated, and conflicting privacy legislation that will ultimately do more harm than good to businesses and consumers alike.

Nice Thought, Poor Execution: Why the Dormant Commerce Clause Precludes California’s CCPA From Setting National Privacy Law

Share this post

Contact Us

Join Our Mailing List