Are California's New Data Privacy Controls Even Legal?

A new paper raises constitutional questions about expansive state-level regulations that reach beyond their borders.


Data privacy hardliners are pretty jazzed about the California Consumer Protection Act (CCPA), which is slated to take effect on the first of next year. While many outside of the Golden State may not have heard of this bold foray into computing regulation, activists hope that it will soon effectively control how much of the country is allowed to process data. If they can't have a European Union-level General Data Protection Regulation (GDPR), then at least this state law can kind of regulate through the back door without the pesky need to go through Congress.

Of course any strong enough data controls imposed in California would inevitably affect everyone else in the US. Most technology companies are based there, and even those in other states would be fools to lock themselves out of California's population of almost 40 million.

And CCPA supporters know this. In fact, many of them see this as a feature.

The wealthy real estate mogul who bankrolled the campaign for a California data control law, Alastair Mactaggart, testified that "it is incredibly difficult to get any legislation through Congress," and even if Congress could get its act together and pass a data law, it should "not preempt state legislation" like the CCPA. That's easy to say if you drafted the state law that will rule over the rest of the country, but non-Californians who object to such controls will obviously feel differently.

Even California Attorney General Xavier Becerra, whose office will lead CCPA enforcement, frames his mandate in national terms, stating that "Americans should not have to give up their digital privacy to live and thrive in this digital age." That's Americans, not Californians. Hey guy, who died and made you data czar for the entire country?

But these efforts to push state regulation as a de facto federal standard for data privacy may be too clever by half. A gambit that attempts to set up a state law to trump a federal solution would yield immediate constitutional problems.

A new Federalist Society Regulatory Transparency Project paper by my colleague Jennifer Huddleston and TechFreedom's Ian Adams suggests that state data controls like the CCPA raise serious legal questions about potential free speech and dormant commerce clause violations.

There's this thing called "the Constitution…"

In the rush to get a GDPR-style regulatory framework in place in California, no one seemed to stop and ask whether what they were doing was actually legal. Indeed, many of the controls enshrined in the European law are fundamentally at odds with American principles of permissionless innovation and open interstate commerce. Huddleston and Adams point out that state laws like the CCPA may run into constitutional problems concerning speech and interstate trade.

Data is often speech. Laws that regulate speech are subject to a high level of legal scrutiny because of our First Amendment protections. States don't get to ignore the First Amendment just because they really don't like Facebook. If they try to regulate data-as-speech, the courts may promptly strike them down.

How might this look in terms of a state data law? One popular idea is to treat data usage differently depending on whether that data is "for sale" or not. Given the populist anger about data brokers and "monetizing our personal information," it makes sense that this would make its way into a bill. But this could be a constitutional no-no, since the courts have ruled that distinguishing between a "sale" and simple data processing could be a content-based control on speech.

Then there's interstate commerce. The whole point of the federal government is to fend off foreign baddies so that we can freely trade among each other in the states. State laws that discriminate against out-of-state actors or unfairly burden interstate trade obviously throw a monkey wrench into the operation, so an inferred constitutional doctrine called the "dormant commerce clause" puts a stop to states trying to regulate commerce beyond their borders. You know, like the CCPA precisely tries to do.

The internet is an inherently interstate, and indeed international, venture. Imposing rules that make it harder for out-of-state companies to transact with state consumers and businesses violates the dormant commerce clause and will likely be struck down. After all, the courts don't allow states to require trucks to change their mudflaps when they cross between borders. If something as simple as tire protection protectionism is deemed unkosher under the dormant commerce clause, something as fundamental to the national economy as internet commerce will surely warrant similar legal protection.

Huddleston and Adams also point out that it's not like the federal government does not have data privacy laws already. Legislation like the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA) already govern data practices relating to financial, health, and children's data. Where broad state laws come into conflict with existing specific federal data law, they may be trumped by the federal law, rendering them less comprehensive than they initially seemed.

You get the picture. Far from being a slam dunk for bringing GDPR-style privacy controls to the US, state laws like the CCPA may actually fail to pass constitutional muster. And it's probably all for the better, given the considerable appetite for such laws among the states.

Do we really need a more fragmented internet?

California may get all the attention, but it's far from the only state eager to wrest control over data usage. Maine and Nevada have already passed data regulation bills, and Massachusetts and New York are considering their own. Twenty-five states, ranging from Washington to Mississippi, considered data privacy legislation last legislative session. Other state leaders may soon follow, hoping to politically cash in amidst the year of the techlash.

It would be bad enough if California was one of the only states to roll out data controls, or if its data controls were the strongest in the nation, which would effectively become a national standard.

But consider a world where each of the 50 states has its own onerous and contradictory data control policies. Companies would need to build out different services depending on where a user is located. If the costs exceeded the benefits of complying with, say, tiny Rhode Island's hypothetical opt-in data framework, perhaps the Ocean State would just get cut off completely. Only the deep-pocketed Googles and Facebooks of the world would be able to operate in such a costly regulatory environment. You can kiss the days of an upstart David toppling the Goliaths from a dingy garage goodbye.

We've already seen this happen with the GDPR. The companies whose controversial data policies spurred the regulations in the first place found their market positions consolidated following the law's implementation. Many websites still appear dark for EU internet users. Meanwhile, it's hard to argue that anyone's "privacy" has been meaningfully enhanced.

We don't need to reproduce this digital balkanization in the States. If Huddleston and Adams are right, the inevitable court cases challenging the constitutionality of state data controls may soon enough prevent this. In the meantime, we can expect consumers and companies to suffer as they deal with the stifling effects of multiple contradictory data control jurisdictions.



  1. So the dems would be more than happy to outlaw VPNs and mandate true identity use on line so that all providers could just block activity based on the true and accurate location of the users.
    That way providers can block CA from all the bad stuff while the rest of the country has freedoms.
    What could go wrong?
    “We’re from the government, and we’re here to help you”

    1. Why not just severely limit access to put anything online, and develop government-run 24-7 “broadcasting”? Put a gigantic screen in every home (with the capacity for video surveillance–to protect us, of course). What could go wrong?

  2. Commifornia clearly thinks they are setting standards for the entire USA via state law and that commerce is INTERSTATE.

    BAM, Taxifornia’s law is preempted by federal law. Especially since the federal government has all sorts of federal agencies already in place for interstate commerce regulation. See FCC, SEC, FDA, NTSB..

    1. Every time you post it’s very clear you don’t understand wtf you’re talking about.

    2. Poor wearingit troll.

      Its programmer would love someone to explain how things work.

      1. Data protection is always huge issue and everything should be handled with care just like us atts ladies we care about that on a daily basis

    3. Dormant Commerce Clause and federal preemption are different legal arguments.

      I would love to see the CCPA go down on a federal preemption charge but I think it’s unlikely (outside a few narrow contexts). For federal preemption to win, the federal statute usually has to explicitly say that it is preempting the state statutes. Without that explicit statement, courts generally interpret the federal requirements as a “floor” and allow states to set higher standards. That doesn’t help stop the balkanization problem described in the article.

      That means the dormant Commerce Clause is probably the stronger legal argument – and courts have not been consistent about applying that protection.

  3. The bright side of all these ridiculous California laws is that more and more tech companies will be headquartered or moving their HQ outside that state.

  4. I love that Reason, an ostensibly libertarian magazine, is decrying the fact that BUSINESSES will choose to use one state’s rules across their entire company in order to streamline their operation. Remind me again what libertarian is? Aren’t you supposed to be FOR states’ rights and the power of the free market? But oh no…businesses might choose to do what is best for their business counter to whatever other states’ citizens want…

    Amazing to have the flippant hypocrisy so on display.

    1. You really are a troll who doesn’t understand what “libertarian” means at all.

      Short version = No, libertarians are not “for states’ rights”. Libertarians are for individual people’s rights and against governments’ unconstrained powers whether at state, federal or local levels.

      That said, libertarians do generally view “states’ rights” as the lesser evil when compared to federal coercion. But that does not make all state legislation good or even automatically less-bad than federal legislation.

      And the free market has nothing whatsoever to do with state coercion.

    2. BUSINESSES will choose to use one state’s rules across their entire company in order to streamline their operation.

      Why do they need a state’s rules in order to streamline their operations?

    3. If a business chooses to do something, that’s their right. But being forced to do so by a state operator isn’t choice.

  5. “Only the deep pocketed Googles and Facebooks of the world would be able to operate in such a costly regulatory environment.”

    Or only smaller companies serving a specific market can effectively compete?
    Could it be that a wild patchwork of conflicting state laws is how you prevent “too big to fail”?

    1. Could it be that a wild patchwork of conflicting state laws is how you prevent “too big to fail”?

      Just the opposite. That’s how you get ‘too small to exist’ because it closes off markets to those who cannot comply with multiple layers of often conflicting laws.

  6. If the costs exceeded the benefits of complying with, say, tiny Rhode Island’s hypothetical opt-in data framework, perhaps the Ocean State would just get cut off completely.

    “If the costs exceeded the benefits of complying with, say, tiny Rhode Island’s hypothetical marijuana restrictions, perhaps the Ocean State would just get cut off completely.”

  7. “Are California’s New Data Privacy Controls Even Legal?”

    Silly question. Anything the king/People’s Liberation Front decides to do is legal.

  8. Who cares if it’s legal?
    As long as our wonderful ruling elites know everything we say and do is monitored, all will be well.
    Just look how monitoring people worked out in Hitler’s Germany and Stalin’s Soviet Union.
    You never saw any counter-revolutionaries there, now did you?

    1. Well, you never saw them twice – – – –

  9. LOL!!! Tech companies will be leaving the state in droves!!!

    1. That or go bankrupt.

  10. Forcing the rest of Police State, Corpocratic USA to obey some minor privacy/data rules imposed by CA (or anyone else) is just fine by me. And yeah, the State can regulate anyone who comes into its physical boundaries – no matter how they do it.

  11. California has always done its own thing over the Federal government. Car pollution regs…marijuana laws…etc. Don’t count this out yet.
