Are California's New Data Privacy Controls Even Legal?

A new paper raises constitutional questions about expansive state-level regulations that reach beyond their borders.


Data privacy hardliners are pretty jazzed about the California Consumer Protection Act (CCPA), which is slated to take effect on the first of next year. While many outside of the Golden State may not have heard of this bold foray into computing regulation, activists hope that it will soon effectively control how much of the country is allowed to process data. If they can't have a European Union-level General Data Protection Regulation (GDPR), then at least this state law can kind of regulate through the back door without the pesky need to go through Congress.

Of course, any strong enough data controls imposed in California would inevitably affect everyone else in the US. Most technology companies are based there, and even those in other states would be fools to lock themselves out of California's population of almost 40 million.

And CCPA supporters know this. In fact, many of them see this as a feature.

The wealthy real estate mogul who bankrolled the campaign for a California data control law, Alastair Mactaggart, testified that "it is incredibly difficult to get any legislation through Congress," and even if Congress could get its act together and pass a data law, it should "not preempt state legislation" like the CCPA. That's easy to say if you drafted the state law that will rule over the rest of the country, but non-Californians who object to such controls will obviously feel differently.

Even California Attorney General Xavier Becerra, whose office will lead CCPA enforcement, frames his mandate in national terms, stating that "Americans should not have to give up their digital privacy to live and thrive in this digital age." That's Americans, not Californians. Hey guy, who died and made you data czar for the entire country?

But these efforts to push state regulation as a de facto federal standard for data privacy may be too clever by half. A gambit that attempts to set up a state law to trump a federal solution would yield immediate constitutional problems.

A new Federalist Society Regulatory Transparency Project paper by my colleague Jennifer Huddleston and TechFreedom's Ian Adams suggests that state data controls like the CCPA raise serious legal questions about potential free speech and dormant commerce clause violations.

There's this thing called "the Constitution…"

In the rush to get a GDPR-style regulatory framework in place in California, no one seemed to stop and ask whether what they were doing was actually legal. Indeed, many of the controls enshrined in the European law are fundamentally at odds with American principles of permissionless innovation and open interstate commerce. Huddleston and Adams point out that state laws like the CCPA may run into constitutional problems concerning speech and interstate trade.

Data is often speech. Laws that regulate speech are subject to a high level of legal scrutiny because of our First Amendment protections. States don't get to ignore the First Amendment just because they really don't like Facebook. If they try to regulate data-as-speech, the courts may promptly strike them down.

How might this look in terms of a state data law? One popular idea is to treat data usage differently depending on whether that data is "for sale" or not. Given the populist anger about data brokers and "monetizing our personal information," it makes sense that this would make its way into a bill. But this could be a constitutional no-no, since the courts have ruled that distinguishing between a "sale" and simple data processing could be a content-based control on speech.

Then there's interstate commerce. The whole point of the federal government is to fend off foreign baddies so that we can freely trade among each other in the states. State laws that discriminate against out-of-state actors or unfairly burden interstate trade obviously throw a monkey wrench into the operation, so an inferred constitutional doctrine called the "dormant commerce clause" puts a stop to states trying to regulate commerce beyond their borders. You know, like the CCPA precisely tries to do.

The internet is an inherently interstate, and indeed international, venture. Imposing rules that make it harder for out-of-state companies to transact with state consumers and businesses violates the dormant commerce clause and will likely be struck down. After all, the courts don't allow states to require trucks to change their mudflaps when they cross between borders. If something as simple as tire protection protectionism is deemed unkosher under the dormant commerce clause, something as fundamental to the national economy as internet commerce will surely warrant similar legal protection.

Huddleston and Adams also point out that it's not like the federal government does not have data privacy laws already. Legislation like the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Children's Online Privacy Protection Act (COPPA) already governs data practices relating to financial, health, and children's data. Where broad state laws come into conflict with existing specific federal data law, they may be trumped by the federal law, rendering them less comprehensive than they initially seemed.

You get the picture. Far from being a slam dunk for bringing GDPR-style privacy controls to the US, state laws like the CCPA may actually fail to pass constitutional muster. And it's probably all for the better, given the considerable appetite for such laws among the states.

Do we really need a more fragmented internet?

California may get all the attention, but it's far from the only state eager to wrest control over data usage. Maine and Nevada have already passed data regulation bills, and Massachusetts and New York are considering their own. Twenty-five states, ranging from Washington to Mississippi, considered data privacy legislation last legislative session. Other state leaders may soon follow, hoping to politically cash in amidst the year of the techlash.

It would be bad enough if California was one of the only states to roll out data controls, or if its data controls were the strongest in the nation, which would effectively become a national standard.

But consider a world where each of the 50 states has its own onerous and contradictory data control policies. Companies would need to build out different services depending on where a user is located. If the costs exceeded the benefits of complying with, say, tiny Rhode Island's hypothetical opt-in data framework, perhaps the Ocean State would just get cut off completely. Only the deep-pocketed Googles and Facebooks of the world would be able to operate in such a costly regulatory environment. You can kiss the days of an upstart David toppling the Goliaths from a dingy garage goodbye.

We've already seen this happen with the GDPR. The companies whose controversial data policies spurred the regulations in the first place found their market positions consolidated following the law's implementation. Many websites still appear dark for EU internet users. Meanwhile, it's hard to argue that anyone's "privacy" has been meaningfully enhanced.

We don't need to reproduce this digital balkanization in the States. If Huddleston and Adams are right, the inevitable court cases challenging the constitutionality of state data controls may soon enough prevent this. In the meantime, we can expect consumers and companies to suffer as they deal with the stifling effects of multiple contradictory data control jurisdictions.