Why the CCPA Should Be DOA.

Photo by Maarten van den Heuvel on Unsplash

America (not just California) is bracing for the first enforcement action under the California Consumer Privacy Act  (“CCPA”) on July 1, 2020 (at the latest).  The CCPA of 2018 went into effect on January 1, 2020 and affects businesses across the nation.  It was born as a stopgap measure to forestall a more stringent referendum initiative.[1]  It was passed after only a week of debate and resulted in legislation that falls short of constitutional muster under numerous constitutional challenge theories due to its drafting errors, overreaching, and lack of clarity.[2]  Despite seven (7) amendments passed by the California Legislature and a plethora of California Attorney General regulations adopted, [3] the CCPA is still unenforceable under the United States Constitution because it is designed to regulate the entire information superhighway.

The Tenth Amendment to the United States Constitution states that all powers not granted to the federal government are reserved for the states and the people.  A judge-created doctrine known as the Dormant Commerce Clause or the Negative Commerce Clauses restricts the states from passing laws that inhibit interstate commerce.  Interstate commerce is regulated by the federal government pursuant to the United State Constitution, Article I, Section 8, clause 3. 

This article will focus on using transportation case law decided under the dormant commerce clause as they apply to the CCPA.  “[T]he Internet is analogous to a highway or railroad. This determination means that the phrase “information superhighway” is more than a mere buzzword; it has legal significance…” Am. Libraries Ass’n v Pataki, 969 F Supp 160, 161 (SDNY 1997).  The CCPA regulates the entire information superhighway and seeks to control interstate commerce.   “The Constitution …. was framed upon the theory that the peoples of the several states must sink or swim together, and that in the long run prosperity and salvation are in union and not division.” Baldwin v. G.A.F. Seelig, 294 U.S. 511, 523 (1935). 

There are numerous articles describing the details of the CCPA and this article is not intended as a guide to the CCPA.  In general, the CCPA creates extensive new data privacy rights for California resident, but as always, the devil is in the details.  Californians’ new rights follow them outside the state on business or pleasure travel and the law also creates statutory damages for data breaches.  This will no doubt lead to extensive litigation once was the starting gun fires in July 2020. 

California is the world’s fifth largest economy and is home to approximately 40 million residents.[4]  The CCPA applies to in-state and out-of-state businesses that are in anyway connected to California residents and meet certain thresholds.  The most worrisome of these thresholds is that a mere 140 website visits from unique California residents a day, will trigger the application of the CCPA and ostensibly its penalties.  The CCPA has the potential to ensnare companies that depend on web commerce and to ensnare any company who does business with a company subject to the CCPA in the form of business client inquiries targeting the proper processing and handling of personal information by that company.[5] 

Clearly the CCPA’s extensive reach creates dormant commerce clause concerns.  Dormant commerce clause analysis starts by examining whether the primary purpose of the CCPA discriminates on its face against out-of-state actors.  If it discriminates it is invalid.  This CCPA is neutral on its face. 

Accordingly, the court then uses a four-part balancing inquiry to examine the law further, asking:  Does the statute regulate evenhandedly?  Does the statute effectuate a legitimate purpose?  Are the effects on interstate commerce incidental? Is the Burden created clearly in excess in relation to local putative benefits?  Pike v. Bruce Church, Inc., 397 U.S. 137 (1970).

“It is unnecessary to review in detail the evolution of the principles of Commerce Clause adjudication. The Clause is both a “prolific sourc[e] of national power and an equally prolific source of conflict with legislation of the state[s].” H. P. Hood & Sons, Inc. v. Du Mond, 336 U.S. 525, 534, 69 S.Ct. 657, 663, 93 L.Ed. 865 (1949). The Clause permits Congress to legislate when it perceives that the national welfare is not furthered by the independent actions of the States. It is now well established, also, that the Clause itself is “a limitation upon state power even without congressional implementation.” Hunt v. Washington Apple Advertising Comm’n, 432 U.S. 333, 350, 97 S.Ct. 2434, 2445, 53 L.Ed.2d 383 (1977). The Clause requires that some aspects of trade generally must remain free from interference by the States. When a State ventures excessively into the regulation of these aspects of commerce, it “trespasses upon national interests,” Great A & P Tea Co. v. Cottrell, 424 U.S. 366, 373, 96 S.Ct. 923, 928, 47 L.Ed.2d 55 (1976), and the courts will hold the state regulation invalid under the Clause alone.”

Even if a law passes the Pike balancing test, the court must take one final step and determine if the law concerns a subject matter that even in the absence of federal legislation “imperatively demand[s] a single uniform rule, operating equally on the commerce of the United States….”  Cooley v. Bd. of Wardens, 53 U.S. 299, 326 (1851) (Daniels, J., concurrence).  In the 19th and 20th centuries, the clause has mainly been used to prevent economic protectionism by states and to promote a consistent national common market. 

Kassel v Consol. Freightways Corp. of Delaware, 450 US 662, 669, 101 S Ct 1309, 1315, 67 L Ed 2d 580 (1981).

The Supreme Court “transportation cases” used the dormant commerce clause to strike down laws that limit the length of trucks (Kassel, supra; Raymond Motor Transportation, Inc. v. Rice, 434 U.S. 429 (1977)), but not a South Carolina law that regulated the weight of trucks (South Carolina State Highway Department v. Barnwell Bros., 303 U.S. 177, 180 (1938)), and struck down an Illinois law regulating the type of mud flaps used by trucks (Bibb v. Navajo Freight Lines, Inc., 359 U.S. 520, 526-27, 529-30 (1959)), along with the limitation on the number of railroad car allowed on trains (Southern Pacific Co. v. Arizona, 325 U.S. 761, 770-71 (1945) .  The difference in the rulings in every case was the sufficiency of the evidence demonstrating a safety issue. “Although courts afford great deference to state regulations in the field of highway safety as challengers must overcome a “strong presumption of validity,” the Supreme Court has established that maintaining a cohesive and unburdened national highway network is a substantial countervailing interest.”[6] 

“Those who would challenge such bona fide safety regulations must overcome a “strong presumption of validity.” Bibb v. Navajo Freight Lines, Inc., 359 U.S. 520, 524, 79 S.Ct. 962, 964, 3 L.Ed.2d 1003 (1959). …The extent of permissible state regulation is not always easy to measure. It may be said with confidence, however, that a State’s power to regulate commerce is never greater than in matters traditionally of local concern. Washington Apple Advertising Comm’n, supra, 432 U.S., at 350, 97 S.Ct. at 2445. For example, regulations that touch upon safety—especially highway safety—are those that “the Court has been most reluctant to invalidate.””

Kassel v Consol. Freightways Corp. of Delaware, 450 US 662, 670 (1981).

The California Legislature’s stated safety concern under the CCPA is that:

“The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”

There is no doubt that safety concerns are a driving force behind the CCPA legislation but when California Attorney General Xavier Becerra was asked to frame his mandate he stated that “Americans should not have to give up their digital privacy to live and thrive in this digital age (emphasis added).”[7] Attorney General Becerra said “Americans” not “Californians”.  California took it upon itself to regulate the information superhighway without consulting the rest of us. 

From the earliest days of transportation cases, a distinction was drawn between areas of law requiring local expertise and areas of law requiring a unified national policy.  In Cooley v. Bd. of Wardens, 53 U.S. 299 (1851), the Court was asked to decide whether port fees could be charged at the state level in absence of federal legislation.  The Court found that local ports needed local supervision and that even though it affected interstate commerce, it was constitutional.  The Court also noted that an 1789 Act passed by Congress granting states power in this field of law was evidence of historical local control of port fees. 

Unlike the situation in Cooley, supra, the information superhighway requires a unified national policy.  Local control is not only unnecessary but hampers national productivity and commerce.  Moreover, to further the analogy to Cooley, the CCPA is trying to control commerce in every port on the information superhighway.  But now there is no reason for local control of ports….each port is now the same.  Furthermore, there is no history of local control of the information superhighway and Congress did not delegate authority specifically to the states.  Congress simply failed to act.  That alone is not a sufficient reason to forestall application of the dormant commerce clause.

The CCPA is a trespass against national interests.  We all have a stake in privacy rights and one state cannot and should not control the application of privacy rights to an entire nation.  The dormant commerce clause was created exactly for this purpose.  The real question is whether the Court is ready to act in the absence of Federal legislation.  There are several introduced bills but none are gaining traction due to the current political environment and the 2020 election.  Only time will tell what will transpire but it does not seem unrealistic to expect a challenge to the law from an out of state business hampered with expenses due to the CCPA.

[1] New Online Privacy Legislation in California Could Head Off Proposed November Referendum, Marty Swant – https://www.adweek.com/digital/new-online-privacy-legislation-in-california-could-head-off-proposed-november-referendum/

[2] California Passes Landmark Consumer Privacy CCPA-What it Means for Businesses


[3] CCPA Update: California Governor Signs Seven Amendments to the CCPA

Alysa Hutnik-Alex Schneider-Katie Townley-Gonzalo Mon – https://www.adlawaccess.com/2019/10/articles/ccpa-update-california-governor-signs-six-amendments-to-the-ccpa/

[4] California now has the world’s 5th largest economy CBS News – https://www.cbsnews.com/news/california-now-has-the-worlds-5th-largest-economy/

[5] Prof. Eric Goldman, An Introduction to the California Consumer Privacy Act (CCPA)  (2018) https://iapp.org/media/pdf/resource_center/Intro_to_CCPA.pdf

[6] Keep on Truckin’, Uber: Using the Dormant Commerce Clause to Challenge Regulatory Roadblocks to TNCs, Boris Bindman https://scholarlycommons.law.wlu.edu/cgi/viewcontent.cgi?article=1023&context=wlulr-online

[7] Are California’s New Data Privacy Controls Even Legal? Andrea O’Sullivan – https://reason.com/2019/12/17/are-californias-new-data-privacy-controls-even-legal/.

Published by Julie D. Blake

Julie D. Blake, Counsel Ms. Blake joined Pastore & Dailey LLC in 2013. Prior to 2013, Ms. Blake worked at national and regional law firms and even operated her own rural law office for five years. Her twenty years of experience in business and commercial litigation paired with a new focus on pragmatic cybersecurity and privacy law services, is a unique combination of skills. Ms. Blake earned a B.A. in history at the University of Virginia in Charlottesville, Virginia and a J.D. from Suffolk University Law School in Boston, where she was a McLaughlin Appellate Advocacy Competition winner. She expects an LLM in 2021 from Drexel University School of Law in Cybersecurity and Privacy Law.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: