Could application of the U.S. Constitution’s interstate commerce clause — generally leaving nationwide business exchange to Congress to regulate — derail the California Consumer Privacy Act (CCPA)?
That’s the question posed in a legal review by a University of Chicago pre-law student, Zoe Kaiser. The review, completed this month, examines the issues, but doesn’t reach a firm conclusion.
She cites a legal doctrine called the “Dormant Commerce Clause,” which argues that the Constitution’s grant to Congress of the right to regulate interstate commerce precludes state action in that area. The doctrine is established, but its application has not been consistent, with one legal analyst calling it “a nuclear bomb of a legal theory.”
“Throughout the 19th and most of the 20th century, this clause has mainly served to ward off economic protectionism by the states and to secure a national common market,” Kaiser writes.
She analyzes whether the CCPA (1) places a burden on interstate commerce, (2) subjects businesses to an inconsistent patchwork of regulations, or (3) has effects on transactions taking place outside of California. She finds it would likely be evaluated by courts seeking to balance harm to interstate commerce against local benefit.
A key question Kaiser explores: if the CCPA is seen as creating excessive or inconsistent regulation (i.e., stricter on privacy than a future federal statute or regulation), could it be struck down on that basis alone as restrictive of interstate commerce?
Kaiser considers court cases that suggest state regulation of the internet will always impose an impermissibly high burden on interstate commerce, because states, unlike the internet, are bounded by physical geography. However, she suggests such precedents may be out of date because web users' locations can be distinguished by IP address, so regulation can be targeted to exchanges originating in a state.
One of her tentative conclusions is that because the Internet is global, an attempt to regulate it even by a state has inevitable global consequences. Since laws made in Europe — the GDPR — affect commerce in California or the United States already, the negative impact of any single state’s laws is liable to be overstated.
An argument in favor of the CCPA is that if it forces companies to improve their privacy policies in a way that impacts their operations globally, that is a net benefit, says Kaiser, not just to the public but to the companies themselves. She quotes a Feb. 2019 law-firm newsletter which concluded: “In fact, compliance will likely be a competitive advantage that you can present over your peers.”
“For companies that have already invested in complying with the GDPR, therefore, additional CCPA prep is not exceedingly onerous,” Kaiser writes. “Moreover, the ‘inconsistent regulation’ argument loses weight, considering that any company that has worked on compliance for one data-protection law is better placed to achieve compliance in others.”
Kaiser says a factor weighing in favor of the CCPA surviving a constitutional challenge is that its terms do not discriminate in favor of California business over out-of-state business, particularly so since California is home to many tech companies that do business in data sale.
Moreover, she argues, in considering the balance between harm to interstate commerce and the “putative local benefit” of regulation, privacy is an issue with greater perceived local benefit not just due to the proliferation of tech companies in California, but due to the fact that the California State Constitution grants an “inalienable” right to privacy. This suggests that California places a higher premium on this issue, since such wording does not appear in all state constitutions. The courts should honor the historic role of the states as “laboratories” for democracy and not intercede, she concludes.