PERSONAL DATA VULNERABILITY: CONSTITUTIONAL ISSUES WITH THE CALIFORNIA CONSUMER PRIVACY ACT. Author: Alexandria J. Saquella Date: Wntr 2020 From: Jurimetrics Journal of Law, Science and Technology(Vol. 60, Issue 2) Publisher: American Bar Association Document Type: Article Length: 14,606 words Abstract: The Cambridge Analytica scandal as well as closely connected disinformation campaigns, which analyze social media users' personal data to implement targeted propaganda, showcase the growing problem of data collection and its vulnerability to misuse. As a result, the laissez-faire perspective on regulating the internet and data collection has fallen to the wayside as efforts to protect consumer data through regulation gain international traction. 
Leading in the charge to protect consumers' personal information is the European Union with its passage of the General Data Protection Regulation, which went into full force May 2018. Following suit, and central to this Comment, is California's recent passage of the California Consumer Privacy Act (CCPA). Generally, the CCPA provides California consumers the right to request that businesses disclose to the consumer what personal information is being collected or sold by the business. Subject to some limitations, consumers may also request the business refrain from selling their personal data or delete their personal information. The Act further establishes requirements for companies with respect to their management of private user data, and it provides civil penalties and a private right of action for certain violations and breaches. This Comment examines whether it is the job of individual state legislatures or Congress to enact legislation for the purpose of protecting consumer data. This Comment analyzes how the First Amendment, preemption, and the Dormant Commerce Clause come into conflict with the CCPA. The benefits and the drawbacks of empowering states to act as laboratories for democracy are also examined. This Comment articulates the view that one robust and comprehensive federal law should be enacted and have preemptive effect. The federal government can provide important data protection and privacy thresholds, and states should have the flexibility to provide additional enforcement mechanisms to meet their local needs. CITATION: Alexandria J. Saquella, Comment, Personal Data Vulnerability: Constitutional Issues with the California Consumer Privacy Act, 60 JURIMETRICS J. 215-45 (2020). Full Text: I. THE CALIFORNIA CONSUMER PRIVACY ACT: AN INTRODUCTION A. Current Events Impacting Consumer Privacy Until recently, the sharing of consumer data has been trending with U.S. citizens, while the control and protection of it has been an afterthought. 
Multiple instances of consumer data disclosure and marketing without the knowledge or consent of consumers have concerned policy makers internationally, nationally, and even at the state level. What is more surprising is the type of information gathered and sold, ranging from day-to-day product preferences to political leanings and even extremely personal information like whether an individual has a sexually transmittable disease. The discussion on data security and privacy came to a head during the Facebook-Cambridge Analytica scandal. In 2013, a Facebook application developer created a quiz on Facebook, which allowed him to harvest data from 87 million user profiles. (1) The developer disclosed this information to Cambridge Analytica, a political consulting firm, which used the personal information to influence voters in the United States through various disinformation advertisements and targeting techniques during the 2016 election. A more recent misuse of consumer information occurred when Grindr, a social network and dating application aimed at gay, bisexual, and transgender men, disclosed the personal sexual preferences of users as well as their H.I.V. status to third-party software companies. (2) Even more alarming than the type of information gathered are companies' deliberate attempts to conceal data breaches. On October 8, 2018, a Wall Street Journal article revealed that a software glitch led to the exposure of hundreds of thousands of Google users' private data collected through the Google+ social network. (3) The Journal claimed that an internal memorandum, prepared by Google's legal and policy staff and shared with senior executives, demonstrated Google's plan not to notify users of the breach. The intent was to avoid triggering "immediate regulatory interest" and comparisons to the Facebook-Cambridge Analytica scandal. 
(4) Though the United States has previously taken a self-regulated, libertarian approach when it comes to governance of the internet, the growing concern of data privacy and the need to hold companies accountable for unrestrained personal data disclosure has led California politicians to enact legislation controlling the way companies handle a consumer's personal information while also giving consumers rights to restrict the way their data is used. The legislation, known as the California Consumer Protection Act (CCPA), raises an interesting question regarding the role of states in enacting laws that will have a national (and even international) impact. Part I of this Comment provides a general background of personal data usage and protection, the current laws regarding personal data, and the CCPA. Part II discusses and analyzes a First Amendment challenge to the CCPA. Part III provides an overview of preemption law, examines the possibility of federal preemption of the CCPA, and analyzes whether the CCPA is federally preempted. Part IV provides an overview of the Dormant Commerce Clause, examines the regulation of the internet and online sales, and analyzes whether the CCPA violates the Dormant Commerce Clause. Part V discusses policy considerations in upholding the CCPA while Part VI discusses policy considerations demonstrating the need for preemptive federal legislation. Lastly, this Comment concludes with a call to action on the issue of data protection and privacy legislation. B. Personal Data Collection by the Private Sector Personal data is collected in the private sector for a variety of reasons. Data is knowledge about the consumer, which may provide companies with a competitive advantage. (5) For instance, access to contextualized personal data allows companies to better understand consumer demands and adjust their digital presence and services accordingly. 
(6) Consumer data allows companies to individualize the goods and services they provide to consumers while also using collected information to deliver targeted advertisements. (7) Recently, the collection of personal data has become an enormous business in which companies or data brokers that create detailed profiles of consumers stand to profit from selling these profiles to advertisers or other companies. (8) Though the seamless exchange of personal information may make many data-conscious individuals uneasy, data disclosure has many benefits. For instance, the use and disclosure of data is essential for effective law enforcement investigations, (9) employer background checks, and financial fraud prevention efforts. (10) Also, some companies store customers' personal information for verification purposes. (11) Today, banking institutions use voice recognition and fingerprint data to authorize a user to access their financial information while also protecting them from fraudulent attempts to steal their information. (12) Sharing data may even have a humanitarian benefit when private companies disclose personal data to other organizations, such as nongovernmental organizations (NGOs). A report developed in collaboration with Facebook stressed the public value associated with data collaboratives. (13) For example, the report references the 2015 floods in Malawi that left more than 230,000 displaced, and the Red Cross with the overwhelming task of allocating aid to places that were virtually unrecorded by the country's map. (14) To prevent this problem from happening in the future, as part of its "Missing Maps" project, Facebook shared population density data with the Red Cross to find and map people who were critically vulnerable to natural disasters and health emergencies. (15) C. The General Data Protection Regulation The General Data Protection Regulation (GDPR) is an E.U. regulation addressing data protection and privacy. 
(16) Its passage occurred in 2016, and it went into full effect May 25, 2018. While recent in its passage, the privacy principles observed in the GDPR are not new to the European framework. (17) Before the GDPR and during the internet's infancy in 1995, the European Union passed the European Data Protection Directive (EDPD) that set out the foundational rules for processing personal data. (18) As early as 2009, the European Commission began reevaluating the EDPD's effectiveness in protecting data in an increasingly globalized world. (19) In 2011, in an effort to harmonize data protection laws in Europe, the European Commission announced its plan to implement a regulation directly applicable to all E.U. member states. (20) After five years of countless discussions, studies, negotiations, proposed legislation, and amendments, the GDPR was adopted in 2016. (21) Dr. Andrea Jelinek, Chair of the European Data Protection Board, has stated that the European Union is familiar with data protection. (22) The GDPR is an evolution of the previous directive rather than a revolution. (23) The two basic principles behind the implementation of the GDPR were (1) the desire to give E.U. citizens more control over their personal data and (2) the desire to give businesses a clear and simple legal standard, which would operate uniformly across Europe. (24) The GDPR applies to all companies processing and holding the personal data of individuals residing in the European Union, regardless of the company's location. (25) It requires, among other things, that users give affirmative consent before a business may process their data. (26) Affirmative consent or a consumer's ability to "opt in" is a proactive approach that effectively prevents initial data collection. This is not to be confused with the "opt-out" approach, which allows the initial processing of an individual's data, potentially subjecting it to misuse, until a consumer says otherwise. 
(27) Users are given the right to move data from one business to another, to access and get a copy of their data held by a business, and to be forgotten (when a user's personal information is deleted). (28) Further, the regulation mandates that businesses be more transparent by only collecting and processing data for a well-defined purpose, clearly informing users about harmful data breaches, as well as transfers of personal data. (29) Lastly, the GDPR authorizes strict enforcement through the European Data Protection Board and allows the imposition of fines up to €20 million or four percent of a company's worldwide turnover, whichever is greater. (30) D. Legislation About Data Protection Among the United States Unlike Europe's global approach to personal data handling, the United States' state-based legislation is sectoral in that it covers personal data, but only in specific instances. (31) For example, there are various state laws covering consumer data in times of breach or disposal, but until recently--aside from the CCPA--there were virtually no state laws broadly covering consumer data and limiting a company's ability to collect, disclose, and sell that data. (32) The primary focus among states has been breach-related regulation as opposed to regulating data disposal or requiring companies to implement data use policies. Recently, all 50 states have enacted legislation requiring private or government entities to notify individuals of security breaches involving personally identifiable information. (33) In terms of data disposal, about 35 states have passed data disposal laws, which regulate the way entities destroy personal information. (34) At least 22 states have laws that require businesses collecting and maintaining personal information belonging to citizens of the applicable state to implement reasonable security policies and procedures to protect personal information from unauthorized access, use, and disclosure. 
(35) States have proven to be reluctant in giving up their power to enact and enforce laws dealing with security breach notification when it comes to personal data. In March 2018, a coalition of 32 attorneys general signed a letter voicing their concern over a federal House of Representatives discussion draft bill entitled the Data Acquisition and Technology Accountability and Security Act. (36) The attorneys claimed the bill would preempt all state breach and data security laws, including those that require companies to notify consumers of a breach. (37) In the letter, the AGs expressed that there is a place for both state and federal agencies to protect consumers' important personal information. (38) Still, states "have proven themselves to be active, agile, and experienced enforcers of their consumer's data security and privacy," while the federal government has less experience in the privacy arena. (39) The letter goes on to say that with the increased threat of data security risks, states are uniquely situated to rapidly and effectively respond to protect their consumers. (40) As of today, the discussion draft has not had much movement; however, the idea of a preemptive law on the breach notification side as well as the consumer protection side is looming. E. The CCPA In an attempt to take a more globalized approach to protecting consumer data, like the GDPR but unlike previous U.S. state-based legislation, the California Legislature passed the California Consumer Privacy Act (CCPA) on June 28, 2018. The original idea of a consumer privacy law in California stemmed from a statewide ballot initiative led by a California citizen named Alastair Mactaggart. (41) After having spent nearly $3.5 million to certify the initiative, Mactaggart made a deal with the California legislature to pass a substantially similar bill in exchange for his withdrawal of the initiative from the ballot. 
(42) As a result, the California Legislature quickly drafted the Act (AB 375) in a seven-day period. (43) Unlike the thoroughly deliberated GDPR, this hurried process led to a lengthy and complicated law in need of amendments. The Act is established under the California Constitution, which, unlike the United States Constitution, explicitly states that privacy is an inalienable right of all people. (44) The Act declares that fundamental to this right of privacy is the ability of individuals to control the use and sale of their personal information. (45) The basic principles of the Act are the right to knowledge of the information collected, disclosed, and sold; the right to say "no" to the sale of personal information; and the right not to be discriminated against for exercising the consumer's right provided in the Act. (46) To summarize, the Act applies to any company "doing business in California" that collects California consumers' personal information and meets one of three requirements: (1) has at least $25 million in annual revenues, (2) derives 50 percent or more of its revenues from selling consumer data, or (3) possesses the personal data of more than 50,000 "consumers, households, or devices." (47) Assuming that "doing business in California" applies to any business collecting California consumers' data, the International Association of Privacy Professionals (IAPP) conservatively estimated that the CCPA will apply to about 507,280 companies in the United States. (48) A vast majority of these companies will be small- to medium-sized enterprises. (49) The Act further seeks to protect consumers' "personal information." (50) Defined broadly, "personal information" is "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." 
(51) During a Federal Senate Committee hearing on consumer data privacy, Mactaggart explained that the purpose behind the broad definition was to capture every possible device gathering information while also ensuring that the definition stays relevant as technology continues to advance. (52) As can be seen, the Act regulates the way businesses handle their consumers' data while also granting consumers some rights to control when businesses can collect and sell their personal data. With regard to data collection, the Act requires a business, upon request of a consumer, to disclose categories and specific pieces of personal information that the business has collected about the consumer. (53) Additionally, at or before collection of a consumer's personal information, a business must inform consumers of the categories of personal information to be collected and the purposes for which the information is to be used. (54) The Act provides an erasure right to consumers, which allows them to request that a business delete any personal information collected about the consumer. (55) There are circumstances, however, in which a business may refuse deletion. Among other things, a business may refuse deletion to find, prevent, or prosecute security breaches; exercise free speech; or comply with another legal obligation. (56) Another, and probably the most concerning of these exceptions, is a business's ability to refuse deletion to "complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer...." (57) This catchall exception seems to swallow the entire right. For example, where a business and consumer continue a relationship, under this exception, the company may refuse deletion and retain the personal data. 
In terms of personal information, which is sold or disclosed for a commercial purpose, upon a consumer's request, a business must disclose to the consumer the categories of personal information collected about the consumer, sold about the consumer and the categories of third parties to whom the information was sold. (58) The Act further grants the consumer the right to opt out of these sales. (59) This right effectively allows Californians to tell companies to stop selling their personal information. Still, as mentioned above, the opt-out approach is more reactive than proactive when it comes to data privacy and protection because the personal data is nevertheless subjected to potential misuse until the consumer officially opts out. Further, in contrast with the GDPR, which applies an opt-in approach to any data processing, the CCPA only allows consumers to opt out from their data being sold. The Act also provides an antidiscrimination clause forbidding a business from discriminating against consumers who exercise their rights under the Act. (60) The legislation gives rule-making authority to the California Attorney General's office to adopt additional regulations to further the purpose of the Act. (61) It also gives the California Attorney General's office the right to enforce and place civil penalties (62) in addition to giving citizens a private right of action in case of a data breach. (63) In response to the quick legislation and to remedy some of the drafting errors, the legislature passed SB 1121 on August 31, 2018, which makes more technical than substantive changes. (64) Importantly, the bill includes exemptions for personal information used pursuant to federal laws like the Gramm-Leach-Bliley Act (GLBA), Driver's Privacy Protection Act (DPPA), and the Fair Credit Reporting Act. 
(65) The bill also creates an exemption for health care information collected by covered entities and providers governed by the Confidentiality of Medical Information Act established pursuant to the Health Insurance Portability and Availability Act (HIPAA). (66) In other words, personal data otherwise subject to federal law will not be subject to the CCPA. This clarification indicates the legislature's attempt to avoid federal preemptive effect. This intention is further demonstrated by the amendment's preemption clause explaining that the law will not apply in the event its application is preempted by, or is in conflict with, the United States Constitution. (67) Another substantive change in SB 1121 is a provision stating that the rights afforded to consumers and the obligations imposed on any business under the CCPA would not apply if it infringes on the noncommercial activities of a person or entity as described in the part of California's Constitution referring to free press. (68) Though this provision was likely designed to avoid a First Amendment challenge, there are still serious First Amendment implications especially when it comes to the CCPA's restrictions on dissemination of accurate and publicly available information. II. DOES THE CCPA VIOLATE THE FIRST AMENDMENT? A novel argument that may be raised by businesses wishing to avoid compliance with the CCPA is the burden the law places on companies' First Amendment rights. (69) The Act likely violates First Amendment principles by restricting a business's ability to disseminate accurate and publicly available information. Under the Act, a California resident's choice to opt out of sales blocks a business from selling personal information. Personal information is broadly defined; however, a recent amendment excluded "publicly available information" from the meaning of personal information. 
(70) Still, the Act's definition of "publicly available" is too narrow to exclude all public data where it only includes information that is lawfully made available from federal, state and local governments. (71) Besides government provided information, this gives individuals the ability to veto the inclusion of data, which is already available through the public domain, in databases, and publications that many businesses use and provide to their customers for important purposes. These purposes include conducting background checks or rating services that obtain information critical to business analysis. The First Amendment, which was incorporated through the Fourteenth Amendment to apply to states, prohibits laws that abridge freedom of speech. Content-based regulations that target speech based on its communicative content are "presumptively invalid." (72) Courts review such regulations with a strict scrutiny standard, which requires that a statute be narrowly tailored to promote a compelling government interest. (73) However, in Sorrell v. IMS Health the Supreme Court of the United States held that "the creation and dissemination of information is speech for first amendment purposes." (74) The Court found a Vermont law violated the First Amendment when it restricted the sale or disclosure of records of a doctor's prescription habits without the doctor's consent. (75) The Court further held the law was a content-based restriction of commercial speech where it prohibited disclosure for marketing but not for other purposes such as "educational communications." (76) Similarly, the CCPA applies a content-based limitation where it pertains to businesses selling a certain kind of data referred to as "personal information." It thus imposes a burden based on the content of the speech and the identity of the speaker. As seen in Sorrell, courts apply intermediate scrutiny to laws proposing a commercial transaction. 
(77) This level of scrutiny requires the law, which limits commercial speech, to directly advance a substantial government interest and is not more extensive than is necessary to serve the government interest. Because the Statute will capture both commercial and noncommercial communications, (78) the Act's limitations will likely be assessed under the strict scrutiny standard. California has attempted to meet the burden by identifying privacy as a compelling state interest. The legislature points to the California Constitution, which expressly makes privacy an "inalienable" right of all people. More specifically, legislative history indicates concerns arose from businesses' regular collection and disclosure of personal information obtained through consumers' online activities, which left individuals vulnerable to security breaches and other risks. (79) Additionally, the CCPA's declaration claims that the increase in consumers' personal data shared with businesses, businesses' collection of data without consumer knowledge, unauthorized disclosure of personal information, and the general loss of privacy make personal data more susceptible to misuse. (80) The Act outlines potentially devastating effects on individuals, including "financial fraud, identity theft... reputational damage, emotional stress, and even potential physical harm." (81) Though these justifications likely meet the compelling interest threshold, the Act goes far beyond what is necessary to meet this interest and is therefore not narrowly tailored. The CCPA declaration section specifically points to the Cambridge Analytica scandal as an example of the types of data breaches the state wished to avoid. (82) Yet, the law as it stands today would include a variety of small- to medium-sized businesses that are not, by any stretch of the imagination, data-mining firms or large technology companies like Facebook. 
This broad inclusion of all types of businesses indicates a lack of narrowly tailored regulations. Additionally, the state's interest, as demonstrated by the legislative history, is to protect California consumers. But the Act's definition of consumers is excessively broad because it includes all California residents, even those who are not engaging in business-consumer transactions or who are not U.S. citizens. The broad definition of consumers supersedes the stated justification to protect California consumers. The CCPA also fails to be narrowly tailored in that it restricts the sale of more than private information. The State's articulated interest in preventing financial fraud, identity theft, and loss of privacy is not advanced by restricting the distribution or sale of publicly available information. It is difficult to see how an individual becomes more susceptible to financial fraud or identity theft by the sale of information already found in the public domain. As noted earlier, where the CCPA only excludes federal, state, and local government records from the definition of personal information, data that has been widely disclosed through media sources is not included in the exception. Effectively, an individual's public posts on Facebook, Instagram, or TikTok, once ingested into a business's data stores, are still protected by the CCPA as personally identifiable information despite meeting the general definition of publicly available information in other laws. Additionally, most people understand that a substantial amount of information can be obtained about them with a simple Google search or through a public records database. If anything, it is in the best interest of the public to allow businesses to facilitate access to information already in the public domain. 
Under these restrictions, however, a private investigator collecting public information for a customer would be required to disclose his activities to the investigator's subject, who could then require him to stop selling the data. Given these points, there is a strong argument that CCPA's limitations on speech are not narrowly tailored to meet the government's compelling interest in privacy. As a result, the CCPA would fail to satisfy the strict scrutiny standard. III. IS THE CCPA PREEMPTED? As the law exists today, it is unlikely the CCPA will be preempted by any federal law. This is supported by the fact that there is no broad federal privacy law that expressly preempts states from passing legislation on the topic. Technically, the CCPA could be preempted by certain industry specific federal laws. However, the CCPA provides anti-preemption clauses excluding its application in case it conflicts with one of those federal statutes. An argument could be made that the existence of the Federal Trade Commission (FTC) demonstrates Congress's implied intention that only the federal government may legislate on consumer protection issues. However, the FTC's rulemaking inaction without an express federal statute granting its power diminishes this argument. Still, recent discussions and developments in Washington on federal consumer data protection law with preemptive effect indicate that the demise of the CCPA is not completely out of the question. A. Preemption Law By virtue of the Supremacy Clause of the Constitution, which holds that federal law is supreme to all other law, preemption is a legal doctrine that is applied when a state law comes into conflict with a federal law. (83) When such a conflict exists, courts are obliged to follow federal law as opposed to state law. (84) Preemption can be expressed or implied. 
(85) Expressed preemption is the clearest indication of Congress's intent, because the federal statute specifically declares that the federal law will supersede any state law contrary to it. (86) However, when an explicit expression by Congress does not exist, courts will evaluate whether the federal law impliedly preempts state law. (87) Implied preemption may apply in three instances: field preemption, conflict preemption, and obstacle preemption. (88) Field preemption of state law occurs when the scheme of federal law is so pervasive as to make reasonable the inference that Congress left no room for the states to supplement it. (89) The best example of field preemption is immigration. The Supreme Court found in Arizona v. United States that a state's statute imposing criminal penalties on noncitizens present or working in the state who have failed to register with the federal government was impliedly preempted because Congress had already enacted a full set of standards governing the registration of noncitizens. (90) The Court reasoned that Congress intended to occupy the field for regulation of such registration. (91) Conflict preemption occurs when there is a conflict between state law and federal law, making compliance with both sets of laws physically impossible. (92) On the other hand, where it is possible to comply with both state and federal regulations, a federal statute may not have preemptive effect. (93) For instance, in Florida Lime & Avocado Growers, Inc. v. Paul, a state passed regulations for avocados' oil content into law. (94) When a preexisting federal statute covered avocados but did not discuss the oil content, the Court found that the state law was not preempted. (95) The Court reasoned that because it was possible to comply with both state and federal regulations, the state law was not in conflict with the federal law. 
(96) Lastly, even if federal and state laws are mutually exclusive, state law will be preempted if it impedes the achievement of a federal objective. (97) This is obstacle preemption. As an example, in Crosby v. National Foreign Trade Council, the Court found that a Massachusetts' law, which prohibited the state from buying products or services from any person or company doing business with Burma, interfered with the congressional objectives and the executive branch's foreign affairs power granted to it by Congress. (98) The Court reasoned that through multiple federal acts, Congress authorized the U.S. President to impose or lift economic sanctions against Burma, and the state's law would impede Congress's federal objective to leave such powers to the U.S. President. (99) B. Federal Law on Consumer Data Privacy When it comes to legislation on general privacy and data protection, federal laws are far from comprehensive. Instead, Congress has legislated privacy and data protection on a sectoral basis. Specifically, in the health care sector Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to provide data privacy and security for medical information. Congress has also sought to protect data in the financial sector when it passed laws like the Gramm Leach Bliley Act and the Fair and Accurate Credit Transactions Act. An example of a sectoral federal law with broader reach is the Children's Online Privacy Protection Act (COPPA), which governs all online data collection of children aged 13 and younger. (100) A large majority of these federal privacy statutes include an express preemption clause, making clear Congress's intent to exercise its constitutionally delegated authority by setting aside the laws of the states. To that end, some of these federal preemption provisions also include exceptions leaving room for states to regulate on the federal topic under certain circumstances. 
For instance, a federal Privacy Rule promulgated under HIPAA allows states to pass laws that relate to the privacy of individually identifiable health information so long as the state's rule is more stringent than HIPAA standards. (101) On the other hand, some federal laws, like COPPA, have taken a stricter approach by completely preempting any state law inconsistent with federal regulation while still allowing the state attorneys general to enforce federal law through civil actions. (102) C. The Federal Trade Commission The Federal Trade Commission (FTC) was established in 1914 through the Federal Trade Commission Act (FTCA) signed by President Woodrow Wilson. (103) Its mission is the promotion of consumer protection and the elimination and prevention, through investigation and prosecution, of anticompetitive business practices. (104) Although the FTC's original role was to enforce key antitrust statutes like the Clayton Act and Sherman Antitrust Act, the FTC soon took on more responsibility. Today, the Commission enforces a variety of specific consumer protection statutes. (105) The FTCA empowers the FTC to prevent "unfair or deceptive acts" in or affecting commerce. (106) By way of this enabling clause, the Commission is authorized to enforce and pursue adjudications against individual respondents as well as participate in rulemaking. (107) In terms of preemptive effect, Congress can delegate to a federal agency the power to preempt state requirements when Congress adopts enabling legislation. (108) The FTCA provides preemptive language in regards to state enforcement. (109) In summary, a state attorney general is allowed to pursue a civil action under the FTCA so long as the Commission has not already instituted an action. (110) Congress has passed additional laws preempting states from legislating on an issue while specifically directing the FTC to enforce and enact additional rules in the relevant field. 
(111) Since 2000, the FTC has promulgated numerous rules covering specific areas as directed by Congress including the Health Breach Notification Rule, (112) the COPPA rule, (113) and the Disposal Rule (114) under the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The United States Supreme Court impliedly upheld this rulemaking power in National Petroleum Refiners Assoc. v. FTC. (115) D. What Does CCPA Say About Preemption? Senate Bill 1121, which was signed into law on September 23, 2018 to amend the CCPA, included mostly procedural changes, but it also included some substantive changes such as the addition of anti-preemption language and further specification of existing federal law exemptions under the CCPA. (116) The supplemented anti-preemption clause states, "[t]his title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the California Constitution." (117) The amendment went a step further by asserting that CCPA does not apply to personal information collected, processed, sold, or disclosed pursuant to numerous federal laws, such as the Gramm-Leach-Bliley Act (GLBA) and the Driver's Privacy Protection Act (DPPA). (118) It also exempts HIPAA-covered entities and healthcare providers "to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information." (119) This proves California legislators' effort to safeguard and avoid preemption of existing privacy laws. E. Recent Federal Law Developments On two separate occasions, the U.S. Senate Committee on Commerce, Science, and Transportation (Committee) has met to discuss implementing comprehensive federal legislation on privacy and consumer data protection. The first Committee meeting occurred on September 26, 2018, in which stakeholders and privacy executives from AT&T, Amazon, Google, Twitter, Apple, and Charter Communications were present. 
(120) There was a consensus among the companies that a comprehensive federal law was needed to protect all U.S. consumers. (121) A majority of these companies demonstrated the preference that the prospective federal law have a preemptive effect to avoid a patchwork of different privacy state laws, which they contended would confuse consumers and make it more difficult for companies to comply (especially small- to medium-sized businesses). (122) The companies also agreed the FTC or a comparable agency should oversee and enforce the federal law; however, most executives were hesitant to support giving the FTC rulemaking authority under the comprehensive law. (123) During the meeting, privacy executives also voiced their concerns about the CCPA. (124) On October 10, 2018, the Committee met with privacy and data protection scholars. (125) At the beginning of the meeting, Senator Markey set the tone by stating the goal for drafting comprehensive federal data protection legislation "is to give Americans meaningful control over their personal information while maintaining a thriving competitive data ecosystem in which innovators and entrepreneurs can continue to develop and flourish." (126) All the privacy scholars were in consensus that a strong comprehensive federal law was needed to govern consumer data privacy. Different from the September meeting, though, was the idea that a federal law should not preempt states' attempts to pass similar legislation. Specifically, Mactaggart requested that the federal law not have preemptive effect over the securities and protection provided under the CCPA. Along those same lines, Laura Moy, Executive Director at the Georgetown Law Center on Privacy & Technology, argued that in a data-driven economy a federal law should create a floor rather than a ceiling, which would enable states the opportunity to provide greater protections to consumers within their state. 
Another difference in opinion from the privacy executives in the September Committee hearing was the view that the FTC should have robust power, including rulemaking authority. Further, there was also a plea to give state attorneys general legislative rights under any similar, non-preempted, state law passed. The guests reasoned that giving broad power to the FTC and state AGs would ensure the law stays relevant as technology progresses. F. Analysis of Preemption Currently, federal law does not expressly preempt the CCPA, nor is there any comprehensive federal statute dealing with data protection for consumers while placing restrictions on businesses. Without such a law there is no express preemptive language or proof of congressional intent to prevent California from passing legislation providing further privacy to Californians as it is empowered to do under the California Constitution. Congress has only legislated on specific situations of data privacy and protection, like children's online privacy, health care information protection, and drivers' privacy. Though these specific laws provide expressed preemption clauses, they are likely too narrow to come into conflict with the CCPA. (127) Even if there were a conflict, the CCPA has taken steps to avoid preemption through its inclusion of an anti-preemption provision. This clause conditions that in the case of a conflict, the CCPA will not apply. Further, the CCPA states that it will not apply to personal information or businesses that are governed by specified federal laws. Though federal and possibly preemptive legislation may be in the works, unless Congress were to call a special session, it is improbable that a comprehensive data protection law will be passed any time soon. (128) It is also unlikely that federal law impliedly preempts the CCPA through the doctrine of field preemption. 
The sectoral nature of federal privacy and data protection laws tends to indicate Congress's intent not to occupy the data protection and privacy field. Unlike Arizona v. United States, where the Court found Congress occupied the field regarding the immigration registration process, Congress has not enacted a full set of standards governing consumer data privacy indicating occupancy. It is also doubtful that federal law impliedly preempts the CCPA through the doctrine of conflict preemption. Although the subject matter of the CCPA may be related to other federal data privacy laws, there are two anticipated outcomes, which ensure preemption will not be implied. Either (1) it is physically possible to comply with the CCPA and related federal acts or (2) it is impossible to comply with both, but there is appropriate exemption language in the CCPA to avoid the conflict. COPPA, for instance, requires that companies inform parents about whether the company discloses or sells a child's information to third parties and then obtain the opt-in consent of a parent or guardian. Unlike the CCPA, COPPA only applies to information collected from children under the age of 13. However, businesses will be able to comply with both COPPA and CCPA because the CCPA contains similar language also requiring the opt-in consent of a parent or guardian for the business to sell a 13-year-old's personal information. Like the Florida Lime case, where the state enacted oil-based standards for avocados when there was already a federal law regulating avocados, it is not impossible to comply with two similar but consistent federal and state regulations. The Driver's Privacy Protection Act (DPPA) and the Gramm-Leach-Bliley Act (GLBA) are examples of federal statutes that would likely conflict with the CCPA, because, like the CCPA, they both regulate the use and disclosure of personal information in different ways and for different reasons (personal information regarding drivers and financials). 
Yet, as already stated above, the CCPA enumerates the above federal acts and explicitly states that personal information regulated by those laws is exempt from the CCPA regulations. Lastly, it is unlikely that federal law will impliedly preempt the CCPA under the obstacle preemption doctrine; however, a reasonable argument can be made regarding the FTC and Congress's objective to leave certain consumer data protection enforcement powers to that Agency. On the one hand, from a textual perspective, the FTCA gives the FTC general authority to prescribe, "interpretive rules... with respect to unfair or deceptive acts or practices in or affecting commerce... and [] rules, which define with specificity acts or practices which are unfair or deceptive acts or practices in or affecting commerce." (129) The FTC's significant role in consumer protection and its broad authority under the FTCA could indicate Congress's objective to empower the FTC, not the individual states, to enforce and make rules on issues of consumer data protection and privacy. Like Crosby v. National Foreign Trade Council, where the court found a state law prohibiting trade with Burma impeded a federal objective empowering the President to develop a comprehensive and cohesive strategy toward human-rights circumstances in Burma, the CCPA impedes Congress's grant of power to the FTC to appropriately regulate and enforce consumer protection among all the states. On the other hand, the FTC is an enforcement body only given authority in cases of unfair and deceptive practices. The CCPA does not inhibit FTC enforcement but instead provides additional privacy rights to California consumers where the federal government has not. Additionally, the FTCA's preemption clause only discusses the conflict of a state's enforcement power as opposed to a state's regulation on the topic. 
This clause may indicate Congress's intent to allow states to continue regulating privacy issues even where the FTC promulgates similar rules under the FTCA. (130) Some commentators have reasoned that "Congress has chosen not to invalidate state laws in advance of substantive administrative rulemaking, possibly recognizing that a rational balancing of state and federal interests on a given issue can take place only after the federal agency has promulgated its rules on the issue." (131) Though there are FTC rules related to data protection, many of them result from a sectoral federal statute directing the FTC to promulgate rules in a specific area. Generally, no FTC rule broadly addresses privacy and data protection. It follows that a state's regulation of privacy does not obstruct the FTC's ability to enforce the FTCA and other federal sectoral laws. Also, it is unlikely that the mere existence of the FTC is enough to preempt a state law dealing with data protection. Moreover, states have passed a variety of laws dealing with data security, breach, and disposal, none of which have been preempted by the FTC rules. Furthermore, unlike Crosby v. National Foreign Trade Council, a grant of power to an agency like the FTC from Congress has more strings attached than a grant of power to the President. Indeed, when an agency issues a final rule, it must be sent to Congress and the Government Accountability Office for review before it can take effect. (132) Not to mention, if the House and Senate pass a resolution of disapproval and the President signs it, the rule becomes void. (133) The President's powers, conversely, are more difficult to override, especially those enumerated in the Constitution. 
Generally speaking, the CCPA is not impliedly preempted through the doctrine of obstacle preemption because the FTC's authority to develop rules regarding consumer protection is restrained by congressional direction, and currently established rules have only regulated specific areas of consumer protection and privacy. Though the FTC generally occupies the federal privacy and data protection space, it is unlikely that any current FTC rule will preempt the CCPA. This theory is further supported by a multitude of state laws related to data protection that have not been struck down due to preemption. IV. DOES THE CCPA VIOLATE THE DORMANT COMMERCE CLAUSE? The CCPA likely violates the Dormant Commerce Clause. This is supported by Supreme Court precedent discussing the Dormant Commerce Clause and other federal courts' treatment of state internet legislation. Importantly, the CCPA meets all the criteria for a Commerce Clause violation: the act concerns interstate commerce, it regulates conduct outside California's borders, the act's burdens outweigh the public benefit, and it subjects the commerce (data and personal information) to potential inconsistent regulations. A. Dormant Commerce Clause Law The Commerce Clause of the United States Constitution is an affirmative grant of power to Congress stating, "Congress shall have Power... To regulate Commerce... among the several States...." (134) The term dormant was first used in connection with the Commerce Clause in the seminal case Gibbons v. Ogden. (135) Justice Johnson's concurring opinion in Gibbons recognized that the Commerce Clause had a negative or "dormant" aspect. (136) Along those lines, subsequent cases construed the Commerce Clause as granting Congress an affirmative right to regulate interstate commerce, and inversely restricting individual states from doing so even when Congress has not passed a law, or in other words, lies dormant. 
(137) Specifically, courts have found that the Commerce Clause restricts individual states' interference with the flow of interstate commerce in two ways: (1) the Clause prohibits discrimination aimed directly at interstate commerce, and (2) the Clause bars state regulations that, although facially nondiscriminatory, unjustifiably burden interstate commerce. (138) Further, courts have long held that state regulation of certain types of commerce, which by their unique nature demand cohesive national treatment, is offensive to the Commerce Clause. (139) In deciding whether a state statute violates the Dormant Commerce Clause, courts will weigh the burden of out-of-state impacts against the state's interest in protecting its citizens. (140) B. Regulation of the Internet and Online Sales In 1997, American Library Association v. Pataki was a landmark case, which found that states could not regulate the flow of information over the internet. (141) Instead, this type of regulation must be left to Congress. The New York statute struck down by the District Court made it illegal to distribute material harmful to minors over the internet. The Court explained that material, including communication, on the internet is interstate commerce, which can only be regulated by Congress under the Commerce Clause. Courts have continued to follow American Library's lead, yet some courts have chosen to uphold state statutes that regulate internet communications to discourage fraud or deception. (142) When it comes to state breach notification laws and laws requiring companies to obtain a general policy for collecting consumers' personal information, courts have refrained from striking down state laws. (143) One of the main concerns with state regulation of personal data collection, like the internet, is the potential for stifling innovation. 
Specifically, such state regulations may force companies to expend immense resources to comply with a patchwork of state laws and create confusion among consumers about their rights. (144) Additionally, the Dormant Commerce Clause has been liberalized by cases like South Dakota v. Wayfair. In a 5-4 decision, the court found that individual states can require businesses, without a physical presence in the state, to pay sales taxes on transactions occurring within that state. (145) The court found this did not offend the Dormant Commerce Clause where the law was not retroactive, it applied only to businesses with a large amount of transactions within the state, and South Dakota was among many other states that passed similarly situated laws. (146) Thus, the court concluded the law did not create an undue burden for businesses. (147) Consequently, there is a fair argument that the Supreme Court may take a similar approach to state consumer data and privacy regulation. C. Analysis of the Dormant Commerce Clause 1. Does the CCPA Concern Interstate Commerce? Yes. Data collection, disclosure, and sales regulated by the CCPA are interstate transactions. Much of the personal data disclosed and sold occurs across state lines. Though the CCPA regulates data collected and disclosed on and off the internet, today, most data collection processes and sales occur electronically. Electronically stored information can cross state lines with ease as purchases or disclosures of data occur. These interstate transactions are also dealing with commerce. Data and personal information collected are "goods" for trade, just as apples being carried by train are goods moving from one state to another. The only difference is the method of transport. In this case, the internet is the conduit rather than a train. 
Even if the transaction is simply disclosure without a sale or commercial concern, courts have held that the Dormant Commerce Clause applies to activities undertaken without a profit motive. (148) The Court has further emphasized that it is immaterial whether the transportation is commercial in character. (149) 2. Does the CCPA Overreach by Enacting a Law That Seeks to Regulate Conduct Occurring Outside Its Borders? Yes. CCPA will force any out-of-state business that has California consumers to comply with California restrictions. Even though the Act is only meant to protect Californians' data, the Act does not limit itself to California-based companies. In fact, all companies located in or outside California will be forced to comply with California's law if they have or plan to receive California consumers' personal information and meet other relevant requirements. This sort of state regulation is distinguishable from California's special regulatory power under the Clean Air Act, otherwise known as "iterative federalism." (150) There, a federal statute empowered the EPA to regulate air pollution from motor vehicles but carved out an exemption allowing California to apply its regulations. (151) While other states are not permitted to set their own standards, they may opt to follow California's motor vehicle emissions regulations instead of those implemented by the EPA. (152) Here, and in the case of privacy-related legislation, California has not been granted special authority through a federal statute. Furthermore, states will be forced to comply under the CCPA, while in the Clean Air Act example states can choose to follow either the California or federal emissions standard. The CCPA also regulates the sale or the disclosure of data belonging to a California consumer even if the transaction occurs predominantly outside the state. The California Legislature sought to eliminate this problem in S.B. 
1121 where it excluded commercial conduct that takes place "wholly outside of California." (153) The law states, "commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold." (154) However, many out-of-state companies will still be implicated under this narrow definition of "wholly outside of California." (155) As an example, assuming a California consumer's personal data is collected while he/she is in California, a Florida company could be subject to the CCPA if it discloses that consumer's data to a company headquartered in New York. Though the information belongs to a California consumer, the sale or disclosure occurs in either Florida or New York, not California. With this in mind, the CCPA will likely control such interstate commerce. 3. Do the Burdens Resulting from the CCPA Exceed Any Local Benefit? Yes. In determining whether burdens resulting from the CCPA outweigh California's benefit, the Supreme Court has set out a balancing test applicable to indirect regulations of interstate commerce in Pike v. Bruce Church. (156) Pike requires a two-step inquiry: (1) whether the state law furthers a legitimate state interest and (2) whether the burden imposed on interstate commerce is excessive in relation to the local benefit. (157) In American Library Association v. Pataki, the district court evaluated New York's compelling interest in the protection of children against pedophilia. The court found this was indisputably a valid state goal; however, the finding of a legitimate local concern will not end the analysis. (158) Similarly, the concern for California citizens' privacy and data protection, especially after recent data breaches and inadvertent disclosures, is a legitimate state interest. 
Still, we must balance the Act's benefits against its burdens on interstate commerce. The CCPA gives California consumers multiple rights when it comes to their personal information. Importantly, the Act gives consumers the right to know all the data collected about them by a business, and they have the right to say no to the sale of their information. California consumers also have a private right of action to sue companies who possess their data when that data is stolen or disclosed because of an unauthorized breach. The Act further enables the California Attorney General to enforce the Act through civil action and penalties. On the other hand, the burden on interstate commerce is excessive. California is a huge marketplace for companies, and the reliance on California consumers by out-of-state companies is significant. (159) Here, the Act burdens not only the companies within California, but it is projected to impact companies across the United States that possess data belonging to California consumers. Assuming an out-of-state company meets the requirements set out by the Act, (160) the company will be forced to comply or will be subject to suit by California consumers (in the case of a data breach) or civil action on behalf of the California Attorney General for any violation of the Act. The CCPA's broad definition of personal information makes it more difficult for companies to determine which consumers are residents of California where the CCPA must be applied. (161) As a result, states may be forced to apply CCPA rules to all their consumers if deciphering California consumers' data from other consumers' is too burdensome. Proponents of the CCPA may argue that compliance should not be difficult where large companies are already complying with the more stringent GDPR. However, the CCPA does not just affect large companies. The Act will likely impact many small- to medium-sized companies that collect data. 
For example, online commercial services, where consumers from California share their name, address, email, and credit card information to purchase items, will have to comply regardless of their revenues, so long as they have obtained data from 50,000 plus California residents. Although companies like Amazon or Facebook can absorb the costs to comply, start-ups or smaller online retail companies may lack sufficient resources. Unlike previous data related state laws, like breach notification and general policy requirements for data collection where burdens were minimal, (162) the CCPA's burden on interstate commerce will likely outweigh any benefit to California consumers. 4. Does the Act Unconstitutionally Subject Interstate Personal Data Use, Disclosure, and Sale to Inconsistent Regulations? Yes. The Supreme Court has held there are certain types of commerce that demand uniform treatment. In these situations, state regulation is prohibited, and a comprehensive federal law is encouraged. Specifically, the Supreme Court addressed the constitutionality of an Arizona statute, which limited the length of trains within the state to a certain amount of freight cars. (163) This law effectively burdened interstate commerce because it forced trains to separate freight cars before entering Arizona and then reassemble the cars upon departure from Arizona. (164) Where other state laws did not regulate the length of trains, the court reasoned that the likelihood of confusion or difficulty, which burdened interstate operations, demonstrated the need for uniformity among states. (165) The Court concluded that the Arizona Statute was an unconstitutional regulation of interstate commerce reserved to Congress. (166) More recently, in American Library, the District Court found that internet regulation demands consistent treatment because regulation by different states would likely subject internet users to conflicting obligations. 
(167) The Court reasoned these conflicting obligations could even exist where state regulations are identical because the laws may be interpreted differently in each state. (168) Similar to both cases, the regulation of personal data (use, disclosure, and sale) in the CCPA is the type of commerce that requires a cohesive national scheme of regulation. Such a scheme would provide notice to companies and limit confusion or difficulty when it comes to compliance. By contrast, leaving the lawmaking to states would result in inconsistent laws, imposed by multiple states with different priorities. Companies attempting to comply with a patchwork of various state laws would be forced to expend immense resources to keep up with different requirements if other states choose to pass legislation like the CCPA. In conclusion, the CCPA will likely subject personal data usage to inconsistent regulations, which would burden interstate commerce. V. POLICY REASONS TO UPHOLD THE CCPA A. States as Laboratories of Democracy Not only do states have broad power in legislating general welfare concerns within their jurisdictions under the Tenth Amendment, but also there is a long-held federalism principle that states should be able to act as laboratories of democracy. In other words, states should be able to enact a range of policies to test which legal schemes are successful while also learning from the experiences of other states. (169) This principle applies in the context of states' attempts to regulate privacy and data protection. California is known for its experimental laws in the privacy arena. For instance, in 2002, California was the first state to pass a law requiring companies to notify consumers of a data breach that meets a certain caliber. (170) As of March 2018, all other states, inspired by California's legislation, have followed suit passing various breach notification laws. 
(171) As data breaches have continued over the years, lawmakers in at least 31 states are considering different measures that would amend existing security breach laws to further strengthen consumer protection in the event of a data breach. (172) Other states have also been the source of numerous privacy innovations, including laws on identity theft victim rights, limitations on the use of Social Security numbers, cell phone data privacy, cybersecurity, and cyber-exploitation. (173) Many benefits can come from regulatory variation as opposed to one comprehensive federal law as indicated by the data breach example given above. (174) Regulatory variation among states provides an opportunity for learning about the impacts of differing policies. (175) Learning can occur through observing the practices of other states, state experimentation of alternative policies or studying transitions of policy over time. (176) Even if a comprehensive federal law is necessary, the passage of various state laws may be essential to make thoughtful decisions on what policy is best for a federal law. Hasty convergence of a federal law without allowing the states to experiment could result in a suboptimal or arbitrary federal law that provides no real privacy protection to consumers or severely burdens companies. (177) B. Federal Government Entrenchment and the Importance of State Attorneys General The federal government's inability to pass a comprehensive privacy law supports the argument that states are the most adept in regulating on the topic. (178) Further, it is also unlikely that one will see federal movements on privacy legislation or enforcement anytime soon. (179) State attorneys general play a vital role by encouraging privacy legislation at the state legislatures, implementing programs to inform consumers or companies of how to comply, and also enforcing the state laws in place. 
(180) Attorneys general have also argued against federal regulation that would preempt their involvement in data protection regulation. In a letter to the U.S. House of Representatives Committee on Financial Services, a coalition of 32 attorneys general voiced their concern about the proposed Data Acquisition and Technology Accountability and Security Act's attempt to take away state enforcement power in cases of data breach, data security violation, and breach notification. (181) The attorneys general effectively argued that their investigative ability, after a breach, to determine whether companies took adequate precautions to protect consumer data is crucial to provide more transparency for consumers. (182) Though large-scale breaches may occur nationwide, they nonetheless victimize residents of each state, giving AGs the right to enforce appropriate state laws. (183)

Congress's gridlock and the Trump administration's lack of privacy prioritization demonstrate that states should and must fill in the gaps as technology continues to outpace federal legislation and enforcement. Even if the federal government passes preemptive legislation, states should still play a role in enforcement through the state attorneys general, who have proven through experience that they are best equipped to rapidly and effectively respond to data protection violations. (184)

VI. POLICY REASONS TO ENCOURAGE A PREEMPTIVE FEDERAL LAW

As stated in the preemption section above, large technology companies like AT&T, Amazon, Google, Twitter, Apple, and Charter Communications are supportive of a comprehensive federal privacy law that would preempt similar state laws. (185) The concern is that various state laws will create inconsistent privacy rights, which could confuse consumers and place an undue burden on companies to comply with the privacy laws of each state.
(186) Since the passage of the CCPA, other states have followed suit, introducing analogous models to their respective legislatures. (187) In 2019 alone, nine states proposed or passed something similar to the CCPA. (188) Though these bills, also known as "CCPA copycat bills," derive similar privacy principles from the CCPA and the GDPR, they all have notable differences, (189) which will make compliance for companies all the more difficult. Large technology companies contend that the states' passage of a patchwork of evolving laws will put a large strain on businesses that will need to expend an immense amount of resources to come into compliance with each state. (190) As a result, many companies with a national or an international presence may choose to follow the most stringent standard to save resources and avoid various state sanctions. These expenditures, in turn, stifle innovation as companies' resources go towards compliance objectives rather than pioneering projects to better serve consumer needs.

Today, data protection and privacy breaches do not respect state boundaries. The usage, storage, disclosure, and sale of data are rarely restricted to one state. With that in mind, data protection and privacy are federal issues and should be legislated accordingly. To avoid a patchwork of state laws, stakeholders from the industry, privacy field, and the public should come together to compromise on federal legislation. Though one could argue that experimentation among the states is necessary before passing a federal law, the European Union's GDPR and the CCPA models likely provide sufficient testing to inform the federal government of the laws' successes and drawbacks.

In today's digital era, the exploitation of personal data is at an all-time high. It seems every month there is a new scandal making headlines concerning a technology company's misuse of personal information.
The lack of regulation, intended to give technology companies room to innovate, now faces its repercussions in a serious need for consumer privacy. The CCPA is an example of this. The CCPA provides various protections to California consumers and limits the way companies can store, disclose, and sell consumers' information. However, the CCPA still has its deficiencies, which raise questions about its ability to provide sufficient protection. (191) To start, the CCPA was hastily drafted within a seven-day period and contained little input from the community and the most affected stakeholders. (192) A California consumer's right under the opt-out provision is not nearly as strong as an opt-in system, like the GDPR, because it still subjects a consumer's data to misuse during the time before a consumer decides to opt out. Additionally, a consumer's right to have his/her information deleted is limited by multiple exceptions under which a company can refuse the request in certain circumstances. Though this law is likely not preempted by any existing federal law because of the CCPA's anti-preemptive language, congressional discussion of a potential comprehensive federal law having preemptive effect is looming. (193) Even if the law is not preempted, it may face serious First Amendment and Dormant Commerce Clause challenges threatening its authority.

If Congress is successful in passing an all-inclusive data privacy law, it should provide preemptive effect with enforcement authority by a federal agency as well as state attorneys general. Taking an approach similar to COPPA, which provides strict preemption when a state regulation is inconsistent, a federal law should require high data protection and privacy thresholds. In other words, a federal law should act as a ceiling as opposed to a floor. Allowing states to enact more stringent laws that are inconsistent with the federal law will perpetuate the patchwork-of-laws conundrum.
Such disparate laws create confusion among consumers and place financial burdens on businesses that inevitably will be forced to comply with the strictest law if they have consumers in multiple states.

Furthermore, there needs to be a robust enforcement mechanism. It seems only fitting that the FTC enforces the federal law, because a large part of the agency's mission is to promote consumer protection. However, this job may be too large for an understaffed and underfunded agency. To ensure adequate enforcement, federal legislation should allow enforcement by state attorneys general who can quickly and effectively respond to violations without the need of bureaucratic approval.

What is certain is the growing distrust the American people have for companies collecting their information. (194) To regain this trust, company stakeholders, consumers, privacy scholars, and legislators must come together to find a balance between reasonable regulations and the freedom to innovate. The federalism doctrine encompasses not only the federal government and the states separately, but also the way the two work together.

Alexandria J. Saquella (*)

(*) J.D. Candidate, Sandra Day O'Connor College of Law, Arizona State University. The author would like to thank Professor Kimberly Holst, Professor Stefanie Lindquist, and Mr. Will Bracker for their assistance and valuable feedback during the drafting process of this Comment. She would also like to thank her parents, Jan and Alan Saquella, and her companion, Tyler Koressel, for their endless love and support.

(1.) Sheera Frenkel et al., Facebook Data Collected by Quiz App Included Private Messages, N.Y. TIMES (Apr. 10, 2018), https://www.nytimes.com/2018/04/10/technology/facebook-cambridge-analytica-private-messages.html [https://perma.cc/FC5VR43C]. (2.) Natasha Singer, Grindr Sets Off Privacy Firestorm After Sharing Users' H.I.V.-Status Data, N.Y. TIMES (Apr.
3, 2018), https://www.nytimes.com/2018/04/03/technology/grindr-sets-off-privacy-firestorm-after-sharing-users-hiv-status-data.html [https://perma.cc/5V24-VQNU]. (3.) Douglas MacMillan & Robert McMillan, Google Exposed User Data, Feared Repercussions of Disclosing to Public, WALL ST. J., (Oct. 8, 2018), https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194 [https://perma.cc/W85T-TZCK]. (4.) Id. (5.) Adam C. Uzialko, How Businesses Are Collecting Data (and What They're Doing with It), BUS. NEWS DAILY (Aug. 3, 2018, 2:25 PM), https://www.businessnewsdaily.com/10625-businesses-collecting-data.html [https://perma.cc/7P45-UPF4]. (6.) Id. (7.) Id. (8.) Id. (9.) MICHAEL J. D. VERMEER ET AL., IDENTIFYING LAW ENFORCEMENT NEEDS FOR ACCESS TO DIGITAL EVIDENCE IN REMOTE DATA CENTERS 1 (2018), https://www.rand.org/content/dam/rand/pubs/research_reports/RR2200/RR2240/RAND_RR2240.pdf [https://perma.cc/QG8M-8GPC]. (10.) EUROFINAS & ASS'N OF CONSUMER CREDIT INFO. SUPPLIERS, FRAUD PREVENTION AND DATA PROTECTION: A EUROFINAS--ACCIS REPORT ON FIGHTING FRAUD IN CONSUMER LENDING 25 (2011), http://www.eurofinas.org/uploads/documents/Non-visible/Eurofinas-Accis_ReportOnFraud_WEB.pdf [https://perma.cc/FKT4-AL5M]. (11.) Uzialko, supra note 5. (12.) Id. (13.) STEFAAN G. VERHULST & ANDREW YOUNG, THE POTENTIAL OF SOCIAL MEDIA INTELLIGENCE TO IMPROVE PEOPLE'S LIVES: SOCIAL MEDIA DATA FOR GOOD 21 (Sept. 24, 2017), http://datacollaboratives.org/static/files/social-mediadata.pdf [https://perma.cc/2BEX-7UGC] ("Data collaboratives are an emerging and increasingly common form of public-private partnership in which actors from different sectors exchange information [to improve people's lives]."). (14.) Id. at 23. (15.) Id. (16.) See generally Commission Regulation 2016/679, 2016 O.J. (L 119) 1, https://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32016R0679 [https://perma.cc/3JNG-CDZW]. (17.) 
Ernst-Oliver Wilhelm, A Brief History of the General Data Protection Regulation, INT'L ASS'N PRIVACY PROFS., https://iapp.org/resources/article/a-brief-history-of-the-general-data-protection-regulation/ [https://perma.cc/T6BF-QZMX]. (18.) Id. Unlike an E.U. regulation, which is a binding legislative act applied across the European Union, a directive sets out a goal that E.U. countries must achieve by devising their own individual laws. Regulations, Directives and Other Acts, EUR. UNION (May 24, 2018), https://europa.eu/european-union/eu-law/legal-acts_en [https://perma.cc/3K66-S5F2]. (19.) Wilhelm, supra note 17. (20.) Id. (21.) Id.; European Commission Press Release IP/15/6321, Agreement on Commission's EU Data Protection Reform Will Boost Digital Single Market (Dec. 15, 2015), https://europa.eu/rapid/press-release_IP-15-6321_en.htm [https://perma.cc/9W7M-YBBA]. (22.) Consumer Data Privacy: Examining Lessons from the European Union's General Data Protection Regulation and the California Consumer Privacy Act: Hearing Before the S. Comm. on Commerce, Sci., & Transp., 115th Cong. 2 (Oct. 10, 2018), https://www.commerce.senate.gov/services/files/892B1917-02CE-4F38-8DCE-C8DABCFE4180 [https://perma.cc/YJ4R-A45K] (statement of Andrea Jelinek, Chair, European Data Protection Board). (23.) Id. at 4. (24.) What Are the Most Common Questions Asked About GDPR?, GDPR (Apr. 24, 2017), https://eugdpr.com/news/commonquestions-asked-gdpr/ [https://perma.cc/JW3W-TV2Q]. (25.) GDPR FAQs, EU GDPR, https://eugdpr.org/the-regulation/gdpr-faqs/ [https://perma.cc/2FV2-TW9C]. (26.) A New Era for Data Protection in the EU--What Changes After May 2018, at 1, EUROPEAN COMMISSION, https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-changes_en.pdf [https://perma.cc/ZT3Y-ZEZ8] [hereinafter A New Era for Data Protection] (factsheet enumerating changes required by the GDPR that went into effect in May 2018). Consent is one of six lawful grounds for processing data. 
Lee Matheson, Top 10 Operational Responses to the GDPR--Part 2: Lawful Bases for Processing, INT'L ASS'N PRIVACY PROFS. (Feb. 7, 2018), https://iapp.org/news/a/top-10-operational-responses-to-thegdpr-part-2-lawful-bases-for-processing/ [https://perma.cc/44XZ-AUPL]. The others are contract, legal obligations, vital interests of data subject, public interest and legitimate interests. Id. If none of these five grounds are applicable, the company must receive consent. Id. (27.) The "opt-out" approach is taken by the CCPA, but only in the context of selling a consumer's data. CAL. CIV. CODE [section] 1798.120(b) (West, Westlaw through Ch. 1 of 2020 Reg. Sess.). (28.) A New Era for Data Protection, supra note 26, at 3. (29.) Id. at 2-3. (30.) Id. at 3; Commission Regulation 2016/679, art. 83(5), 2016 O.J. (L 119) 1, 82, https://eur-lex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:32016R0679 [https://perma.cc/3JNG-CDZW]. (31.) This same approach is also reflected at the federal level, to be discussed in more detail later in this article. (32.) Caroline O. Outten, Here We Go Again? NY Considers Consumer Privacy Bill, NAT'L L. REV. (Jan. 28, 2019), https://www.natlawreview.com/article/here-we-go-again-ny-considers-consumer-privacy-bill [https://perma.cc/9GUR-GEDP]. Though this may change as other states like New York, Vermont, South Carolina, and Iowa have proposed legislation akin to the CCPA. Id. (33.) 2018 Security Breach Legislation, NAT'L. CONF. ST. LEGISLATURES (Feb. 8, 2019), http://www.ncsl.org/research/telecommunications-and-information-technology/2018-security-breach-legislation.aspx [https://perma.cc/FXW3-63PB] (NCSL provides comparative information on state laws). (34.) Data Disposal Laws, NAT'L. CONF. ST. LEGISLATURES (Jan. 4, 2019), http://www.ncsl.org/research/telecommunications-andinformation-technology/data-disposal-laws.aspx [https://perma.cc/MC3E-PHBV]. (35.) Id. (36.) Letter from Lisa Madigan, Att'y Gen., State of Ill., to members of the Comm. on Fin. 
Servs., U.S. House of Representatives (Mar. 19, 2018), http://www.illinoisattorneygeneral.gov/pressroom/2018_03/Committee_Leaders_letter.pdf [https://perma.cc/C3F5F4QL]. (37.) Id.; see also Data Acquisition and Technology Accountability and Security Act, H.R. ___, 115th Cong., (2d Sess. 2018) (draft bill), https://financialservices.house.gov/uploadedfiles/03.07.2018_data_s_bill.pdf [https://perma.cc/5MDD-YRC7]. (38.) Letter from Lisa Madigan, supra note 36. (39.) Id.; see also Danielle Keats Citron, The Privacy Policymaking of State Attorneys General, 92 NOTRE DAME L. REV. 747, 748-50 (2016) (discussing the role of state attorneys general to enforce privacy laws). (40.) Letter from Lisa Madigan, supra note 36. (41.) Eric Goldman, An Introduction to the California Consumer Privacy Act (CCPA) 1 (July 9, 2018) (unpublished research paper), https://ssrn.com/abstract=3211013; see also Ben Adler, California Passes Strict Internet Privacy Law with Implications for the Country, NAT'L PUB. RADIO (June 29, 2018, 5:05 AM), https://www.npr.org/2018/06/29/624336039/california-passes-strict-internetprivacy-law-with-implications-for-the-country [https://perma.cc/KC39-GHCT]. (42.) Adler, supra note 41. (43.) Id. (44.) A.B. 375, 2018 Leg. (Cal. 2018). (45.) Id. (46.) Id. (47.) CAL. CIV. CODE [section] 1798.140(c)(1) (West, Westlaw through Ch. 1 of 2020 Reg. Sess.). (48.) Rita Heimes & Sam Pfeifle, New California Privacy Law to Affect More Than Half a Million US Companies, INT'L ASS'N PRIVACY PROFS. (July 2, 2018), https://iapp.org/news/a/new-california-privacy-law-to-affect-more-than-half-a-million-us-companies/ [https://perma.cc/6X5A-MWXR]. (49.) Id. (50.) See generally CAL. CIV. CODE [section] 1798.100 (Westlaw). (51.) Id. [section] 1798.140(o)(1). (52.) Consumer Data Privacy: Examining Lessons from the European Union's General Data Protection Regulation and the California Consumer Privacy Act: Hearing Before the S. Comm. on Commerce, Sci., & Transp., 115th Cong. (Oct. 
10, 2018), https://www.commerce.senate.gov/services/files/9CC53419-6E09-4075-98BA-4C4F2D46A686 [https://perma.cc/99WN-5TUR] [hereinafter Mactaggart Statement] (statement of Alastair Mactaggart, Chair, Californians for Consumer Privacy). Mactaggart further explained the definition did not distinguish between sensitive and non-sensitive information because as technology changes over time, information that may not have been sensitive in the past may be sensitive later. Id. (53.) CAL. CIV. CODE [section] 1798.100(a) (Westlaw). (54.) Id. [section] 1798.100(b). (55.) Id. [section] 1798.105(a). (56.) Id. [section] 1798.105(d). (57.) Id. [section] 1798.105(d)(1). (58.) Id. [section] 1798.115(a). (59.) Id. [section] 1798.120(a). To explain the rationale of an opt-out approach, Mactaggart stated in the federal senate committee hearing that consumers are already paying companies with their wallet or their eyeballs, so consumers should have the right to decide whether the personal information collected about them can be sold. Mactaggart Statement, supra note 52. (60.) [section] 1798.125(a)(1). (61.) Id. [section] 1798.185(a); see also Letter from Xavier Becerra, Att'y Gen., State of Cal., to Assemb. Chau & Sen. Hertzberg, Cal. State S. & Cal. State Assemb. (Aug. 22, 2018) (voicing concern with the rulemaking deadline of one year, calling it "simply unattainable"). (62.) [section] 1798.155(b). California's Attorney General may impose a $2,500 penalty for each violation of the CCPA or up to $7,500 per each intentional violation and a violating entity may be subject to an injunction. Id. (63.) Id. [section] 1798.150(b). (64.) S.B. 1121, 2018 Leg. Reg. Sess. (Cal. 2018). (65.) Id. (66.) Id. (67.) Id. (68.) Id. (69.) Goldman, supra note 41, at 2 (quoting CAL. CIV. CODE [section] 1798.185(a)(7) (West, Westlaw through Ch. 1 of 2020 Reg. 
Sess.)); Jeff Kosseff, Ten Reasons Why California's New Data Protection Law Is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post), TECH. & MARKETING L. BLOG (July 9, 2018), https://blog.ericgoldman.org/archives/2018/07/ten-reasons-why-californias-new-data-protection-law-is-unworkable-burdensome-andpossibly-unconstitutional-guest-blog-post.htm [https://perma.cc/7YNK-K33E]. (70.) Assem. B. No. 874, 2019-2020 Leg. Reg. Sess., [section] 1(o)(2) (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB874 [https://perma.cc/794X-55L7]. (71.) Id. (72.) R.A.V. v. City of St. Paul, 505 U.S. 377, 382 (1992) (citing, e.g., Consolidated Edison Co. of N.Y. v. Public Serv. Comm'n of N.Y., 447 U.S. 530, 536 (1980)). (73.) E.g., United States v. Playboy Entm't Grp., 529 U.S. 803, 813 (2000) (citing Sable Communications of Cal., Inc. v. FCC, 492 U.S. 115, 126 (1989)). (74.) Sorrell v. IMS Health Inc., 564 U.S. 552, 570 (2011). (75.) Id. at 557; Kosseff, supra note 69. (76.) Sorrell, 564 U.S. at 564. (77.) Id. at 571-72. (78.) An example of noncommercial communications encapsulated by the law could include photographers or businesses posting articles on an internal news blog. (79.) Internet Service Providers: Customer Privacy: Hearing on A.B. 375 Before the S. Judiciary Comm., 2018 Leg. 2017-2018 Reg. Sess. 1-2 (Cal. 2018). (80.) See CAL. CIV. CODE [section] 1798.1 (West, Westlaw through Ch. 1 of 2020 Reg. Sess.). (81.) Assem. B. No. 375, 2017-2018 Leg. Reg. Sess., [section] 2(f) (Cal. 2018), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375 [https://perma.cc/CPQ3-44BH]. (82.) Id. [section] 2(g). (83.) ERWIN CHEMERINSKY, CONSTITUTIONAL LAW PRINCIPLES AND POLICIES 392 (Vicki Been et al. eds., 3d ed. 2006). (84.) Id. (85.) Id. at 393. (86.) Id. at 396. (87.) Id. at 393. (88.) Id. at 394-395. (89.) Id. at 394. (90.) Arizona v. United States, 567 U.S. 387, 401 (2012). (91.) Id. (92.)
CHEMERINSKY, supra note 83, at 393. (93.) Id. at 409-10. (94.) Florida Lime & Avocado Growers, Inc. v. Paul, 373 U.S. 132, 142 (1963). (95.) Id. (96.) Id. at 145. (97.) CHEMERINSKY, supra note 83, at 412. (98.) Crosby v. Nat'l Foreign Trade Council, 530 U.S. 363, 373-74 (2000). (99.) Id. at 374-76. (100.) See also Driver's Privacy Protection Act, 18 U.S.C. [section] 2721 (2018). (101.) 45 C.F.R. [section] 160.203 (2002) (Another HIPAA preemption exception provides that a state law, contrary to HIPAA, will not be preempted if the Secretary of Health and Human Services decides the state law is necessary to prevent fraud and abuse related to the provision of or payment for health care.). (102.) Children's Online Privacy Protection Act, 15 U.S.C. [section] 6502(d) (2006); 15 U.S.C. [section] 6504(a)(1) (2018). States that have enforced COPPA include New Jersey and Texas. Press Release, Office of the Att'y Gen., New Jersey Attorney General and Division of Consumer Affairs File Federal Suit Against App Developer Accused of Collecting, Transmitting Children's Personal Information Without Parental Notification or Consent (June 6, 2012), https://www.nj.gov/oag/newsreleases12/pr20120606a.html [https://perma.cc/Q5KS-7F4G]; Jacqueline Klosek & Dale Fulton, Are You in Compliance with COPPA? Recent State Actions Raise the Stakes, INT'L ASS'N PRIVACY PROFS. (June 1, 2008), https://iapp.org/news/a/2008-06-compliance-with-coppa-recent-stateactions-raise-the-stakes/ [https://perma.cc/3Y3X-BHEC]. (103.) Our History, FED. TRADE COMM'N, https://www.ftc.gov/about-ftc/our-history [https://perma.cc/HW5N-9JSN]. (104.) Id.; About the FTC, FED. TRADE COMM'N, https://www.ftc.gov/about-ftc [https://perma.cc/MRP2-AMZ8]. (105.) A Brief Overview of the Federal Trade Commission's Investigative, Law Enforcement, and Rulemaking Authority, FED.
TRADE COMM'N (July 2008), https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority [https://perma.cc/SLY7-BJRY] [hereinafter FTC Authority Overview] (Two of the federal acts listed above in the Federal Law on Consumer Data Privacy section, the Children's Online Privacy Protection Act and the Fair and Accurate Credit Transactions Act, are enforced by the FTC). (106.) 15 U.S.C. [section] 45(a)(2) (2018); see also [section] 45(a)(1) (When it comes to consumer protection, the FTC enforces Section 5(a) of the FTC Act, which provides that "unfair or deceptive acts or practices in or affecting commerce... are... declared unlawful."); [section] 45(n) (A "practice is unfair" when it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."); see also FTC Authority Overview, supra note 105 [https://perma.cc/SLY7-BJRY]. (107.) FTC Authority Overview, supra note 105; see also 5 U.S.C. [section] 553 (2018) (federal agency rulemaking power). (108.) JAMES T. O'REILLY, FEDERAL PREEMPTION OF STATE AND LOCAL LAW: LEGISLATION, REGULATION, AND LITIGATION 8 (2006), http://apps.americanbar.org/abastore/products/books/abstracts/5010047samplechp_abs.pdf [https://perma.cc/9G5R-GFBY]. (109.) 15 U.S.C. [section] 45b (e)(1), (4) (2018). (110.) Id. (111.) FED. TRADE COMM'N, PRIVACY & DATA SECURITY: UPDATE 2019, at 2-3, 13-14 (2020), https://www.ftc.gov/system/files/documents/reports/privacy-data-security-update-2019/2019-privacy-data-security-report-508.pdf [https://perma.cc/Z8VC-HG6F] (For instance, federal statutes like the Children's Online Privacy Protection Act and the Fair and Accurate Credit Transactions Act also authorize the commission's rulemaking power, which furthers the legislation's purpose or goals.); see also FTC Authority Overview, supra note 105. (112.) FED. TRADE COMM'N, supra note 111, at 13. 
The breach notification rule requires certain web-based businesses to notify customers when their electronically stored health information has been breached. Id. (113.) Id. ("The COPPA Rule requires websites and apps to get parental consent before collecting personal information from children under 13."). (114.) Id. at 14. Directed by the Fair and Accurate Credit Transactions Act, the FTC enacted the Disposal Rule requiring companies to dispose of credit reports and information derived from consumers in a safe and secure manner to protect against unauthorized access to or use of the information. Id.; see also Disposing of Consumer Report Information? Rule Tells How, FED. TRADE COMM'N (June 2005), https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how [https://perma.cc/ZV7B-4KUX]. (115.) Nat'l Petroleum Refiners Ass'n v. FTC, 482 F.2d 672, 698 (D.C. Cir. 1973), cert. denied 415 U.S. 951 (1974) (finding the FTC had the authority to require octane labels on gasoline pumps). (116.) S.B. 1121, 2018 Leg. Reg. Sess. (Cal. 2018). (117.) Id. (118.) Id. (119.) CAL. CIV. CODE [section] 1798.145(c)(1)(B) (West, Westlaw through Ch. 1 of 2020 Reg. Sess.). (120.) Examining Safeguards for Consumer Data Privacy, U.S. SENATE COMMITTEE ON COM. SCI. & TRANSP. (Sept. 26, 2018), https://www.commerce.senate.gov/public/index.cfm/hearings?ID=2FF829A8-2172-44B8-BAF8-5E2062418F31 [https://perma.cc/8QBY-UHJH] (webcast). (121.) Examining Safeguards for Consumer Data Privacy: Hearing Before the S. Comm. on Commerce, Sci., & Transp., 115th Cong. (Sept. 26, 2018), https://www.commerce.senate.gov/services/files/B42B3943-1409-44F4-9AA9-91AD21FFB43A [https://perma.cc/C9T7-9NKK] (statement of Leonard Cali, Senior Vice President Global Public Policy, AT&T) [hereinafter Cali Statement]. (122.) Id. (123.) Examining Safeguards for Consumer Data Privacy: Hearing Before the S. Comm. on Commerce, Sci., & Transp., 115th Cong. (Sept. 
26, 2018), https://www.commerce.senate.gov/services/files/5D32673E-D11D-4EE1-A7F3-8B03E407128D [https://perma.cc/Q3Q9-KRKE] (statement of Keith Enright, Chief Privacy Officer, Google). (124.) Cali Statement, supra note 121. Tech company representatives voiced concern over the CCPA's unclear standards, making it difficult for companies to comply. Id. Specifically, AT&T Senior Vice President of Global Public Policy, Len Cali, said he was concerned about how the non-discrimination clause would affect loyalty programs. Id. Additionally, he stated he was concerned about the implementation of a notice and consent process. Id. (125.) Consumer Data Privacy: Examining Lessons From the European Union's General Data Protection Regulation and the California Consumer Privacy Act, U.S. SENATE COMMITTEE ON COM. SCI. & TRANSP. (Oct. 10, 2018), https://www.commerce.senate.gov/public/index.cfm/hearings?ID=3A98134B-6CCE-4491-B22B-BC831C3DFF5D [https://perma.cc/WSE4-VE3S] (witness statements include those of Alastair Mactaggart, Board Chair, Californians for Consumer Privacy; Dr. Andrea Jelinek, Chair, European Data Protection Board (overseeing the GDPR); Laura Moy, Executive Director, Georgetown Law Center on Privacy & Technology; and Nuala O'Connor, President & CEO, Center for Democracy & Technology) (webcast). (126.) Id. (127.) See Thomas v. Nationwide Children's Hosp., Inc., No. 2:14-CV-1236, 2018 WL 1512908, at *4 (S.D. Ohio Mar. 27, 2018) (Where HIPAA specifically permitted the disclosure of privileged medical records to comply with judicial proceedings--but an Ohio physician-patient privilege statute did not provide such an exception [providing stronger protections]--the court found the state law was not preempted because the state legislation did not come into conflict with HIPAA.). (128.) See Divonne Smoyer & Aaron Lancaster, State AGs: The Most Important Regulators in the U.S.?, INT'L ASS'N PRIVACY PROFS. (Nov. 
26, 2013), https://iapp.org/news/a/state-ags-the-most-important-regulators-in-the-us/# [https://perma.cc/KS7V-EJYS]; Cf. Angelique Carson, Will the US States Pick Up the Slack Left by Trump-Era Policy Reversals?, INT'L ASS'N PRIVACY PROFS. (June 13, 2017), https://iapp.org/news/a/will-u-s-states-pick-up-the-slack-left-by-trump-era-policy-reversals/ [https://perma.cc/8QVRKEVW] (discussing the Trump administration's deprioritization of privacy regulation). (129.) 15 U.S.C. [section] 57a(a)(1)(A-B) (2018). (130.) Cf. 15 U.S.C. [section] 6502(d) (2018). (Other federal statutes, like COPPA, have provided preemptive effect while delegating enforcement and rulemaking power to the FTC.). (131.) Susan Bartlett Foote, Administrative Preemption: An Experiment in Regulatory Federalism, 70 VA. L. REV. 1429, 1437 (1984). (132.) MAEVE P. CAREY, CONG. RESEARCH SERV., RL32240, THE FEDERAL RULEMAKING PROCESS: AN OVERVIEW 15 (2013), https://fas.org/sgp/crs/misc/RL32240.pdf [https://perma.cc/AYD2-B322]. (133.) Id. at 16. (134.) U.S. CONST. art. I, [section] 8, cl. 1, 3. (135.) Gibbons v. Ogden, 22 U.S. (9 Wheat.) 1, 71 (1824). (136.) Id. at 89 (Johnson, J., concurring). (137.) CHEMERINSKY, supra note 83, at 419. (138.) Id. at 430, 437. (139.) American Library Ass'n v. Pataki, 969 F. Supp. 160, 169 (S.D.N.Y. 1997). (140.) CHEMERINSKY, supra note 83, at 437. (141.) See 969 F. Supp. at 184. (142.) PSINet, Inc. v. Chapman, 108 F. Supp.2d 611, 627 (W.D. Va. 2000) (claimants showed state statute criminalizing sale, rental or loan to juveniles of sexually harmful material would likely violate Commerce Clause); State v. Heckel, 143 Wash.2d 824, 840 (Wash. 2001) (Washington's Commercial Electronic Mail Act, which prohibited misrepresentation in subject line or transmission path of commercial e-mail messages did not unconstitutionally substantially burden interstate commerce.); see also MaryCLE, LLC v. First Choice Internet, Inc., 166 Md. App. 481 (Md. Ct. Spec. App. 2006). (143.) 
See Anthony Glosson, California Lawmakers vs. the Dormant Commerce Clause, ANTHONY GLOSSON BLOG (Feb. 13, 2014, 4:46 AM), http://anthonyglosson.com/california-lawmakers-vs-the-dormant-commerce-clause/ [https://perma.cc/M9XT-VE7G] (To date, no court has struck down a state data-breach notification law based on the Dormant Commerce Clause analysis.). (144.) Examining Safeguards for Consumer Data Privacy, supra note 120 (Members of Congress discussed state privacy laws like CCPA that may be a violation of Commerce Clause.). (145.) South Dakota v. Wayfair, Inc., 138 S. Ct. 2080, 2099 (2018). (146.) Id. at 2088-89. (147.) Id. at 2099. (148.) Edwards v. California, 314 U.S. 160, 172-73 (1942). (149.) Id. at 172 n.1. (150.) See generally Ann E. Carlson, Iterative Federalism and Climate Change (Aug. 1, 2008) (unpublished manuscript), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1115556## [https://perma.cc/P7H5-YRXA] (Under iterative federalism schemes, federal law singles out a state or particular group of states for special regulatory power rather than treating all fifty states as legally homogeneous.). (151.) Nicholas Bryner & Meredith Hankins, Why California Gets to Write Its Own Auto Emissions Standards: 5 Questions Answered, CONVERSATION (Sept. 9, 2016), http://theconversation.com/why-california-gets-to-write-its-own-auto-emissions-standards-5questions-answered-94379 [https://perma.cc/EK4Q-TL9K]. (152.) Id. (153.) CAL. CIV. CODE [section] 1798.145(a)(6) (West, Westlaw through Ch. 1 of 2020 Reg. Sess.). (154.) Id. (155.) Lothar Determann, Broad Data and Business Regulation, Applicable Worldwide, INT'L ASS'N PRIVACY PROFS., https://iapp.org/news/a/analysis-the-california-consumer-privacy-act-of-2018/ [https://perma.cc/ZH3R-7J9V]. (156.) 397 U.S. 137, 142 (1970). (157.) Id. (158.) Id.; see Hunt v. Wash. State Apple Advert. Comm'n, 432 U.S. 
333, 350 (1977) ("[A] finding that state legislation furthers matters of legitimate local concern, even in the health and consumer protection areas, does not end the inquiry."). (159.) Jeff Roberts, Here Comes America's First Privacy Law: What the CCPA Means for Business and Consumers, FORTUNE (Sept. 13, 2019, 3:30 AM), https://fortune.com/2019/09/13/what-is-ccpa-compliance-california-data-privacy-law/ [https://perma.cc/RE4V-73T9]. California has the largest population in the United States. At approximately 39.25 million, California makes up 12% of the entire U.S. population. See Quick Facts: California, U.S. CENSUS BUREAU (July 1, 2018), https://www.census.gov/quickfacts/ca [https://perma.cc/5H3A-AQB3]. (160.) The company (1) has $25M+ in annual revenues, (2) derives 50%+ of its revenues from selling consumer data, or (3) possesses the personal data of more than 50,000 "consumers, households, or devices." CAL. CIV. CODE [section] 1798.140(c)(1) (West, Westlaw through Ch. 1 of 2020 Reg. Sess.). (161.) [section] 1798.140(o)(1) ("personal information" is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household). (162.) See Glosson, supra note 143. (163.) Southern Pac. Co. v. State of Ariz. ex rel. Sullivan, 325 U.S. 761, 763 (1945). (164.) Id. at 781-782. (165.) Id. at 779. (166.) Id. at 783-84; see also Bibb v. Navajo Freight Lines, Inc., 359 U.S. 520, 528 (1959) (Illinois statute requiring the use of contour mudguard on trucks in Illinois demonstrated need for coordinated federal legislation). (167.) American Library Association v. Pataki, 969 F. Supp. 160, 181 (S.D.N.Y. 1997). One example of state regulations that provided conflicting obligations was an Illinois statute that required the use of contour mudguards on trucks in Illinois and an Arkansas law that required straight or conventional mudguards in Arkansas. Bibb, 359 U.S. 
at 528 (striking down the Illinois law as imposing an undue burden on interstate commerce).
(168.) American Library Association, 969 F. Supp. at 182.
(169.) Coined by Justice Louis Brandeis in his dissent in New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) ("It is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.").
(170.) Glosson, supra note 143.
(171.) 2018 Security Breach Legislation, supra note 33.
(172.) Id. ("For example, since the Equifax data breach in 2017, several states introduced legislation that would provide for free credit freezes for victims of data breaches.... Other bills would amend breach laws to expand the definition of 'personal information,' to set specific timeframes within which a breach must be reported, or require reporting to the state's attorney general. In addition, several bills would require notification in the case of breaches of student information.").
(173.) Joanne McNabb, Can Laboratories of Democracy Innovate the Way to Privacy Protection?, CENTURY FOUND. (Apr. 5, 2018), https://tcf.org/content/report/can-laboratories-democracy-innovate-way-privacy-protection/?session=1 [https://perma.cc/ALE2DH7Z].
(174.) Unlike the federal government, states are unique in that they have broad and general powers to regulate all necessary laws to protect the general health, safety, and welfare of the persons and property within their jurisdictions. Glosson, supra note 143.
(175.) Jonathan B. Wiener & Alberto Alemanno, The Future of International Regulatory Cooperation: TTIP As a Learning Process Toward a Global Policy Laboratory, 78 LAW & CONTEMP. PROBS. 103, 106 (2015) (surveying a range of mechanisms applied to international regulatory cooperation, with examples including the United States-European Union and United States-Canada).
(176.) Id.
(177.) Id.
(178.)
McNabb, supra note 173. Proposals on data security regulation, laying out standards on companies' handling of consumer data, have been consistently opposed by the tech industry. Id. The U.S. Chamber of Commerce even opposed a voluntary program of cybersecurity for critical infrastructure companies developed in response to Executive Order 13636 by President Obama. Id.
(179.) Carson, supra note 128 (discussing the Trump administration's rolling back of Federal Communications Commission privacy rules).
(180.) Divonne Smoyer & Aaron Lancaster, State AGs: The Most Important Regulators in the U.S.?, INT'L ASS'N PRIVACY PROFS. (Nov. 26, 2013), https://iapp.org/news/a/state-ags-the-most-important-regulators-in-the-us/ [https://perma.cc/2FXE-FSDS]. California Attorney General Harris collaborated with six application developers to create a best practices guide urging developers to consider consumer privacy in the development process. Id. Connecticut AG George Jepsen, among other AGs, investigated Google for its Street View mapping project, which violated people's privacy by collecting passwords, e-mail addresses, and other information from nearby computers. Id. In a settlement of $7 million with 38 Attorneys General, Google conceded to its violation. Id. See generally Citron, supra note 39 (discussing the role of state attorneys general to enforce privacy laws).
(181.) Letter from Lisa Madigan, supra note 36.
(182.) Id.
(183.) Id.
(184.) Id.
(185.) See Examining Safeguards for Consumer Data Privacy, supra note 120.
(186.) Id.
(187.) Rachel R. Marmor et al., "Copycat CCPA" Bills Introduced in States Across Country, DAVIS WRIGHT TREMAINE: PRIVACY & SECURITY L. BLOG (Feb. 8, 2019), https://www.privsecblog.com/2019/02/articles/california-consumer-protection-actccpa/copycat-ccpa-bills-introduced-in-states-across-country/ [https://perma.cc/NJ8U-QCHR].
(188.) Id.
The states include Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota, Rhode Island, and Washington. Id.
(189.) Id.
(190.) Id.
(191.) As of June 19, 2019, fourteen bills seeking to amend the CCPA before it takes effect have been introduced and are advancing through the California State Legislature. David M. Stauss, The California Consumer Privacy Act: Everything We Know with Six Months to Go, SECURITY MAG. (June 19, 2019), https://www.securitymagazine.com/articles/90393-the-california-consumer-privacyact-everything-we-know-with-six-months-to-go [https://perma.cc/3D8B-YHJX]. Some notable proposed amendments set out to clarify that the CCPA does not cover de-identified or aggregate consumer information, explain that personal information does not extend to employee information, and exclude loyalty programs from CCPA coverage. Id.
(192.) Goldman, supra note 41.
(193.) Kate Patrick, Draft Internet Privacy Bill Is Done, but Not Without Criticism, GOV'T TECH. (Dec. 18, 2018), http://www.govtech.com/security/Draft-Internet-Privacy-Bill-Is-Done-But-Not-Without-Criticism.html [https://perma.cc/5W7U-PJJ6].
(194.) Nuala O'Connor, Reforming the U.S. Approach to Data Protection and Privacy, COUNCIL ON FOREIGN RELATIONS (Jan. 30, 2018), https://www.cfr.org/report/reforming-us-approach-data-protection [https://perma.cc/AH6W-JQQR].
Copyright: COPYRIGHT 2020 American Bar Association http://www.law.asu.edu/jurimetrics/JurimetricsJournal/AbouttheJournal.aspx
Source Citation (MLA 9th Edition) Saquella, Alexandria J. "PERSONAL DATA VULNERABILITY: CONSTITUTIONAL ISSUES WITH THE CALIFORNIA CONSUMER PRIVACY ACT." Jurimetrics Journal of Law, Science and Technology, vol. 60, no. 2, Wntr 2020, pp. 215+. Gale Academic OneFile, link.gale.com/apps/doc/A628079309/AONE?u=cazc_main&sid=bookmark-AONE&xid=cfd9a440. Accessed 11 Nov. 2023.