Will the New California Consumer Privacy Act Stand?
In June 2018, California passed a new regulation titled the California Consumer Privacy Act (CCPA). Scheduled to go into effect in 2020, this new privacy law goes much further than any other federal or state law – being compared to the recently released GDPR EU privacy regulation. A big difference in the CCPA is the concept of presumed damages - meaning the new law makes it possible to make a claim against a company who has put a consumer’s personal information at risk based on the exposure alone, regardless of whether the claimants can show that the incident resulted in actual damages. However, the bigger question is how the law will affect other states, the federal government, and companies doing business with California residents.
The other 49 states
Because of the scope of the CCPA, the question of what the other 49 states will do is important. Will the states do nothing, adopt California’s law in its entirety or, create their own privacy laws with their own unique spin? If all or most of the states do nothing, companies will need to be able to track California consumer data separately and setup policies and technology to comply with the state law. Alternatively, they could use a “high water” strategy and treat all contacts as if they were California citizens.
On the other hand, if states create their own (slightly different) privacy regulations, businesses worldwide will be faced with trying to comply with 50 different privacy regulations as well as the increasing number of foreign privacy laws – an extremely costly process.
The question of how the federal government will respond to the CCPA is important as well. Will the feds pass a new sweeping federal privacy regulation themselves – in essence invalidating the California law, or will they challenge the CCPA in court first?
Will the Feds fight back?
Many pundits expect the U.S. Congress toeventually pass a national privacy law. However, if the CCPA is left unchallenged, businesses will be forced to spend huge amounts of money to ensure compliance with the new regulation. Because of this, it is believed that the feds will challenge the regulation before it becomes law. But what would be the grounds be to challenge the law?
Article 1, Section 8, Clause 3, of the U.S. Constitution empowers Congress "to regulate Commerce with foreign nations, and among several States, and with the Indian tribes." The term “commerce” used in the Constitution means business or commercial exchanges in any of its forms between citizens of different states. There are two important definitions in the Commerce Clause; Intrastate or domestic commerce is trade that occurs solely within the geographic borders of one state. Because it does not move across state lines, intrastate commerce is subject to the exclusive control of the state, not the federal government.
Interstate commerce, or commerce among states, is the free exchange of commodities between citizens of different states across state lines in which the federal government does have jurisdiction. It is in the interstate commerce clause where it is believed the feds will challenge the CCPA.
The key provision in the Commerce Clause is that it authorizes Congress to regulate commerce to ensure that the flow of interstate commerce is free from local restraints imposed by the states.
Under what grounds can the CCPA be challenged under the Commerce Clause?
The Supreme Court has identified four general areas in which the Commerce Clause gives Congress exclusive authority. They are:
- Congress may regulate the channels of interstate commerce.
- Congress may regulate the instrumentalities of interstate commerce.
- Congress may regulate things that move across state lines.
- Congress may regulate activities that have a substantial effect on interstate commerce.
Channels of Interstate Commerce
Channels of interstate commerce include roadways, waterways, and airways. The Commerce Clause gives Congress the power to regulate activity in these areas even when the activity itself is solely within a particular state.
In today’s business environment, channels of interstate commerce no doubt include electronic channels, i.e., physical telephone lines, the internet, and satellite communications. In this case, the argument can be made that a state law limiting the free flow of electronic data across state lines is invalid.
Instrumentalities of Interstate Commerce
The instrumentalities of interstate commerce category include people as well as vehicles, machines, etc., which are employed or used in the carrying out of commerce. Congress has the authority to regulate these instrumentalities.
In this case, instrumentalities of interstate commerce could as well include electronic transmission of data across state lines.
Articles Traveling in Interstate Commerce
Congress may regulate any items or objects which themselves move in interstate commerce. In other words, if the subject of federal regulation is something that has been placed in the stream of interstate commerce, including the transmission electronic of data.
Again, the transmission of electronic data across state lines can be said to be in the stream of interstate commerce.
Activities that have a substantial effect on interstate commerce
Congress may regulate activity that has a substantial economic effect on interstate commerce. Also relevant is whether the regulated activity (CCPA) is one that has been traditionally the province of the states and not the federal government.
It can obviously be argued that the CCPA will have a substantial negative economic effect on businesses trying to do business in California.
The CCPA is set to become law on January 1, 2020. To stop the massive amounts of money that will need to be spent over the next year, the federal government needs to formally challenge the CCPA soon to at least delay implementation (and cost) until sometime in the distant future when the federal government can pass a national privacy law
For information on how Archive360 can help you address the CCPA, you can contact us here. To watch our prerecorded webinar on the California Consumer Privacy Act, click the banner below.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.