When it takes effect next month, the CCPA is almost certain to become an immediate spark for litigation. While requests for access/deletion and individual or threatened claims start to fill in-house legal departments’ inboxes and the practical realities of compliance seize resources, a more fundamental question will need to be answered: Is the CCPA constitutional?
Whether in the form of a declaratory judgment action filed in early January or as part of the normal-course litigation that the CCPA will create, certain aspects of the CCPA are ripe for constitutional challenge and could stall, if not derail, the CCPA before it even gets started.
In this post, we look at two of the constitutional vulnerabilities of the CCPA: whether its cross-border implications violate the dormant commerce clause, and whether the vague definition of “personal information” is unconstitutionally void.
Dormant Commerce Clause
The Constitution’s Commerce Clause restricts States from regulating commerce or imposing regulations that impact conduct wholly in another state and/or that create an inconsistent framework across state lines. While States have the power to regulate conduct outside their borders in certain circumstances, the CCPA creates a unique challenge that includes areas that arguably over-reach.
The Commerce Clause protects against inconsistent legislation arising from the projection of one state’s regulatory regime into the jurisdiction of another State. The critical inquiry is whether the practical effect of the regulation is to control conduct beyond the State’s borders. While state-specific data privacy laws are not new, the breadth and scope of the CCPA creates an issue of first impression.
While California has the right and power to protect California consumers, the practical effect of the CCPA is to control business practices outside the state. Significantly, the CCPA significantly over-reaches in its applicability to corporate affiliates, subsidiaries, and commonly-owned companies of California businesses, regardless of those entities’ own contacts with the state.
Given how uniquely the CCPA defines and regulates “personal information,” “service providers,” “third parties,” and “sale,” the CCPA comprehensively restricts companies’ collection of personal information on their websites that is not readily limited to California data. If a company wants to avoid triggering a “sale,” the CCPA requires companies to make material changes to what information they collect or which other entities collect on their websites, as well as how business relationships are structured and memorialized, which cannot be readily limited to California resident personal information.
The practical effect of the CCPA on these issues is likely to affect entire industries and cost hundreds of millions, if not billions, of dollars, including affecting business practices and industries not limited to conduct occurring within California.
State Regulation of the Internet
While courts have taken different approaches to the permissible breadth and scope of a state’s internet regulations, the recent trend in the Ninth Circuit has put the onus on companies to either comply with CA’s laws or develop technology that allows them to block access to their websites in CA.
For example, in Greater Los Angeles Agency on Deafness, Inc. v. Cable News Network, Inc., the Ninth Circuit found CNN needed to find a way to provide closed captioning to CA visitors to its website, as mandated by a CA statute. Similarly, in Nat’l Fed’n of the Blind v. Target Corp., the District Court found a retailer needed to make its website accessible to blind visitors to comply with CA law. The Court offered that Target could make a CA-specific website or block CA visitors; thus, if it chose to alter its entire website to comply with CA law that did not mean California was regulating out-of-state conduct. One can expect the relevant courts will likely argue companies must comply across the board or find technological solutions.
That said, even with technology that can block or filter by California IP address, the CCPA may still regulate the conduct of non-California residents given its overall comprehensive structure regulating a company’s operational practices and business relationships that are not readily limited to California residents. Unless and until a federal privacy law with preemptive effect is passed, the CCPA will push the Courts to consider the limits of one state’s ability to regulate conduct on the internet.
What is Personal Information?
Given the rushed nature of the process that led to the CCPA’s passage, it is not surprising that it includes half-formed and vague definitions or directives. Unfortunately, one of the most troubling terms is the core concept of “personal information.” The CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Significantly, that definition includes “household” information, which (counter-intuitively) means that information about other people falls into the definition of “personal information.”
Other than government-provided information, seemingly anything could qualify as “personal information” under the CCPA because, if combined with other data, it is capable of being linked to an individual consumer. For example, studies have confirmed that by knowing only a person’s birthdate, zip code, and gender gives you an 87% chance of making an accurate identification.
Void for Vagueness
A statute is void for vagueness if it fails to give a person of ordinary intelligence fair notice that his or her contemplated conduct is forbidden by the statute. Papachristou v. City of Jacksonville, 405 U.S. 156, 162 (1972). The failure to define terms has proven a fatal flaw in other regulatory schemes. For example, in Entm’t Software Ass’n v. Blagojevich, a trade association successfully challenged an Illinois statute that regulated violent video games, including because the definition of “sexually explicit” was found to be unconstitutionally overbroad.
The definition of “personal information” certain seems ripe for challenge on these grounds. Other CCPA definitions that may be similarly infirm, include: “business,” “third party,” “sale,” and “aggregate consumer information,” particularly given the materially different obligations, restrictions, and liability exposure if a company misinterprets these vague terms.
These two issues are likely to be significant obstacles to the implementation and application of the CCPA. Unfortunately, it may be some time before the Courts offer clarity on these questions. While any declaratory judgment action may involve a request to stay implementation of the statute, it is not guaranteed that additional time will be available. In the meantime, companies need to ensure their practices, procedures, and policies comply with the CCPA or open themselves up to increased risk and penalties.