On June 1, 2020, the California Attorney General submitted the final text of the California Consumer Privacy Act (CCPA) regulations to the California Office of Administrative Law (OAL) for approval, which are substantially the same as the draft regulations released on March 11, 2020.  Despite the ongoing development of the regulations, the CCPA took effect on January 1, and the enforcement of the CCPA is slated to begin on July 1, 2020, regardless of whether the OAL approves the final text.

As a company that does business in one or more states outside of California, you may be asking whether it is fair that your company has to comply with a California law?  On a very general level, CCPA applies to companies that collect, share, or sell California consumers’ personal data, and (a) have annual gross revenue in excess of $25 million, or (b) possess the personal information of 50,000 or more consumers, households, or devices, or (c) earn more than half of its annual revenue from selling consumers’ personal information.  That means that a company based solely in Boston (or any other non-Californian city), with annual gross revenue in excess of $25 million, could be subject to CCPA simply because a California resident orders some products.

What seems unfair may very well render CCPA unconstitutional.  The basis for this constitutionality challenge is the Dormant Commerce Clause, which is judge-created doctrine, negatively implied by the Commerce Clause of the United States.  (The Commerce Clause grants Congress (not the States) the power “To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes” (Article I, Section 8, Clause 3).)  Under the second prong of the Pike Balancing Test, the Court considers whether the burden imposed by the state law on interstate commerce is clearly excessive in relation to the putative local benefits.

In performing this balancing test, there are several considerations that could sway the outcome, including extraterritoriality, inconsistent regulation, and the question of what renders a burden on interstate commerce “clearly excessive”?

  • Extraterritoriality is the idea that Commerce Clause precludes the application of a state statute to commerce that takes place wholly outside the state’s borders, whether or not the commerce has effects within the State.
  • Inconsistent regulation is the idea that a company should not be subject to regulations from different states, calling for different, inconsistent actions with respect to the same subject matter. (This may become a bigger issue as more states pass privacy legislation.)
  • What renders a burden on interstate commerce “clearly excessive” looks at exactly what needs to be burdened. For example, would a substantial decrease in the number of transactions constitute a “clearly excessive” burden?  What about just a decrease in the profitability of companies doing business, given the additional expenses they face as a result of CCPA?

Some thought leaders on this issue have posited that Courts may, instead of striking down state privacy laws, respect the role of states as “laboratories,” pointing out that state statues in other areas, such as Internet regulations, have not been struck down under the Dormant Commerce Clause despite similar concerns.