Catalyzing Privacy Law

71
University of Colorado Law School University of Colorado Law School Colorado Law Scholarly Commons Colorado Law Scholarly Commons Articles Colorado Law Faculty Scholarship 2021 Catalyzing Privacy Law Catalyzing Privacy Law Anupam Chander Georgetown University Law Center Margot E. Kaminski University of Colorado Law School William McGeveran University of Minnesota Law School Follow this and additional works at: https://scholar.law.colorado.edu/articles Part of the Constitutional Law Commons, European Law Commons, First Amendment Commons, International Trade Law Commons, Internet Law Commons, Legislation Commons, Privacy Law Commons, and the State and Local Government Law Commons Citation Information Citation Information Anupam Chander, Margot E. Kaminski, and William McGeveran, Catalyzing Privacy Law, 105 MINN. L. REV . 1733 (2021), available at https://scholar.law.colorado.edu/articles/1336. Copyright Statement Copyright protected. Use of materials from this collection beyond the exceptions provided for in the Fair Use and Educational Use clauses of the U.S. Copyright Law may violate federal law. Permission to publish or reproduce is required. This Article is brought to you for free and open access by the Colorado Law Faculty Scholarship at Colorado Law Scholarly Commons. It has been accepted for inclusion in Articles by an authorized administrator of Colorado Law Scholarly Commons. For more information, please contact [email protected].

Transcript of Catalyzing Privacy Law

Page 1: Catalyzing Privacy Law

University of Colorado Law School University of Colorado Law School

Colorado Law Scholarly Commons Colorado Law Scholarly Commons

Articles Colorado Law Faculty Scholarship

2021

Catalyzing Privacy Law Catalyzing Privacy Law

Anupam Chander Georgetown University Law Center

Margot E. Kaminski University of Colorado Law School

William McGeveran University of Minnesota Law School

Follow this and additional works at: https://scholar.law.colorado.edu/articles

Part of the Constitutional Law Commons, European Law Commons, First Amendment Commons,

International Trade Law Commons, Internet Law Commons, Legislation Commons, Privacy Law

Commons, and the State and Local Government Law Commons

Citation Information Citation Information Anupam Chander, Margot E. Kaminski, and William McGeveran, Catalyzing Privacy Law, 105 MINN. L. REV. 1733 (2021), available at https://scholar.law.colorado.edu/articles/1336.

Copyright Statement Copyright protected. Use of materials from this collection beyond the exceptions provided for in the Fair Use and Educational Use clauses of the U.S. Copyright Law may violate federal law. Permission to publish or reproduce is required. This Article is brought to you for free and open access by the Colorado Law Faculty Scholarship at Colorado Law Scholarly Commons. It has been accepted for inclusion in Articles by an authorized administrator of Colorado Law Scholarly Commons. For more information, please contact [email protected].

Page 2: Catalyzing Privacy Law

1733

Article

CatalyzingPrivacyLaw

AnupamChander,†MargotE.Kaminski,††andWilliamMcGeveran†††

Introduction..........................................................................................................1734 I.Superregulators..............................................................................................1738 A. TheDelawareEffect............................................................................1740 B. TheCaliforniaEffect...........................................................................1742 C. TheBrusselsEffect..............................................................................1744

II.GDPRVersusCCPA......................................................................................1746 A. EuropeanDataProtectionVersusU.S.Consumer

Protection................................................................................................1747 B. SubstantiveSimilarities....................................................................1749 C. SubstantiveDifferences....................................................................1755

III.CatalyzingPrivacy......................................................................................1762

† ProfessorofLaw,GeorgetownUniversityLawCenter;J.D.,YaleLawSchool;B.A.,HarvardUniversity.Copyright©2021byAnupamChander.

†† AssociateProfessorofLaw,UniversityofColoradoLawSchool;Director,Pri-vacyInitiative,SiliconFlatironsCenter.J.D.,YaleLawSchool;B.A.,HarvardUniversity.Copyright©2021byMargotE.Kaminski.

†††AssociateDeanforAcademicAffairsandJuliusE.DavisProfessorofLaw,Uni-versityofMinnesotaLawSchool.J.D.,NewYorkUniversityLawSchool;B.A.,CarletonCollege.Copyright©2021byWilliamMcGeveran.

TheauthorsaregratefulforinsightfulcommentsbystudentsintheTechnologyLawColloquiumatGeorgetownandtheLawandEconomicsWorkshopatMinnesota,by professors and students at Cardozo School of Law, and by professors at facultyworkshopsatLoyola,Villanova,andWilliam&Marylawschoolsandatthe2019Pri-vacyLawScholarsConferencehostedatBerkeleyLaw.WethankinparticularWilliamBuzbee,LauraDickinson,RogerFord,LydiadelaTorre,MegJones,ChristinaMulligan,OrlaLynskey,PaulOhm,NeilRichards,andJorisvanHoboken.Wealsothankoursu-perbeditorsattheMinnesotaLawReview,especiallyMatthewCavanaugh,AlinaYasis,andMelanie Griffith. Anupam Chander gratefully acknowledges a Google ResearchAwardforrelatedresearch.WilliamMcGeverangratefullyacknowledgesfundingbytheWargoResearchScholarFund.WereceivedexcellentresearchhelpfromShiwenCai,LydiaDavenport,XingeHe,AnnaKvinge,RominaMontellanoMorales,PaigePa-pandrea,CarolineSchmitz,andlibrarianHeatherCasey.Theviewsherein(andaller-rors)aretheauthors’alone.

Page 3: Catalyzing Privacy Law

1734 MINNESOTALAWREVIEW [105:1733

A. BrusselsastheWorld’sPrivacyCatalyst...................................1765 B. ButSeetheUnitedStates.................................................................1767

1. StateLaws.......................................................................................1769 2. FederalLaws.................................................................................1777

C. CaliforniaasU.S.PrivacyCatalyst................................................1781 D. ConstraintsonCalifornianCatalysis...........................................1793

1. TheDormantCommerceClause...........................................1794 2. Preemption....................................................................................1797 3. TheFirstAmendment................................................................1800

Conclusion.............................................................................................................1802

INTRODUCTIONWhentheGeneralDataProtectionRegulation(GDPR)tookeffect

inMay2018,itpositionedtheEuropeanUnionastheworld’sprivacychampion.1Aflurryofemailsupdatingprivacypolicieslandedinin-boxesacrosstheglobe,attestingtotheinternationalreachoftheEu-ropean rule.2 Amonth later, California enacted the California Con-sumer Privacy Act (CCPA), establishing the nation’smost stringentomnibusprivacyprotections,effectiveasofJanuary1,2020.3Califor-nia,thehomeofmanyoftheworld’slargestdata-basedenterprises,4emergedasadarkhorsecontenderintheprivacyregulatorrace.Inthepastyear,stateafterstateconsideredbroaddataprivacylegisla-tion,5andelevencomprehensivefederalprivacybillswereintroducedinCongress.6

1. AdamSatariano,G.D.P.R.,aNewPrivacyLaw,MakesEuropeWorld’sLeadingTechWatchdog,N.Y.TIMES(May24,2018),https://www.nytimes.com/2018/05/24/technology/europe-gdpr-privacy.html[https://perma.cc/24RK-ZMJV]. 2. Brian Fung,Why You’re Getting Flooded with Privacy Notifications in YourEmail,WASH.POST(May25,2018,3:15PM),https://www.washingtonpost.com/news/the-switch/wp/2018/05/25/why-youre-getting-flooded-with-privacy-notifications-in-your-email[https://perma.cc/MGR2-XYGW]. 3. See CAL.CIV.CODE §§ 1798.100–.199 (2018); DaisukeWakabayashi, SiliconValley FacesRegulatoryFight on ItsHomeTurf,N.Y.TIMES (May13, 2018), https://www.nytimes.com/2018/05/13/business/california-data-privacy-ballot-measure.html[https://perma.cc/7XTE-3LU3]. 4. HankTucker,World’sLargestTechnologyCompanies2020:AppleStaysonTop,Zoom and Uber Debut, FORBES (May 13, 2020, 5:30 AM), https://www.forbes.com/sites/hanktucker/2020/05/13/worlds-largest-technology-companies-2020-apple-stays-on-top-zoom-and-uber-debut[https://perma.cc/L473-BYT3]. 5. SeeinfraPartIII.B.1. 6. SeeConsumerOnlinePrivacyRightsAct,S.2968,116thCong. (2019)(Sen.MariaCantwell);OnlinePrivacyActof2019,H.R.4978,116thCong.(2019)(Rep.AnnaEshoo);DesigningAccountingSafeguardsToHelpBroadenOversightandRegulationsonDataAct, S.1951,116thCong. (2019) (Sen.MarkWarner);DoNotTrackAct, S.

Page 4: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1735

What is catalyzingU.S. privacy law? The conventionalwisdomholdsthatEuropeissettingtheglobalstandardforinformationpri-vacy.Thereismuchtruthtothis—some142countriesandcountingnowhaveabroaddataprivacylaw,typicallymodeledontheGDPR.7Scholarswritinginsightfullyabouttheglobalracetoinformationpri-vacyhavetrackedthespreadofdataprivacylawsacrosstheworld,notingEurope’sinfluenceonthesedevelopments.8Inarecentarticle,PaulSchwartzobservesthattheEuropeanUnionpioneeredinterna-tionalprivacylawtoenablecommerceamongnationswithintheblocitself.9HearguesthatothercountrieslargelyadoptedtheEuropean

1578,116thCong.(2019)(Sen.JoshHawley);PrivacyBillofRightsAct,S.1214,116thCong.(2019)(Sen.EdwardMarkey);BalancingtheRightsofWebSurfersEquallyandResponsibly(BROWSER)Actof2019,S.1116,116thCong.(2019)(Sen.MarshaBlack-burn);InformationTransparency&PersonalDataControlAct,H.R.2013,116thCong.(2019)(Rep.SuzanDelBene);OwnYourOwnDataAct,S.806,116thCong.(2019)(Sen.JohnKennedy);DataAccountabilityandTrustAct,H.R.1282,116thCong.(2019)(Rep.BobbyRush);SocialMediaPrivacyProtectionandConsumerRightsActof2019,S.189,116thCong.(2019)(Sen.AmyKlobuchar);AmericanDataDissemination(ADD)Actof2019,S.142,116thCong.(2019)(Sen.MarcoRubio);seealsoDataCareActof2018,S.3744,115thCong.(2018)(Sen.BrianSchatz);MindYourOwnBusinessActof2019,S.2637,116thCong.(2019)(Sen.RonWyden)(updatingSen.Wyden’s2018ConsumerDataProtectionAct);CustomerOnlineNotification forStoppingEdge-providerNet-workTransgressions(CONSENT)Act,S.2639,115thCong.(2018)(Sen.Markey).InJune2020,SenatorSherrodBrownreleasedthe“DataAccountabilityandTranspar-encyAct of 2020” as a discussiondraft.DataAccountability andTransparencyAct,SIL20719,116thCong(2020). 7. Theexactnumberofcountrieswithcomprehensivedataprotectionlawsde-pends on one’s characterization of any particular law and keeps changing asmorecountriesadoptnewlaws.WhileGrahamGreenleafidentifies142countriesandjuris-dictionswithsuchlaws,GrahamGreenleaf&BertilCottier,2020EndsaDecadeof62NewDataPrivacyLaws,in163PRIV.L.&BUS.INT’LREP.24,24–25(2020),theUnitedNationsConferenceonTradeandDevelopment(UNCTAD)counts128.DataProtectionand Privacy LegislationWorldwide, U.N.CONF. ONTRADE&DEV., https://unctad.org/page/data-protection-and-privacy-legislation-worldwide[https://perma.cc/W47P-RHL2].MostrecentlawsaremodeledontheGDPR.See,e.g.,NigeriaDataProtectionRegulation(2019),https://nitda.gov.ng/wp-content/uploads/2020/11/NigeriaDataProtectionRegulation11.pdf. Among other differences, the Nigerian lawpermitsfinesuptotwopercentofglobalturnover,notthefourpercentpermittedbytheGDPR.Compareid.§2.10(a),withGeneralDataProtectionRegulation2016/679,art.83(5),2016O.J.(L119)1,83[hereinafterGDPR]. 8. See,e.g.,GrahamGreenleaf,GlobalConvergenceofDataPrivacyStandardsandLaws:SpeakingNotesfortheEuropeanCommissionEventsontheLaunchoftheGeneralDataProtectionRegulation(GDPR)inBrusselsandNewDelhi,25May2018(U.N.S.W.L.Rsch.Series,PaperNo.18-56,2018),https://ssrn.com/abstract=3184548. 9. PaulM.Schwartz,GlobalDataPrivacy:TheEUWay,94N.Y.U.L.REV.771,810(2019)(“[TheEU’s]powerinthisregardfirstdevelopedinresponsetoissuesthatitfacedinternally.ItneededtoharmonizethedataprocessingpracticesofEUmemberstates. The inward-facing elements of EU data protection law then became an im-portantfactorinitsadaptabilitytotherestoftheworld.Hereisaglobaldiffusionstory

Page 5: Catalyzing Privacy Law

1736 MINNESOTALAWREVIEW [105:1733

Union’sdataprivacymodel,reflectingits“successinthemarketplaceofideas.”10

Schwartz cites the CCPA as an example of Europe’s success inspurringotherjurisdictionstoenactsimilarlaws.11Journalistsreport-ing on the CCPA’s enactment, too, have frequently referred to it as“GDPRlite”12and“California’sversionofGDPR.”13Andasthepushforfederal legislation intensifies,manycharacterize it asanational re-sponsetotheGDPR.14

ThisArticlechallengesthisemergingconsensus.DespitedecadesofEuropeanprivacylaw,theUnitedStatesshowedlittleappetiteuntilnowforbroadprivacy legislation.15 Instead,normentrepreneurs inCaliforniahelpedestablishanewprivacyframeworkthat,asweshow,differs significantly—and consciously—from theEuropeanmodel.16OurclosecomparisonofthenewCaliforniaandEuropeanlawsrevealsthat theCCPA isnot simplyGDPR-lite: it is bothmoreand lessde-mandingonvariouspoints.17 Itoffersa fundamentallydifferent re-gimefordataprivacy.Andthenumerouslegislativeproposalsinstate

thatbeginswitharesponsetointernalpoliticalconsiderations.”);seealsoMichaelD.Birnhack,TheEUDataProtectionDirective:AnEngineofaGlobalRegime,24COMPUT.L.&SEC.REP.508,510(2008). 10. Schwartz,supranote9,at818. 11. Id.at816(“Ideasmatter.Eventhoughtheadequacyrequirementprovidesanimpressivefulcrumforinternationalinfluence,theglobalsuccessofEUdataprotectionisalsoattributabletothesheerappealofhighstandardsfordataprotection.Thisap-pealcannotalonebeexplainedbytheforceofEUmarketpowerorevenspecificEUnegotiating strategies. To illustrate, this Article can point to an example from theUnitedStates,namely,theenactmentoftheCaliforniaConsumerPrivacyAct(CCPA)of2018.”).Global legalconvergencecan indeedbe theresultofnormativeagreement.See,e.g.,AnupamChander&RandallCosta,ClearingCreditDefaultSwaps:ACaseStudyinGlobalLegalConvergence,10CHI.J.INT’LL.639,640(2010)(arguingthatinthewakeofthe2008/2009financialcrisis,theUnitedStatesandEurope“convergedonasimilarclearingstructurelargelybecauseofitscompellinglogic”). 12. See, e.g.,KayvanAlikhani,RegulatoryDisruption: IsYourBusinessReadyToComply with the CCPA?, FORBES (June 6, 2019, 9:15 AM), https://www.forbes.com/sites/forbestechcouncil/2019/06/06/regulatory-disruption-is-your-business-ready-to-comply-with-the-ccpa[https://perma.cc/Y56A-BDRE]. 13. See,e.g.,GeorgeP.Slefo,MarketersandTechCompaniesConfrontCalifornia’sVersionofGDPR,ADAGE(June29,2018),https://adage.com/article/digital/california-passed-version-gdpr/314079[https://perma.cc/U7M7-7BKN]. 14. See,e.g.,ElizabethSchulze,TheUSWantsToCopyEurope’sStrictDataPrivacyLaw—butOnly Someof It, CNBC (May23,2019,1:16AM),https://www.cnbc.com/2019/05/23/gdpr-one-year-on-ceos-politicians-push-for-us-federal-privacy-law.html[https://perma.cc/3KEP-JXBQ]. 15. Seeinfranote20andaccompanyingtext. 16. SeeinfraPartII. 17. SeeinfraPartII(comparingtheGDPRandtheCCPA).

Page 6: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1737

housesshowgreaterfealtytoCalifornia’smodelthantotheEuropeanantecedent.18BillspendingbeforeCongressreflectpressurenotfromBrussels,butfromSacramento.

Thus,Californiahasemergedasakindofprivacysuperregulator,catalyzingprivacylawintheUnitedStates.Ratherthanthesuprana-tionalEU,thesubnationalstateofCalifornia—and,morespecifically,asmallnetworkofdeterminedindividualswithinthatstate—isnowdrivingprivacyinasignificantpartoftheworld.TheemergenceoftheCCPAdemonstratesthecentralroleoflocalnetworksandnormentre-preneurship,contestingonthegroundofwhatwecall“dataglobali-zation.”19

Wearethuswitnessingaparadigmshiftinthepolicyconversa-tionarounddataprivacylaw.Untilnow,therulesoftransatlanticpri-vacyrestedonawkwardnegotiatedmechanismstotransferdatabe-tweentwoseeminglyirreconcilableregimes.20Nowwearewitnessingwhatmightbecharacterizedasaregulatoryraceonbothsidesoftheocean.21

ThisArticleisthefirsttocriticallyevaluatetherelationshipbe-tweenCalifornia’sprivacy law,Europe’sdataprotection regulation,andpossiblefuturestateandfederalprivacylaw.22Thisstudyisalsoof practical interest, answering questions for individuals and

18. Seesourcescitedsupranote6. 19. SeediscussioninfraPartIII.C(explaininghowdataglobalizationhelpedpro-peltheCCPAtoitscurrentstatus). 20. SeeDirective95/46/EC,1995O.J. (L281)31 (establishingpre-GDPRrulesregulatingtheprocessingandmovementofpersonaldata);PAULM.SCHWARTZ&JOELR.REIDENBERG,DATA PRIVACY LAW:A STUDY OFUNITED STATESDATA PROTECTION 1–2(1996)(comparingEuropeancountries’comprehensivedataprotectionlawstoothercountries’lessthoroughlaws).ButseeKennethA.Bamberger&DeirdreK.Mulligan,PrivacyontheBooksandontheGround,63STAN.L.REV.247,281–82(2011)(arguingthat the regimes are more similar than different in practice); see also WilliamMcGeveran, Friending the Privacy Regulators, 58 ARIZ. L. REV. 959, 1025 (2016)(demonstrating similarities in enforcement betweendifferent data privacy regimesdespitedifferencesinthelawonthebooks). 21. See,e.g.,SaraMerken,StatesFollowEU,CaliforniainPushforConsumerPri-vacy Laws (1), BLOOMBERG L., https://news.bloomberglaw.com/privacy-and-data-security/states-follow-eu-california-in-push-for-consumer-privacy-laws-1 (Feb. 6,2019,3:02PM). 22. Thefocusofourstudyisonregulationofthedataprotectionpracticesofpri-vateparties,ratherthanontheprotectionofprivacyagainstintrusionsbythestate—ontheregulationof“surveillancecapitalism”ratherthanonmoretraditionalstatesur-veillance.SeeShoshanaZuboff,BigOther:SurveillanceCapitalismandtheProspectsofanInformationCivilization,30J.INFO.TECH.75,75(2015)(defining“surveillancecapi-talism”asa“newformofinformationcapitalism[that]aimstopredictandmodifyhu-manbehaviorasameanstoproducerevenueandmarketcontrol”).

Page 7: Catalyzing Privacy Law

1738 MINNESOTALAWREVIEW [105:1733

businessesalike:Forbusinesses,whoselawsshouldIfollow?Forin-dividuals, who will protect my privacy? Studying these questionsleads,inturn,toanothersetofinquiriesaboutthewaysinwhichca-talysisfromtheGDPRandCCPAgovernprivacyoutsideeitherEuropeorCalifornia.WhenEurope’slawsmeetCalifornia’s,whowins?Ifin-deedEuropeanorCalifornianregulationwillbeappliedgloballydefacto,whythenshouldanyoneelselegislate?

Theanswerstoallofthesequestionshaveimplicationsnotonlyfortheshapeofinformationprivacylawbutforunderstandinginter-jurisdictionalregulatorydynamicsinthedigitaleconomy.Whiledatasharessomecharacteristicswithcars,pollution,andcorporatechar-ters—allthesubjectofpriorglobalizationsoflegalcomplianceandle-galrules23—italsodiffersbecauseofitssimultaneousandinstantane-ous global effects. Data disobeys borders and operates at Internetspeed.Equally important, theanswerstothesequestionsshedlighton the prospects of countries across theworld as they vie for ad-vantageintheinformationage.Ultimately,ouraccountofprivacyca-talysisteststheoperationofbothfederalismandinternationalregu-latorycompetitioninthetwenty-firstcentury.

Ouranalysisproceedsasfollows.PartIsituatesourdiscussionofregulatorycatalysis indataprivacywithinthebroaderframeofthetheoryofregulatorycompetition,borrowinglessonsfromareassuchascorporateandenvironmentallaw.PartIIcomparesthesubstanceoftheGDPRandtheCCPAandthewaysinwhichtheirstructurespro-motecatalysisinotherjurisdictions.PartIIIturnstotheracefordataprivacylaw.WearethefirsttodisentanglethecatalyticeffectsonU.S.federalandstatelawscomingfrombothBrusselsandSacramentoandtoshowthattheresultingproposalsaredistinctlyAmericanandoweagreaterdebttotheCCPAthantotheGDPR.Asitoncedidwithpio-neeringenvironmentalregulation,Californiahasemergedasasuper-regulatoragain,thistimewithrespecttodataintheinformationage.

I.SUPERREGULATORSU.S.privacylawcanbeperiodizedaspre-CCPAandpost-CCPA.

UntiltheCCPA,nostateorfederalstatuteintheUnitedStatesimposedprivacyprotectionsacrossallindustrysectorsandtechnologiesinthemannerthatEuropeandataprotectionlawhaddonefordecades.Eversince the CCPA, Congress and state legislatures across the country

23. Seegenerally,e.g.,RobertV.Percival,TheGlobalizationofEnvironmentalLaw,26PACEENV’TL.REV.451(2009).

Page 8: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1739

havebeenconsideringhugenumbersofdataprivacyproposalsofthatscope.24

Whatispromptingthisnewinterestincomprehensivedatapri-vacylawintheUnitedStates?ManypointtotheEU’sGDPR.Afterall,theGDPRwent into effect inMay2018 tomuch fanfare. CountriesaroundtheworldchangedtheirlawstoconformmorecloselywiththeGDPR, drawnby hopes of achieving a finding of “adequacy,”whichwould facilitate their data trade with European economies.25 TheGDPRalsopromptedglobalcompaniestoestablishexpensivecompli-anceprogramsandinfrastructure.26Itmakessense,atfirstglance,tothinkthatEuropehas,throughtheGDPR,drivenU.S.statesandthefederalgovernmenttotakeprivacyseriouslyatlast.Ifso,thisdevel-opmentwould fitneatlywith the largerphenomenon that is some-timescalledthe“BrusselsEffect.”27

Butifthisisthecase,whydidittakesolong?AnuBradfordcoinedthephrasebackin2012,28andtheEUpromulgateditsoriginaldataprotectiondirectivein1995.29IfEuropeanlawpromptedsoul-search-ingamongAmericanlawmakers,itsvoyageacrosstheAtlanticprovedquiteslow.

ThisPartsummarizesoverlappingtheoriesofregulatorycompe-titionandcatalysis,drawnfromvariedsubjectmatterareas,includingcorporateandenvironmentallaw.Inallofthesedomains,earlyclaimsofaracetothebottomspurredbyglobalizationhavebeenchallengedbyscholarswhosuggestedalternativeregulatorydynamicsthatmightleadtoaracetothetoporaracetotheoptimum.30Oftentheseeffectsarenamedfortheplaceswheretheywerefirstdetected:Delaware,

24. Seesupranote6(listingrecentdataprivacybillsconsideredbyCongress). 25. Schwartz,supranote9,at783–86. 26. SeeMehreenKhan,CompaniesFaceHighCostToMeetNewEUDataProtectionRules, FIN.TIMES (Nov. 19, 2017), https://www.ft.com/content/0d47ffe4-ccb6-11e7-b781-794ce08b24dc. 27. MarkScott&LaurensCerulus,Europe’sNewDataProtectionRulesExportPri-vacyStandardsWorldwide,POLITICO(Jan.31,2018,12:00PM),https://www.politico.eu/article/europe-data-protection-privacy-standards-gdpr-general-protection-data-regulation[https://perma.cc/2RWQ-X4WB]. 28. AnuBradford,TheBrusselsEffect,107NW.U.L.REV.1,23(2012)(describingspreadofEU-styleprivacyprotectionsinthewakeoftheEU’s1995DataProtectionDirective). 29. Directive95/46/EC,1995O.J.(L281)31. 30. See,e.g.,RalphK.Winter,Jr.,StateLaw,ShareholderProtection,andtheTheoryof the Corporation, 6 J.LEGAL STUD. 251, 254 (1977) (“[C]ompetitive legal systemsshouldtendtowardoptimalitysofarastheshareholders’relationshiptothecorpora-tionisconcerned.”).

Page 9: Catalyzing Privacy Law

1740 MINNESOTALAWREVIEW [105:1733

California,orBrussels.31 Indifferentways, these three jurisdictionshaveemergedas“superregulators.”LaterintheArticlewewillcon-siderwhichof thesesuperregulatoreffectshavecatalyzeddatapri-vacyrulesacrosstheUnitedStates.

A. THEDELAWAREEFFECTRegulatory competition has been investigated in the greatest

depth in corporate law.32 An early view argued that corporationswouldcharterthemselves inthemostpermissivestate, leadingU.S.states to competewitheachother toofferevermore lax corporatelaw.33Somedubbedthisthe“DelawareEffect,”34becausetwo-thirdsofallFortune500companiesareincorporatedinthatstate.35

Acriticallegalrulemaderegulatorycompetitionpossible.Statelawsdefertoacorporation’sdecisiononitsstateofincorporation—knownasthe“internalaffairs”doctrine.36Thus,acorporationoperat-ingprincipally inCalifornia orKansas can incorporate inDelawareandbeassuredthatrelationsbetweenitsshareholders,directors,andofficerswillbegovernedbyDelawarelaw.37Withoutthis“internalaf-fairs”rule,acorporationmighthavetoconformtothecorporatelaw

31. SeeinfraPartsI.A–C. 32. See,e.g.,WilliamL.Cary,FederalismandCorporateLaw:ReflectionsuponDel-aware,83YALEL.J.663(1974). 33. JusticeLouisBrandeisexplainedtheliberalizationofcorporatelawthroughthisdynamic:

LesserStates,eagerfortherevenuederivedfromthetrafficincharters,hadremoved safeguards from their own incorporation laws.Companies wereearly formedtoprovidecharters forcorporations instateswherethecostwaslowestandthelawsleastrestrictive....Theracewasonenotofdiligencebutoflaxity.

LiggettCo.v.Lee,288U.S.517,557–59(1933)(citationsomitted). 34. See,e.g.,Bradford,supranote28,at5. 35. See DEL.DIV. OFCORPS., ANNUALREPORTSTATISTICS (2018), https://corpfiles.delaware.gov/Annual-Reports/Division-of-Corporations-2018-Annual-Report.pdf[https://perma.cc/8BRQ-QFLX].Andthisdoesnotapplyonlytolarge,establishedcor-porations:in2017,overeightypercentofinitialpublicofferingsintheUnitedStatesusedDelawareasacorporatehome.Id. 36. Rogersv.Guar.Tr.Co.ofN.Y.,288U.S.123,130(1933)(“Ithaslongbeenset-tleddoctrinethatacourt—stateorfederal—sittinginoneStatewillasageneralruledeclinetointerferewithorcontrolbyinjunctionorotherwisethemanagementoftheinternal affairsof a corporationorganizedunder the lawsof anotherStatebutwillleavecontroversiesastosuchmatterstothecourtsoftheStateofthedomicile.”);Van-tagePointVenturePartners1996v. Examen, Inc., 871A.2d1108, 1112 (Del. 2005)(“Theinternalaffairsdoctrineisalong-standingchoiceoflawprinciplewhichrecog-nizesthatonlyonestateshouldhavetheauthoritytoregulateacorporation’sinternalaffairs—thestateofincorporation.”). 37. SeeVantagePointVenturePartners1996,871A.2dat1112.

Page 10: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1741

ofallofthejurisdictionsinwhichitoperates.Theinternalaffairsdoc-trinethusallowsacompanytoestablishasingleregulatorforthecor-poratelawaffairsofthecorporation.38

TheclassicanalysespositedthatDelawarehadcorneredthemar-ketforincorporationsthroughdubiouseffortstofavorcorporateof-ficersanddirectors.39RalphWinterfamouslyrejectedthisclaimofaninevitableracetothebottom,arguingthatcorporateleaderswerenotinfactfreetochoosethemostpermissivejurisdictionbecauseshare-holders would penalize them for failing to maximize shareholdervalue.40 Where some had derided Delaware’s efforts as “law forsale,”41RobertaRomanoarguedthatDelaware’seffortswerepartofthegeniusofAmericanlaw.42Insteadofseekingtoracetothebottomtoattractcorporatecharters,Delawarecourts,fortheirpart,sawtheirrole as providing special corporate law expertise.43 Regulatory

38. Withrespecttocorporatelaw,theEuropeanUniondidnotembraceasimilarapproachtothatintheUnitedStatesuntilrecently.Ratherthandeferringtothestateofincorporation,manyEUstatessoughttoestablishwherethe“realseat”ofthecor-porationlay.WernerF.Ebke,TheRealSeatDoctrineintheConflictofCorporateLaws,36INT’LL.1015,1015–16(2002).SuchanapproachwouldnotdefertothemailboxincorporationavailableinDelaware.Seeid.Thisrulewouldstilltypicallyresultinasingleregulator—butthiswouldmakegamingthelawmoredifficult.MatthewG.Dore,DéjàVuAllOverAgain?TheInternalAffairsRuleandEntityLawConvergencePatternsinEuropeandtheUnitedStates,8BROOK.J.CORP.FIN.&COM.L.317,317–18(2014).Onewouldactuallyhavetolocateone’sheadquarters(themanagementandcontrolcenter)inthejurisdictionwiththefriendliestlaws,ratherthansimplyfilloutsomeformstoincorporateviaamailbox.RecentEUcaselawhas,however,movedtowardstheU.S.internalaffairsrule,deferring to the jurisdictionof thestateof incorporation. Id.at325–29.ThisopensupthepossibilityofregulatorycompetitionforcorporatelawinEuropeaswell. 39. Cary,supranote32,at672.Accordingtothisview,statessuchasDelawaremightwishtoattractincorporationsbecauseofthefranchisetax—theannualfeescor-porationspaytomaintaintheirincorporationinthatstate.Indeed,Delawarehascometo fund one-quarter of its budget through this means. STEPHEN M. BAINBRIDGE,CORPORATEGOVERNANCEAFTERTHEFINANCIALCRISIS 24 (2012) (“Delaware generates$740–800millionperyearinfranchisetaxes,whichamountstoaquarterofthestate’sbudget.”); DEL.OFF. OFMGMT.&BUDGET,FINANCIALOVERVIEW (2018), https://budget.delaware.gov/budget/fy2018/documents/operating/financial-overview.pdf[https://perma.cc/R7KY-9YK6](estimatingfranchisetaxesof“$975.0millionforFis-calYear2017and$992.6millionforFiscalYear2018”). 40. Winter,supranote30,at257(“Ifmanagementistosecureinitialcapital...itmustattractinvestorsawayfromthealmostinfinitevarietyofcompetingopportuni-ties.”). 41. E.g.,Editors,Comment,LawforSale:AStudyoftheDelawareCorporationLawof1967,117U.PA.L.REV.861(1969). 42. ROBERTAROMANO,THEGENIUSOFAMERICANCORPORATELAW37–39(1993). 43. AsoneDelawareChanceryCourtjudgenoted,“Delawarehasasubstantialin-terest in providing an effective forum for litigating disputes involving the internal

Page 11: Catalyzing Privacy Law

1742 MINNESOTALAWREVIEW [105:1733

competition, seen fromthisperspective, canoccurnot just throughthecontentofthegoverningrulesbutalsothroughthequalityoftheiradjudication.

TheDelawareEffectthereforecanbesummarizedastheemer-genceofcertainjurisdictionsashighlyinfluentialoverseersofpartic-ularbehaviorbasedonproactiveelectionsmadeby regulatedenti-ties—anopt-intoaparticularjurisdiction.Ifenoughregulatedentitiesmake the same choice, that jurisdictionmay come to dominate thefield.Boththesubstantivelawandtheregulatorytechniquesofaju-risdictionmaythengaininfluenceoutsideitsbordersasotherregula-torsdefertoit.44Whilethisarrangementcouldresultinaracetothebottom,itcouldalsoenabletheemergenceofhighlyspecializedex-pert regulatoryoversight that thenbecomes the standard towhichotherjurisdictionsdefer.

B. THECALIFORNIAEFFECTDavidVogelfamouslychallengedasimilarhypothesisofaraceto

thebottominenvironmentalregulationandconsumerprotectionlaw.Wheremanyarguedthatinternationaltradewouldinevitablyleadtotheerosionofconsumerandenvironmentalregulation,Vogelcoun-teredthat“undercertaincircumstances,globaleconomicintegrationcanactuallyleadtothestrengtheningofconsumerandenvironmentalstandards.”45Insteadofaracetothebottom(whathe,adoptingthetraditionalview,calleda“DelawareEffect”)heofferedthatregulatorycompetition might result in a “California Effect.”46 This outcomehingedon“thecriticalroleofpowerfulandwealthy‘green’political

affairsofDelawarecorporations.”InreActivisionBlizzard,Inc.,86A.3d531,547(Del.Ch.2014).For support for this statement,ViceChancellorLaster citedRobertaRo-mano’sbookTheGeniusofAmericanCorporateLaw:“‘Themostimportanttransaction-specificassetinthecharteringrelationisanintangibleasset,Delaware’sreputationforresponsivenesstocorporateconcerns,’whichstemsfrom‘acomprehensivebodyofcaselaw,judicialexpertiseincorporationlaw,andadministrativeexpertiseintherapidprocessingofcorporatefilings.’”Id.at547n.7(citingROMANO,supranote42,at38–39). 44. See,e.g.,Dore,supranote38,at325–29(describingtheEU’sshifttowardtheinternalaffairsrule). 45. DavidVogel&RobertA.Kagan,Introduction:NationalRegulationsinaGlobalEconomy,inDYNAMICSOFREGULATORYCHANGE1,1(DavidVogel&RobertA.Kaganeds.,2004);DAVIDVOGEL,TRADINGUP:CONSUMERANDENVIRONMENTALREGULATIONINAGLOBALECONOMY5(2004)(“Totheextentthattradeliberalizationhasaffectedthelevelofcon-sumerandenvironmentalprotection,ithasmoreoftenstrengthenedthanweakenedit.”). 46. VOGEL,supranote45,at5–8.

Page 12: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1743

jurisdictionsinpromotingaregulatory‘racetothetop’amongtheirtradingpartners.”47

UnliketheDelawareEffect,inwhichajurisdictiontemptscompa-niestooptintoitsregulatoryschemeandotherjurisdictionsthende-fertothatone’sexpertise,theCaliforniaEffectoccurswhenonejuris-dictionpushesotherjurisdictionstoimprovetheirownlaws.48Thisracetothetopisdejureinnature,ratherthandefactoordeferential;otherjurisdictionspasslawsthatmimicthesuperregulatorjurisdic-tion.

VogelidentifiedthreeconditionsunderwhichaCaliforniaEffectmightoccur.49First,aracetothetopismorelikelytobetriggeredifthestandardsaresupportedbyacoalitionofpublicinterestgroupswith regulated companies thatwish to impose the regulatory coststheyfaceontheircompetitorsinother,morelaxjurisdictions.50Sec-ond,thesuperregulatormusthavealargemarketthatissufficientlyattractivethatcompanieswouldratherabsorbthecostofregulationthanforegothemarket.51Third,aracetothetopismorelikelytooc-curifthereisastronginstitutioncapableofharmonizingstandardsacrossjurisdictions,suchastheU.S.federalgovernmentortheEU.52

TheclassicexampleoftheCaliforniaEffect isCalifornia’semis-sionsregulationsforautomobiles.AsAnnCarlsonexplains,fromthemid-1960s onward, the state pioneered strong tailpipe emissionsstandards.53WhenCongressamendedtheCleanAirAct topreemptstatestandardsforemissions,itgrandfatheredin“anystate”thathademissionscontrolsinplacepriortoMarch30,1966—astandardap-plicableonlytoCalifornia,aslawmakersunderstoodperfectlywell.54TheCleanAirActof1970explicitlyrecognizedCaliforniaasasuper-regulator:itbecametheonlystateallowedtosetstricter-than-federalstandards,andotherstatescouldthenopttofollowCalifornia’sstand-ards.55TwelveeasternstatesandtheDistrictofColumbiaannounced

47. Id.at6. 48. Seeid.at5–8. 49. Id.at260–68;seealsoSebastiaanPrincen,TradingUpintheTransatlanticRe-lationship,24J.PUB.POL’Y127,128(2004)(discussingVogel’sproposedconditions). 50. VOGEL,supranote45,at260–61. 51. Id.at261–63. 52. Id.at263–68. 53. AnnE.Carlson, IterativeFederalismandClimateChange,103NW.U.L.REV.1097,1111(2009). 54. Id. 55. SeeRockyMountainFarmersUnionv.Corey,730F.3d1070,1078–79(9thCir. 2013) (“Other states could choose to followeither the federalor theCaliforniastandards,buttheycouldnotadoptstandardsoftheirown.”);Carlson,supranote53,

Page 13: Catalyzing Privacy Law

1744 MINNESOTALAWREVIEW [105:1733

in1994thattheywouldfollowCalifornia.56Autoemissionsrulesillus-trate all three of Vogel’s conditions: a coalition of public interestgroupsalongsideregulatedcompanies,asuperregulatorwithalargeandattractivemarket, anda strong institution (the federal govern-ment)capableofharmonizingstandards.

ThemechanismoftheCaliforniaEffectdiffersfromtheDelawareEffect.UndertheDelawareEffect,otherjurisdictionsdefertothereg-ulatorychoicesofthesuperregulator,magnifyingtheimpactofthosechoices.57UndertheCaliforniaEffect,otherjurisdictionsthemselvesadoptthesamerulesasthesuperregulatorjurisdiction.58

C. THEBRUSSELSEFFECTInthelatetwentiethcentury,astheauthorityandinstitutionsof

theEuropeanUniongrew,anothersuperregulatoremerged:Brussels,theseatoftheEUbureaucracy.AsAnuBradfordvividlydescribesit:“FewAmericansareawarethatEUregulationsdeterminethemakeuptheyapplyinthemorning,thecerealtheyeatforbreakfast,thesoft-waretheyuseontheircomputer,andtheprivacysettingstheyadjustontheirFacebookpage.Andthat’sjustbefore8:30AM.”59

Where the California Effect depends on jurisdictions racing tostrengthentheirregulations inresponsetoeachother, theBrusselsEffectoperatesprincipallyasadefactomechanism,whenmarketac-torsconformtheirglobalproductstoEuropeanrules.60Bradfordob-serves,“[T]heBrusselsEffectismoreaboutonejurisdiction’sabilitytooverrideothersthanitisabouttriggeringanupwardrace.”61

at1134(notingCalifornia’sspecialstatus);NicholasBryner&MeredithHankins,WhyCalifornia Gets To Write Its Own Auto Emissions Standards: 5 Questions Answered,CONVERSATION,https://theconversation.com/why-california-gets-to-write-its-own-auto-emissions-standards-5-questions-answered-94379[https://perma.cc/H7U4-CLJQ]. In 2019, the EPA and NHTSA formally withdrew California’s Clean Air Actwaiver.CoralDavenport,TrumpToRevokeCalifornia’sAuthorityToSetStricterAutoEmissionsRules,N.Y.TIMES(Sept.20,2019),https://www.nytimes.com/2019/09/17/climate/trump-california-emissions-waiver.html[https://perma.cc/QCL6-TDZ6]. 56. PeterP.Swire,TheRacetoLaxityandtheRacetoUndesirability:ExplainingFailuresinCompetitionAmongJurisdictionsinEnvironmentalLaw,14YALEL.&POL’YREV.67,82(1996). 57. SeesupraPartI.A. 58. Seesupranotes47–50andaccompanyingtext. 59. Bradford,supranote28,at3(citationsomitted). 60. Seeid.(“Unilateralregulatoryglobalizationoccurswhenasinglestateisableto externalize its laws and regulations outside its borders throughmarketmecha-nisms,resultingintheglobalizationofstandards.”). 61. Id.at8.

Page 14: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1745

Whymight a corporation change its practices outside Europe,adoptingstrictercodesabsent legalcompulsion?Bradfordexplains,“[M]ultinationalcorporationsoftenhaveanincentivetostandardizetheir production globally and adhere to a single rule.”62 Of course,sometimestheseenterprisesdodecidetoobservedifferentregulatoryregimesindifferentlocations.JustasVogeldistilledtheconditionsforaCaliforniaEffect,Bradford identifiescircumstancesunderwhichaBrusselsEffectismorelikelytooccur.63First,aswiththeCaliforniaEffect,theBrusselsEffectislikelytooccuronlywhentheunilateralregulatorrepresentsalargeandattractivemarket.64Second,thatsu-perregulatormusthavesignificantregulatorycapacity,throughwhichittendstoaimstrictrulesat“inelastictargets”suchasconsumermar-kets,thuscreatingrulesthatcan’tbereadilyevaded.65Third,theop-erations of the firmmust be “nondivisible,”meaning that it is lesscostlyforafirmtocomplywiththeonehigherstandardworldwidethantosetupdifferentcompliancestandards.66

UnliketheeffectsnamedforDelawareandCalifornia,theBrus-selsEffectdependson the choicesof the entities subject to regula-tions,notthoseofgovernmentsorregulators.67 Indeed, iforganiza-tions decide to obey a particular jurisdiction’s requirements in alltheiractivities,thenthatjurisdictionwillgaininfluenceevenifotherjurisdictionsmightstronglypreferadifferentrule,solongasthesu-perregulator’sdemandsdonotactuallyviolatethelawinotherplaces.

Whiletheliteraturenamescertaincross-jurisdictionaleffectsaf-terparticularsuperregulatorswhoareespeciallylikelytocausethem,itisamistaketooverinterpretthesenames.Asweshallsee,superreg-ulatorscanaffectotherjurisdictionsinvariousways.68So,forexam-ple,whenothernationsadoptnewdataprotectionlawstoharmonizetheirruleswiththoseintheEU,thisisaCaliforniaEffectthathappenstoemanatefromBrussels.Whenwebsitesbeganpostinggloballyap-plicableprivacypoliciespartlyinresponsetoa2003Californiastatuterequiringtheydoso,69thiswasaBrusselsEffecttriggeredbyaCali-fornia law.Wewill delve into these catalytic effects in privacy law

62. Id.at6. 63. Id.at10–19;seealsoSchwartz,supranote9,at780–83(discussingandapply-ingBradford’sfactors). 64. Bradford,supranote28,at11–12. 65. Id.at12–17. 66. Id.at17–19. 67. SeesupraPartsI.A–B;Bradford,supranote28,at48–49. 68. SeeinfraPartIII. 69. California Online Privacy Protection Act of 2003, CAL. BUS. & PROF. CODE§§22575–22579(2018).

Page 15: Catalyzing Privacy Law

1746 MINNESOTALAWREVIEW [105:1733

more fullybelow.70 First,however,weexplain the substanceof theGDPRandtheCCPA,demonstratingintheprocessboththeiroverlapsanddifferencesandrevealing theemergenceofCaliforniaasacon-tendertobeadataprivacysuperregulator.

II.GDPRVERSUSCCPAWhichdataprivacyregimeisdrivingthewaveoflegislativeac-

tivityrelatedtodataprivacyacrosstheUnitedStates,andwhatisthemechanismofthatinfluence?Toanswerthisquestion,weneedfirsttounderstandthetworegimes.ThisPartrevealsbothsimilaritiesanddifferencesbetweentheGDPRandtheCCPA.Afterall,iftheCCPAcanbedescribedasacopyoftheGDPR,thenevenifwecanshowthatstatelegislatorsandCongressarecopyingCalifornia,SchwartzandotherswouldbecorrectthattheEuropeanUnionistheultimatesourcebe-hindnewU.S.privacyproposals.71Butif,asweargue,theCCPAisafundamentallydifferentregime—onlysimilartotheGDPRatthesur-face,whilelackingmajorstructuralelementsoftheGDPR—thenthequestionofwhothesuperregulatorisbecomesonewithmeaningfulconsequences for understanding all these federal and state pro-posals.72

ApaperbackoftheGDPRrunssome130pages,itssectionsliter-ally divided into chapters.73 The CCPA, by contrast, is around 25pages.74Thetwolawswerealsowrittenonvastlydifferenttimelines.IftheGDPRisadoctoralthesis,theCCPAisatermpaperwrittenthenightbeforethedeadline.75

InthisPart,wecomparethetworegimes,addressingwheretheyapply,whomtheycover,andwhattheyrequire.Wealsoaddressdif-ferencesintheregulatorystyle,enforcementmechanisms,andlegal

70. SeeinfraPartIII. 71. Seesupranotes7–14andaccompanyingtext. 72. Seesupranote6(listingdataprivacybillsproposedinCongressin2019and2020). 73. Eur.Union,EuropeanDataProtectionLaw:GeneralDataProtectionRegula-tion 2016, AMAZON, https://www.amazon.com/European-Data-Protection-Law-Regulation/dp/1533170835[https://perma.cc/2JW7-YDHP]. 74. SeeCaliforniaConsumerPrivacyActof2018,CAL.CIV.CODE§§1798.100–.199(2018). 75. Compare Katelyn Ringrose& JeremyGreenberg,California Privacy Legisla-tion:ATimelineofKeyEvents,FUTUREPRIV.F. (Aug.31,2020),https://fpf.org/blog/california-privacy-legislation-a-timeline-of-key-events[https://perma.cc/C6NC-WVZR],with Adam Deakin, GDPR Timeline: A History of Data Protection, VUTURE,https://vutu.re/blog/gdpr-timeline--a-history-of-data-protection.aspx[https://perma.cc/2JS2-SHS7].

Page 16: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1747

settingsoftheGDPRandtheCCPA.Thisunderstandingofthetwosys-temssetsupouranalysisinPartIII,whereweconsidertheinfluenceofthenewEuropeanandCalifornianlawsacrosstheUnitedStates.

A. EUROPEANDATAPROTECTIONVERSUSU.S.CONSUMERPROTECTIONFirst,ithelpstounderstandthefundamentaldifferencesbetween

aU.S.-styleandanEU-styledataprivacyregime.Whendiscussingdatagovernance,EuropeanlawyersdonotevenusethesamelanguageasAmericanlawyers;theyrefertostatutesthatgovernthehandlingofpersonaldataas“dataprotection”laws,not“privacy”laws.76Thisre-flectsafundamentaldifferenceinapproach:“dataprotection”isuni-versalinEurope,whilemostAmericanlawfocuseson“consumerpro-tection.”77 Data protection laws like the GDPR proceed from theprinciple that data protection is a fundamental human right safe-guardedthroughconstitutionalprotectionsintheEuropeanConven-tiononHumanRightsandtheEUCharter.78Thisplacesdataprotec-tionrightson thesameplaneas freespeechordueprocess.79Asaresult, thedefault inEurope is thatpersonal informationcannotbecollectedorprocessedunlessthereisaspecificlegaljustificationfordoingso.80

IntheUnitedStates,bycontrast,privacylawmostoftenfollowsa“consumerprotection”model,withregulatorsfocusedonensuringthatconsumersreceivethebenefitoftheirbargaininindividualbusi-ness-to-consumertransactions.81Theconsumerprotectionmodelfre-quently relieson themuch-criticizedpremise thatdisclosureandarightofrefusal(so-called“noticeandchoice”)adequatelyempower

76. SeePaulM.Schwartz&Karl-NikolausPeifer,TransatlanticDataPrivacyLaw,106 GEO. L.J. 115, 138, 147 (2017); see also CHRISTOPHER KUNER, EUROPEAN DATAPROTECTIONLAW:CORPORATECOMPLIANCEANDREGULATION2–3(2ded.2007);JamesQ.Whitman,TheTwoWesternCulturesofPrivacy:DignityVersusLiberty, 113YALEL.J.1151,1159–60(2004);PaulM.Schwartz,PreemptionandPrivacy,118YALEL.J.902,909–10(2009);JoelR.Reidenberg,SettingStandardsforFairInformationPracticeintheU.S.PrivateSector,80IOWAL.REV.497,500–01(1995). 77. McGeveran,supranote20,at966(“[D]ataprotectionlawbeginswithanas-sumptionthatcontroloverpersonalinformationisahumanright....U.S.regulators,suchastheFTCorstateattorneysgeneral,regulateprivacybypolicingthefairnessofparticulartransactions.”). 78. CharterofFundamentalRightsoftheEuropeanUnion,arts.7–8,2000O.J.(C364)11;ConventionfortheProtectionofHumanRightsandFundamentalFreedomsart.8,Nov.4,1950,213U.N.T.S.221. 79. CharterofFundamentalRightsoftheEuropeanUnion,supranote78,arts.7,11. 80. Seeid.art.8. 81. SeeMcGeveran,supranote20,at966.

Page 17: Catalyzing Privacy Law

1748 MINNESOTALAWREVIEW [105:1733

consumers.82UnlikeinEurope,thereisnoprotectionintheU.S.Con-stitution against activities by nongovernmental entities,83 includingthecollectionofpersonaldata.Andunlikeadataprotectionregime,inwhichprotectionsfollowthedata,theconsumerprotectionmodelfo-cusesongoverningbothamorediscreteinteractionandamoredirectrelationship.UntiltheCCPA,mostAmericanlawpermittedentitiestocollectandusepersonaldatahowevertheywishedbydefault,absentaspecificlegalruleforbiddingaparticularpractice.84

AseconddifferencebetweenEuropeandtheUnitedStatesisthatU.S.privacylawhasalwaysbeenfragmentedand“sectoral.”85Differ-entstatutesareenforcedbydifferentregulatorsindifferentsectorssuchashealthcare,financialservices,education,orcreditreporting.Afewofthesesectoralregimesareconstructedlikedataprotectionrules,but theyapplyonlywithin theirnarrowdomains.86MostU.S.laws function on the transactional consumer protectionmodel de-scribedabove.Asafinalbackstop,general-purposeconsumerprotec-tionregulators,suchastheFederalTradeCommission(FTC)andstateattorneysgeneral,addressasubsetofcases fallingoutsideanysec-toralrules,againlargelyfollowingaconsumerprotectionmodel.87

Bycontrast, ineveryEuropeannation,specializeddataprotec-tionregulatorshavelongenforcedomnibusstatutesapplicabletoallorganizationswhentheyhandleanypersonaldata.88Whilethesedataprotection laws contain extra protections for especially sensitive

82. See,e.g.,WOODROWHARTZOG,PRIVACY’SBLUEPRINT:THEBATTLETOCONTROLTHEDESIGNOFNEWTECHNOLOGIES62–67(2018); JulieE.Cohen,WhatPrivacy IsFor,126HARV.L.REV.1904,1930(2013). 83. SeeDeShaneyv.WinnebagoCnty.Dep’tofSoc.Servs.,489U.S.189,195–96(1989)(“[N]othinginthelanguageoftheDueProcessClauseitselfrequirestheStatetoprotectthelife,liberty,andpropertyofitscitizensagainstinvasionbyprivateac-tors.”). 84. SeeSchwartz&Peifer,supranote76,at147. 85. SeeReidenberg,supranote76,at505–06;Schwartz,supranote76,at908–13. 86. HealthInsurancePortabilityandAccountabilityAct,45C.F.R.§§160,162,164(2020);Children’sOnlinePrivacyProtectionAct,15U.S.C.§§6501–6506. 87. DanielleKeatsCitron,ThePrivacyPolicymakingofStateAttorneysGeneral,92NOTREDAMEL.REV.747,748(2016);DanielJ.Solove&WoodrowHartzog,TheFTCandthe New Common Law of Privacy, 114 COLUM. L. REV. 583, 590 (2014); see alsoMcGeveran,supranote20,at977–78(describingthe“cleanuprole”ofconsumerpro-tectionregulatorsinenforcementofU.S.privacylaw). 88. CharterofFundamentalRightsoftheEuropeanUnion,supranote78,art.8(“Everyonehastherighttotheprotectionofpersonaldataconcerninghimorher.”);Consolidated Version of the Treaty on the Functioning of the European Union art.16(1),Oct.26,2012,2012O.J.(C326)47(“Everyonehastherighttotheprotectionofpersonaldataconcerningthem.”).

Page 18: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1749

information,theirbasichumanrightsframeworksimposeuniformre-quirementseverytimepersonaldataiscollected,processed,ortrans-ferred.89Theserulesapplythroughsweepingdefinitionsof“datacon-trollers”and“dataprocessors”thatencompassnotonlybusinessesofevery size and type but also governments, nonprofit organizations,political campaigns, and even individuals—anyone engaged in the“processing”ofpersonaldata.90

B. SUBSTANTIVESIMILARITIESAtfirstglance,theCCPAmayseemmore“European”thanexist-

ingU.S.privacylaws.True,itisthefirstU.S.statutethathassomedataprotectioncharacteristicswithoutbeingnarrowlysectoral.Forexam-ple,undertheCCPA,legalprotectionsfollowpersonaldata,regardlessofwhetheranindividualhasadirectrelationshipwiththeregulatedcompany.91ThisdiffersfrommanyexistingregulatorymodelsintheUnitedStates.BecausetheFTC’sgeneralconsumerprotectionauthor-ityfocusesonlyontherelationshipbetweenindividualsandcompa-nies,itclaimstohavelittlepoweroverdatabrokerswhoobtainindi-vidual information from other companies or public sources ratherthanfromconsumersthemselves.92TheCCPA,bycontrast,regulates

89. TheEuropeanCommission’sreviewoftheoperationoftheGDPRatitssecondanniversarynotedthattheEUmemberstateshadnotofferedasmuchuniformityintheirlocalimplementationsoftheGDPRasmightbedesired.CommunicationfromtheCommissiontotheEuropeanParliamentandtheCouncil:DataProtectionasaPillarofCitizens’EmpowermentandtheEU’sApproachtotheDigitalTransition–TwoYearsofApplication of the General Data Protection Regulation, at 12, COM (2020) 264 final(June 24, 2020), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0264[https://perma.cc/HSY9-LCUU]. 90. GDPR,supranote7,art.4(2)(defining“processing”as“anyoperationorsetofoperationswhichisperformedonpersonaldataoronsetsofpersonaldata,whetherornotbyautomatedmeans,suchascollection, recording,organisation,structuring,storage,adaptationoralteration,retrieval,consultation,use,disclosurebytransmis-sion, dissemination or otherwise making available, alignment or combination, re-striction,erasureordestruction”);seeCaseC-40/17,FashionIDGmbH&Co.KGv.Ver-braucherzentraleNRWe.V., ECLI:EU:C:2019:629 (July 29, 2019) (holding Facebookjointlyresponsibleasadatacontrollerwhenathird-partywebsiteusesaFacebook“Like”buttonthatfacilitatesusertracking).ThefirstEuropeanCourtof JusticecasedealingwiththeGDPR’spredecessor,theDataProtectionDirective,involvedacrimi-nalchargeagainstanindividualwhohadposted(seeminglyinnocuous)informationabout fellowparishioners to awebpagewithout their consent. CaseC-101/01, Lin-dqvistv.ÅklagarkammareniJönköping,2003E.C.R.I-12971. 91. CAL.CIV.CODE§1798.105(d)(Deering2018). 92. U.S. FED. TRADE COMM’N, DATA BROKERS: A CALL FOR TRANSPARENCY ANDACCOUNTABILITY (2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf[https://perma.cc/TR62-497D].

Page 19: Catalyzing Privacy Law

1750 MINNESOTALAWREVIEW [105:1733

databrokersdirectly—acriticalmovetargetinganindustrythathasanenormousimpactonindividuals’privacy.93

SomecoreelementsoftheCCPAalsoseemtoechoaspectsoftheGDPR.Bothlawsdefinepersonalinformationverybroadly,farbeyondmostexistingU.S.privacylaws.94Bothlawsfoundationallyemphasizetransparency, reflecting the Fair Information Principles on whichmanydataprivacyregimesinbothEuropeandtheUnitedStatesarebuilt,andbothlawssharethecontoursofanumberofadditionalindi-vidualrights.95

In the past, narrow definitions of personal information havesharplylimitedtheeffectofmanyU.S.privacylaws.96UndermostU.S.laws,onlycertaintypesofinformationcountedaspersonaldata,mak-ingthedefinition limited, technical,andstatic.TheGDPRandCCPAbothbreakwiththispastbyusingthereal-worldpotentialforidenti-fiabilityasthetouchstone.TheGDPR’sbroadandopendefinitionofpersonaldataincludesnotjustinformationthatdirectlyidentifiesaperson,butalsoinformationthatrendersapersonidentifiable.97TheCCPAsimilarlyappliestoinformationthatis“capableofbeingassoci-atedwith,orcouldreasonablybelinked,directlyorindirectly,withaparticular consumer or household.”98 Both laws provide expansiveandopenlistsofexamplesofcoveredpersonalinformation,fromIPaddressestobiometricinformation.

AnothersimilaritybetweentheGDPRandtheCCPAisthecentralroleoftransparency.TransparencyisacoreprincipleoftheGDPR.99TheGDPR’srecitalsproclaimitafundamentaltenetofdataprotectionlaw thatpeople shouldknow thatpersonaldatahasbeencollectedandbeabletounderstandtheextenttowhichthatinformationispro-cessed.100 The CCPA likewise focuses on giving people notice and

93. JULIAANGWIN,DRAGNETNATION7(2014)(“Stalkersandrogueemployeeshaveconsistentlyfoundwaystoabusethesedatabases.”).ThefederalFairCreditReportingAct,anarrowsectoralstatute,doesregulatesomesegmentsofthedatabrokerindus-try,but largelywithin thecontextofbusiness relationshipsamongcredit reportingagenciesandthelendersoremployerswhorelyontheirproducts.15U.S.C.§1681. 94. SeeGDPR,supranote7;CAL.CIV.CODE§1798. 95. GDPR,supranote7;CAL.CIV.CODE§1798. 96. PaulOhm,BrokenPromisesofPrivacy:RespondingtotheSurprisingFailureofAnonymization,57UCLAL.REV.1701(2010);PaulM.Schwartz&DanielJ.Solove,ThePIIProblem:PrivacyandaNewConceptofPersonallyIdentifiableInformation,86N.Y.U.L.REV.1814(2011). 97. GDPR,supranote7,art.4(1). 98. CAL.CIV.CODE§1798.140(o)(1). 99. GDPR,supranote7,art.5(1)(a). 100. Id.recital39.

Page 20: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1751

accessrightssothattheycantracewhatishappeningtotheirpersonalinformation. The California legislature’s articulated intent for theCCPAwastogiveconsumers“aneffectivewaytocontrol theirper-sonalinformation”bygivingthem“[t]heright...toknowwhatper-sonalinformationisbeingcollectedaboutthem,”and“[t]heright...toknowwhethertheirpersonalinformationissoldordisclosedandtowhom.”101

Beyondthishortatorylanguage,bothlawsembedtransparencyprinciplesintheirrequirements.UndertheGDPR,organizationsmustprovideindividualsbothnoticeandaccess.102Theymustaffirmativelyprovidedetailedgeneralnoticethatincludesthepurposeofdatapro-cessing,therecipientsofthedata,theperiodforwhichthedatawillbe stored, and other information.103 Organizations that collect per-sonalinformationfromathirdpartymustalsoprovidesuchnotice,104andallthesedisclosuresmustbeclearandintelligible.105

TheGDPRalsoestablishesarightofindividualaccess,106buildingon“subjectaccessrights”thathavebeeninplacethroughoutEuropeatleastsincethe1990sundertheDataProtectionDirective.107Inre-sponse to an individual’s access request, data controllersmustdis-close,amongotherthings:thepurposesofprocessing,thecategoriesofpersonalinformationconcerned,therecipientsofpersonaldata,re-tentionorstorage time,and thesourceof thedata if theyhavenotbeencollectedfromtheindividual.108Additionally,theymustprovideacopyofthedataitselfinacommonlyusedelectronicform.109

The CCPA likewise gives individuals both notice and accessrights.LiketheGDPR,itrequirescompaniestodisclosethepurposeofprocessing,categoriesof informationgathered,andtheexistenceofindividualrightswithrespecttothatdata(itdoesnot,however,re-quiredisclosureofthepreciseidentitiesoftherecipientsofthedataorthestorageperiod).110Suchdisclosures,accordingtoregulations

101. SeeAssemb.375,2018Leg.§2(i)(Cal.2018). 102. GDPR,supranote7,arts.13–14. 103. Id. 104. Id.art.14(1)(d). 105. Id.art.12. 106. Id.art.15. 107. JefAusloos&PierreDewitte,ShatteringOne-WayMirrors—DataSubjectAc-cessRightsinPractice,8INT’LDATAPRIV.L.4,4–28(2018). 108. GDPR,supranote7,art.15. 109. Id.art.15(3);seealsoid.recital63(“Wherepossible,thecontrollershouldbeabletoprovideremoteaccesstoasecuresystemwhichwouldprovidethedatasubjectwithdirectaccesstohisorherpersonaldata.”). 110. CAL.CIV.CODE§1798.185(2018);CAL.CODEREGS.tit.11,§999.305(2020).

Page 21: Catalyzing Privacy Law

1752 MINNESOTALAWREVIEW [105:1733

promulgatedbyCalifornia’sattorneygeneral,mustbe“designedandpresentedinawaythatiseasytoreadandunderstandabletoconsum-ers.”111TheCCPAgoeswellbeyondnoticerequirementsinpriorU.S.law,suchasaCaliforniastatuterequiringwebsitestopostprivacypol-icies.112

LiketheGDPR,theCCPAalsogivesindividualsaccessrights.Thestatutecreatesarightforconsumerstorequestboththecategoriesandspecificpiecesofpersonal information thatabusinesshas col-lected.113Consumershavearighttorequestdisclosureofthecatego-riesofsourcesfromwhichthepersonalinformationiscollected,thebusinessorcommercialpurposeforcollecting,andthecategoriesofthirdpartieswithwhomthebusinesssharespersonalinformation.114Unusually foraU.S. law, the rulesapplynot just to companies thathaveadirectrelationshipwiththeconsumer,butalsotocompaniesthatcollectandsellpersonalinformationeveniftheyobtainthatin-formationfromsomebodyotherthantheconsumer.115CCPAaccessrightsrepresentasignificantadvancefromverylimitedrightsunderpreviouslaw,suchasaccesstocreditscoringinformationandthean-nualfreecreditreport.116

Thetworegimesshare,too,thecoreelementsofanumberofad-ditionalindividualrights(thoughtheydifferinthedetails):dataport-ability,opt-outrights,adutyofnondiscrimination,andarighttodele-tionorerasure.TheGDPRcontainsarighttodataportability—thatis,arighttoreceiveone’spersonaldatainaformatthatenablesanindi-vidualtoswitchserviceproviders.117Thisrightisaimedatgivingin-dividualsmorecontrolovertheirdataandmorechoicesaboutITser-vices118butisalsounderstoodtopotentiallyenhancecompetition.119TheCCPAquietlycreatesadataportability“right”ofitsown:personaldatadeliveredelectronicallyinresponsetoanaccessrequest“shallbe

111. CAL.CODEREGS.tit.11,§999.305(2). 112. CAL.CIV.CODE§22575(Deering2014). 113. Id.§§1798.100(a),.110(a);CAL.CODEREGS.tit.11,§§999.300(q),.308(c)(1),.318. 114. CAL.CIV.CODE§1798.110(a). 115. UndertheCCPA,consumerscanrequestaccesstocertaininformationfrom(a)abusinessthatcollectspersonalinformationand(b)abusinessthatsellspersonalinformationordisclosesitforabusinesspurpose.Id.§§1798.100(a),.110(a),.115(a). 116. 15U.S.C.§1681(g). 117. GDPR,supranote7,art.20,recital68;ARTICLE29DATAPROT.WORKINGPARTY,GUIDELINESONTHERIGHTTODATAPORTABILITY(2017). 118. ARTICLE29DATAPROT.WORKINGPARTY,supranote117,at3–4. 119. Id.at4.

Page 22: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1753

inaportableand...readilyusableformat.”120Infact,theCCPA’sdataportability“right”maybebroaderthantheGDPR’sinsomeways,asitappliestoinferreddataaboutanindividual,wheretheGDPR’srightdoesnot.121

Both theCCPAand theGDPRcontaina right for individuals to“optout”anddenypermissionforhandlingoftheirpersonaldataincertainways.TheCCPAestablishesanopt-outrightforconsumerstotellabusinessnottoselltheirpersonalinformation.122Ifabusinesshasactualknowledgethataconsumerissixteenyearsoldoryounger,itmustobtainaffirmativeauthorization(“opt-in”)foranysaleofper-sonal information—from the individual themselves if they are be-tweenthirteenandsixteenyearsoldorfromaparentorguardianiftheindividualisunderthirteenyearsold.123TheGDPR,bycompari-son,establishesthreeanalogousrights:therighttorestrictdatapro-cessing,124 theright toobject todataprocessing,125andtheright towithdraw consent.126 Although theGDPRhas broader rights to optout—theyapplywellbeyondthesaleof information—theyarealsolessabsolutethanthoseintheCCPA.127

Both regimes contain a duty of nondiscrimination: companiescannot “discriminate” against individuals who choose to exerciserightsrelatedtopersonaldata.128Thismeansthatabusinesscannot,for example, denygoodsor services, chargedifferent rates, impose

120. CAL.CIV.CODE§1798.100(d). 121. ARTICLE29DATAPROT.WORKINGPARTY,supranote117,at10;CAL.CIV.CODE§1798.140(o),(l),(k),(m). 122. CAL.CIV.CODE§1798.120.Vermont’snewdatabrokerlaw,H.764,requirestransparencyastowhetheradatabrokerallowsconsumerstooptoutofcollectionorsaleofinformationbutdoesnotrequireadatabrokertodoso.SeeVT.STAT.ANN.tit.9,§2430(2019). 123. CAL.CIV.CODE§1798.120(d). 124. GDPR,supranote7,art.18. 125. Id.art.21,recitals60,70. 126. Id.art.7(3). 127. Id.art.2(1).There isalsoabalancingtestspecific toscientificorhistoricalresearchpurposesorstatisticalpurposes.Id.art.21(6). 128. CAL.CIV.CODE§1798.125;GDPR,supranote7,recital42;EUR.DATAPROT.BD.,GUIDELINES05/2020ONCONSENTUNDERREGULATION2016/679¶48 (2020),https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf[https://perma.cc/PK3G-F7MP](givingasanexampleof“consentwithoutdetriment”thatacompanymay“showthataserviceincludesthepossibilitytowithdrawconsentwithout negative consequences e.g. without the performance of the service beingdowngradedtothedetrimentoftheuser”);CAL.CODEREGS.tit.11,§999.336(a)(2020)(“Afinancialincentiveorapriceorservicedifferenceisdiscriminatory,andthereforeprohibited...ifthebusinesstreatsaconsumerdifferentlybecausetheconsumerex-ercisedarightconferredbytheCCPAortheseregulations.”).

Page 23: Catalyzing Privacy Law

1754 MINNESOTALAWREVIEW [105:1733

penalties,orprovideadifferentlevelofservicestocustomerswhooptoutofdatatransactions.TheCCPAregulations,however,contemplateacompensationschemewherebyabusinesscanofferfinancialincen-tivesorapriceorservicedifferenceiftheyare“reasonablyrelatedtothevalueoftheconsumer’sdata.”129Thischangesthedutyofnondis-criminationinatleastsomecircumstancesfromanabsolutedutyintoan information-forcingmechanism regarding how companies valueconsumerdata.130

TheGDPRfamouslycontainsarighttoerasure,alsoknownasthe“righttobeforgotten.”131TheCCPAcreatesamorelimitedrighttode-letion.132TheGDPR’srighttoerasuregivesindividualstherighttoob-tain the erasure of personal data both from companieswithwhichtheyhaveadirectconsumerrelationshipandfromthirdparties,un-dercertaincircumstances.133Thereareexceptionstotherighttoeras-ure,includingfreedomofexpressionandpublicinterestintheareaofpublichealth.134Asmanyhavenoted,thisso-called“righttobeforgot-ten”isnotabsolutebutisinlargepartabalancingtestbetweencom-petingvalues,outsourcedtoprivatecompanies.135TheCCPAcreatesamuchnarrowerrighttodeletion.UnliketheGDPR’srighttoerasure,whichappliestothirdparties,theCCPA’srighttodeletionappliesonlytobusinessesthatcollectinformationdirectlyfromtheconsumer.136

129. CAL.CODEREGS.tit.11,§999.336(b). 130. Seeid.§999.337. 131. GDPR,supranote7,art.17.SeegenerallyMEGLETAJONES,CTRL+Z:THERIGHTTOBEFORGOTTEN(2016). 132. CAL.CIV.CODE§1798.105(2018). 133. GDPR,supranote7,art.17(1)(a)–(f)(permittinganindividualtoexercisetherighttoerasureincircumstancesincluding,butnotlimitedto,whenthepersonaldataisnolongernecessaryforthepurposeitwasoriginallycollectedorprocessedfor,theindividualwithdrawstheirconsentwheretheorganizationreliedonsaidconsentasthelawfulbasisofprocessing,orwhentheindividualobjectstotheprocessingoftheirdatafordirectmarketingpurposes). 134. Id.art.17(3)(a),(c). 135. See CHRISTINA ANGELOPOULOS, ANNABEL BRODY, WOUTER HINS, BERNTHUGENHOLTZ,PATRICKLEERSSEN,THOMASMARGONI,TARLACHMCGONAGLE,OTVANDAALEN&JORISVANHOBOKEN,INST.FORINFO.L.,STUDYOFFUNDAMENTALRIGHTSLIMITATIONSFORONLINE ENFORCEMENT THROUGH SELF-REGULATION 52 (2015), https://scholarlypublications.universiteitleiden.nl/access/item%3A2869513/view [https://perma.cc/AAM8-UABW]; see also Case C-131/12, Google Spain SL v. AEPD,ECLI:EU:C:2014:317,16–22(May13,2014);EdwardLee,RecognizingRightsinRealTime:TheRoleofGoogle intheEURightToBeForgotten,49U.C.DAVISL.REV.1017(2016);StefanKulk&FrederikZuiderveenBorgesius,CaseNote,GoogleSpainv.Gon-zález:DidtheCourtForgetAboutFreedomofExpression?,5EUR.J.RISKREGUL.389,389–98(2014). 136. CAL.CIV.CODE§1798.105(a).

Page 24: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1755

ThismorerestrictedscopeisanaccommodationofFirstAmendmentlawandvaluesintheUnitedStates,whichmayconstrainerasurere-quirementsimposedonthirdparties.137

Insum,theCCPAmovesclosertoadataprotectionregimelikethe GDPR in certainways,which helps explain thewidespread as-sumptionthatitrepresentsaU.S.embraceoftheEuropean-styledataprotectionmodel.WhiletheCCPA’sbroaddefinitionofpersonaldata,emphasis on transparency, and establishment of some individualrights do go further thanpreviousU.S. law, noneof these shifts gonearlyasfarastheGDPR.AsweshallseeinthenextSection,thesesimilarities are overshadowed by fundamental substantive differ-encesbetweenthetwomodels.

C. SUBSTANTIVEDIFFERENCES Once an analysis moves beyond these similarities, it becomes

clearthattheCCPAregimedifferssharplyfromtheGDPR.First,andperhapsmostimportantly,thetwolawsdonotsharethesameunder-lyingprinciples,leadingtogreatdifferencesinthescopeandnatureoftherightsanddutiesimposedbyeach.Second,whiletheCCPAisbroaderthanpastAmericansectorallaws,itstillregulatesamuchnar-rowersetofentitiesthandoestheGDPR.Third,thetwolawshavedif-ferentenforcementmechanisms.Fourth,theirregulatorystylescon-trast, with significant practical and substantive consequences. Andfinally,CaliforniaandEuropeareeachquitedistinctinwhatwecalltheir“legalsetting”—thebackdropagainstwhichprivacylawsexistandwilldevelopovertime.Weconsidereachofthesedifferencesinorder.

Firstandforemost,forallitsmovestowardbroadercoverageandthecreationofindividualrights,theCCPAdoesnottreatprivacyasahumanrightinthewaydataprotectionlawsliketheGDPRdo.138 It

137. Sorrellv.IMSHealth,Inc.,564U.S.552,557(2011);seeAnupamChander&UyênP.Lê,FreeSpeech,100IOWAL.REV.501,522(2015)(arguingthatSorrelldemon-strates“theseriousnessofFirstAmendmentconstraintsonprivacyregulationsonin-formationintermediaries”).CasessuchasFloridaStarv.B.J.F.,491U.S.524(1989),CoxBroadcastingCorp.v.Cohn,420U.S.469(1975),andSmithv.DailyMailPublishing,443U.S.97(1979),arguablysuggestthatonceinformationislegallydistributed,thegov-ernmentcannotrestrictitsuseabsentstateinterestofthehighestorder.However,anumberofscholarsarguethatmostprivacylawscanpassFirstAmendmentmuster.See,e.g.,NeilM.Richards,WhyDataPrivacyLawIs(Mostly)Constitutional,56WM.&MARYL.REV.1501(2015);JackM.Balkin,InformationFiduciariesandtheFirstAmend-ment,49U.C.DAVISL.REV.1183(2016).ButseeEugeneVolokh,FreedomofSpeechandInformationPrivacy:TheTroublingImplicationsofaRightToStopPeoplefromSpeakingAboutYou,52STAN.L.REV.1049(2000). 138. CompareCAL.CIV.CODE§1798.105,withGDPR,supranote7,art.1.

Page 25: Catalyzing Privacy Law

1756 MINNESOTALAWREVIEW [105:1733

remains, intheAmericantradition,atransactionalprivacylawcon-cernedwithprotectingconsumers intheirdealingswithcommercialentities.Forthisreason,theCCPAdoesnotembraceseveralprinciplesthat have been at the core of constitutionally influenced EuropeandataprotectionlawsincelongbeforetheGDPR—backtoitspredeces-sor,the1995DataProtectionDirective,139andbackevenfurthertonationaldataprotectionlawsinmanyEuropeancountriesdatingfromthe1970sand1980s.140

TheGDPRisbuiltaroundtheconceptof“lawfulprocessing”ofdata.Thatis,personaldatacannotbeprocessedunlessadatacontrol-lerhasobtainedindividualconsent141oroneoffiveotherenumeratedcategoriesoflawfulprocessingapplies.142TheCCPAdoesnotrequirethatprocessingbelawful.143Rather,itsharesthepresumptionofmostotherAmericanprivacylawthatpersonaldatamaybecollected,used,ordisclosedunlessaspecificlegalruleforbidstheseactivities.144Thisis likely the singlemostmeaningfuldifferencebetween the twore-gimes.

Moreover, theGDPRimposesmultipleadditionalconditionsonalldataprocessing,evenwhenitisauthorizedbyconsentoranotherof the legitimizing conditions.145 The GDPR requires that personaldatamaybecollectedonlyfor“specified,explicitandlegitimatepur-poses,”statedatthetimeofcollection.146Additionalprinciplesincludepurposelimitation(processingdataonlyforthosepreviouslystatedpurposes),dataminimization(collectingnomoredatathannecessaryforthosepurposes),dataretention(limitingstorageofdatatoperiodsjustifiedbythosepurposes),privacybydesign,aswellasprivacyim-pactassessmentsforhighriskdataprocessing,amongothers.147

139. Directive95/46/EC,1995O.J.(L281)31. 140. See,e.g.,GesetzzumSchutzvorMiBbrauchpersonenbezogenerDatenbeiderDatenverarbeitung(Bundesdatenschutzgesetz-BDSG)[LawonProtectionAgainsttheMisuse of PersonalData inDataProcessing (FederalDataProtectionAct)], Jan. 27,1977,BUNDESGESETZBLATT[BGBI]at1201(W.Ger.);Loi78-17du6janvier1978de informatiquéet libertés [Law78-17of January6,1978on InformationandCivilLiberties], COMMISIONNATIONALE DE L’INFORMATIQUÉ ET DES LIBERTÉS [COMMISSION ONINFORMATIONTECHNOLOGY,DATAFILES ANDCIVILLIBERTIES] (Fr.); Data Protection Act1984,c.35(U.K.). 141. GDPR,supranote7,art.6(1)(a). 142. Id.art.6(1)(a)–(f). 143. CAL.CIV.CODE§1798.100. 144. Id. 145. GDPR,supranote7,art.5(1). 146. Id.art.5(1)(b). 147. Id.art.5(1)(b)–(f).

Page 26: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1757

The CCPA imposes few requirements concerning the purposesfordatacollectionortheproportionalityofdatahandlingtothosepur-poses.TheCCPA’stextdoesnotevengoasfarastheHealthInsurancePortability and Accountability Act (HIPAA), which requires thatdownstreamdisclosuresofpatientdatabethe“minimumnecessary”toachieveapurpose.148Instead,theCCPArequiresabusinesstopro-videnoticeifitis“collect[ing]personalinformationcollectedforad-ditionalpurposes.”149Thisruleon its facedoesnotstopcompaniesfromusingdatafornewpurposes—itjustrequiresdisclosureiftheydoso.Asinmanyotherplaces,theCCPA’sapproachreliesontrans-parencyratherthanfollowingtheGDPRbyimposingsubstantivedu-tiesoncompaniesthatcollectandprocesspersonaldata.Theimple-mentingregulationspromulgatedbytheCaliforniaattorneygeneraldorequirethatabusiness“shallnotuseaconsumer’spersonalinfor-mationforapurposemateriallydifferentthanthosedisclosedinthenotice at collection.”150 If a business wishes to use personal infor-mationforanew,undisclosed,materiallydifferentpurpose, itmustobtainexplicitconsentfromtheconsumerforthatuse.Whilethisismorethanmeretransparency,itisfarfromtheextensiveconditionsonalldataprocessingintheGDPR.

Thedivergenceinthetworegimes’animatingprinciplesalsoin-fluencestheirtreatmentofindividualrights.TheCCPA,apartfromal-lowingindividualstooptoutofsalesof theirpersonaldata,affordsindividualslittlecontrol.Itdoesnothingtoenableindividualstore-fusetogivecompaniestheirdatainthefirstplace.TheGDPRstrivestodosobyrequiringstringentformsofconsentinanumberofcir-cumstances151andbygranting individualsrobustrightsthroughoutthelifecycleofdataprocessing,includingtherighttorectificationofincorrect information;152 the right to prevent automated individualdecision-makingand to receiveexplanationof anyautomateddeci-sion;153andbroaderrightsrelatedtoerasureofdataandwithdrawal

148. 45C.F.R.§§164.502(b),.514(d)(2021). 149. CAL.CIV.CODE§1798.100(b)(2018). 150. CAL.CODEREGS.tit.11,§999.305(a)(5)(withdrawnJuly29,2020). 151. Regardingbothparticularlysensitivedata(specialcategoriesofdata)andau-tomateddecision-making,theGDPRrequiresthemorestringent“explicitconsent”ifconsent is tobe thebasisofprocessing.GDPR,supranote7;ARTICLE29DATAPROT.WORKINGPARTY,GUIDELINESONAUTOMATEDINDIVIDUALDECISION-MAKINGANDPROFILINGFORTHEPURPOSESOFREGULATION(2017). 152. GDPR,supranote7,art.16. 153. Id.art.22;seealsoMargotE.Kaminski,TheRighttoExplanation,Explained,34BERKELEYTECH.L.J.189,201(2019).

Page 27: Catalyzing Privacy Law

1758 MINNESOTALAWREVIEW [105:1733

of consent.154 Additionally, the GDPR’s requirement of lawful pro-cessingbestowsmoreindividualcontrolthantheCCPA.155TheCCPArelies primarily on transparency, and apart fromaccess andnoticerights,grantsindividualsonlythetwolimitedrightsdiscussedabove:tooptoutofsaleandtorequestdeletion.156

Fundamentally,then,theCCPAisnotacomprehensiveEuropean-styledataprotectionregime.TheGDPRquintessentiallytargetscom-pliancefromanorganizationalperspective:itattemptstobuildupaparticularkindofresponsiblecorporateinfrastructure,includingin-ternalpositionsandprocesses.157TheGDPR’saffirmativeregulatoryrequirementsrangefromdataminimizationtoriskassessmentstore-cordingrequirements,andtheyareimposedondatacollectorsevenwherethereisnotacorrespondingindividualright.158TheCCPAreg-ulationsrequirecompliancetrainingandrecord-keeping,159butover-allappeartobegearedmoretowardsprovidingtransparencyintoin-dustrypractices—inthiscase,howacompanyrespondstoconsumerrequestsundertheCCPA—thantowardsreinforcinggooddataprac-ticesorcreatingsubstantiveprotectionsforconsumers.ItremainstobeseeniftheGDPRwillsucceedinentrenchingmoreprivacy-protec-tivecorporatepractices,butitsaimsarefarbroader,andapproachfardeeper,thantheCCPA’s.

AseconddifferencebetweentheGDPRandCCPArelatestoregu-latedentities.Asnotedearlier,theGDPRcoversanyonethatprocessespersonaldata,includingnotonlycompaniesbutalsoindividuals,non-profit organizations, andgovernments.160 TheCCPAappliesonly tobusinesses,andonlytothosethatmeetacomplexsetofoverlappingrequirementsrelatedtotheirsizeortheextentoftheirinvolvementin personal data trade.161 Here again, the two laws reflect the

154. GDPR,supranote7,art.17. 155. Id.art.6(1)(a). 156. CAL.CIV.CODE§1798.120(2018). 157. SeeMargotE.Kaminski,BinaryGovernance:LessonsfromtheGDPR’sApproachtoAlgorithmicAccountability,92S.CAL.L.REV.1529,1596(2019). 158. GDPR,supranote7,art.5(2);seealsoKaminski,supranote157. 159. CAL.CODEREGS.tit.11,§999.317(2020). 160. GDPR,supranote7,art.2(1). 161. CAL.CIV.CODE§§1798.100,.105,.110,.115,.120.TheCCPAtargetsthreekindsof commercial entities as “businesses.” Id. § 1798.140(c). It targets (1) larger busi-nesses(withovertwenty-fivemilliondollarsinannualgrossrevenue)thatcollectCal-iforniaresidents’personaldata,regardlessofhowmanypeopleareimpactedbythiscollection;(2)for-profitbusinessesofanysizethatbuy,receive,sell,orsharepersonalinformationconcerningasignificantnumberofresidents(50,000ormore);and(3)businessesthatderivehalformoreoftheirannualrevenuesfromsellingpersonalin-formation—regardlessoftheirsizeorhowmanypeopleareaffectedbythisactivity.

Page 28: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1759

dominant approach on each side of the Atlantic. A data protectionmodelinherentlyaimstobecomprehensive.TheCCPA,whilebroaderthanmanysectoralU.S.privacylawsofthepast,stilllimitsitsaimtoprotectingconsumers fromcertaindatahandlingpracticeswithinaspecificcontextdefinedbycommerciality,geography,andscale.

The regimes’ respective enforcement mechanisms are a thirdareaofdivergence.Bothprovideformonetarypenaltiesfornon-com-pliance.TheGDPRauthorizesadministrativefinesissuedbynationaldataprotectionregulatorsofupto4%ofacompany’sannualworld-widerevenue,whiletheCCPAincludescivilpenaltiesofupto$2,500perviolationor$7,500per intentionalviolation,anumberthatcanexactenormoussumswhenmultipliedby thenumberofpeopleaf-fectedinmanyprivacyviolations.162However,thereisnoprivaterightof action for affected individuals to enforce most elements of theCCPA.ThisisinkeepingwiththetrendforU.S.privacylawsofatleastthelasttwentyyears,includingtheFTCAct,163HIPAA,164andtheChil-dren’s Online Privacy Protection Act (COPPA).165 There have beenproposalsintheCalifornialegislaturetoauthorizeprivateCCPAlaw-suits,butfornowonlythestateattorneygeneralmayenforcemostprovisionsofthelaw.166InEurope,aconstitutionallyguaranteedrightofredressforviolationsofindividualrightsmeanstheGDPRcanbeenforcedbyindividualcomplaints.167WhileclassactionsarelargelyunfamiliarinEuropeanlaw,theGDPRdoesallowaclaimsrepresen-tationmodelsothatindividualsdonothavetofileclaimsontheirownbehalfonly.Thereisalsoawell-developedregulatorystructureintheGDPR,withspecializeddataprotectionregulatoryauthoritiesineachEUcountryandcoordinationoftheireffortsthroughaEuropeanDataProtectionBoard.168AlthoughtherecentlyenactedCaliforniaPrivacyRights Act (CPRA) establishes a new privacy-specific regulator,169there is no tradition of dedicated data protection regulators in theUnitedStates,whichinsteadreliesonagencieswithnumerousother

162. GDPR,supranote7,art.83;CAL.CIV.CODE§1798.155(a)–(b). 163. FederalTradeCommissionAct,15U.S.C.§§41–58. 164. Health Insurance Portability and Accountability Act, 45 C.F.R. § 160.203(2002). 165. 15U.S.C.§§6501–6506. 166. TheCCPAdoes,however,authorizeprivatelawsuitsforanarrowsetofclaimsrelatedtodatasecuritybreaches. 167. GDPR,supranote7,arts.77–79. 168. Id.arts.51–59. 169. SeeLydiadelaTorre&GlennBrown,WhatIstheCaliforniaPrivacyProtectionAgency?, IAPP (Nov. 23, 2020), https://iapp.org/news/a/what-is-the-california-privacy-protection-agency[https://perma.cc/QL6A-CYDP].

Page 29: Catalyzing Privacy Law

1760 MINNESOTALAWREVIEW [105:1733

obligations, including theFTC, stateattorneysgeneral, and sectoralregulatorsinareassuchashealth,banking,oreducation.

Fourth, the regulatory styles of the two regimes differ greatly.Thiscancreatebothsubstantiveandculturalgaps.TheCCPAestab-lishes limited but granular requirements that California’s attorneygeneral has fleshed out further in recently promulgated regula-tions.170TheGDPR,ontheotherhand,consistsofbroadstandardsinitstextandreliesheavilyoncooperationwithcompaniesandvariousformsofguidance(includingtheGDPR’sRecitals,EuropeanDataPro-tectionBoardGuidelines,andinterpretationsfromindividualnationaldataprotectionauthorities)tofillinthedetails.171Inotherwords,theGDPR’sapproachtoregulationexemplifiescollaborativegovernance,also known as “coregulation” or “new governance.”172 The GDPR’svaguenessisarguablydeliberate.EUauthoritieswantedtoallowcom-paniesandsectorstofillindetailsofhowtocomplywiththelawovertime,whetherformallybyestablishingcodesofconductorcertifica-tionmechanisms(althoughthesehaveyettomaterializemorethantwoyearsaftertheGDPRcameintoforce),173orinformallythroughself-regulation,recordingandreporting,impactassessments,andon-goingconversationswithregulators.174Bycontrast,theCCPA’sgran-ularityappears,inplaces,tovaluedetailandcertaintyoveradaptabil-ity.

Forexample,wheretheGDPRsimplystatesthatitrequiresclar-ityandintelligibilityinitsaccessandnoticerights,thestatutorytextof the CCPA specifies that companies provide a toll-free telephonenumber and website address for consumers to make access re-quests.175 For those businesses subject to the CCPA’s opt-out, theCCPAmandatesaclearandconspicuous link titled “DoNotSellMyPersonalInformation”andadescriptionoftheconsumer’srighttooptoutofthesaleofpersonaldata.176TheCCPAregulationsgointoevenmoredetailabouttheprecisemodeandcontentrequiredfornoticeat

170. FinalTextofProposedRegulations,Cal.CodeRegs.tit.11,§§999.300–.337,CAL.OFF.ATT’Y GEN., https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf[https://perma.cc/CT9M-4G7M]. 171. SeeKaminski,supranote157;McGeveran,supranote20. 172. See,e.g.,JodyFreeman,CollaborativeGovernanceintheAdministrativeState,45UCLAL.REV.1,31(1997);OrlyLobel,TheRenewDeal:TheFallofRegulationandthe Rise of Governance in Contemporary Legal Thought, 89 MINN. L.REV. 342, 349(2004). 173. GDPR,supranote7,arts.40,42. 174. SeeKaminski,supranote157;McGeveran,supranote20. 175. CAL.CIV.CODE§1798.130(a)(1)(2018). 176. CAL.CODEREGS.tit.11,§999.305(f)(1)(2020).

Page 30: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1761

collection,noticeofopt-out,noticeoffinancialincentive,andprivacypolicies.177 These examples demonstrate a stylistic difference be-tweenthetwolawsthatcouldhaverealconsequencesforbusinessestryingtocomplywithboth.Forcertainobligations,theCCPAanditsregulationsofferaclear,ifinflexible,roadmapforcompliance.Often,however,itissodetailedthatitcreatesthepossibilityofdivergencefromtheGDPR—evenwhereinbroadstrokesthetwolawsmightap-pearsimilar.

Finally,thebackdropagainstwhichthesetwoprivacylawswereenacted,orwhatwecalltheirlegalsetting,differssignificantly.Whilethe CCPA is constrainedby increasingly deregulatory FirstAmend-mentdoctrine,theGDPRisbackedbyEuropeancourtsthathavein-creasinglyrecognizedtheimportanceofbothprivacyanddataprotec-tion as fundamental rights.178 In recent years, these courts haveappliedtherighttobeforgottentosearchengines,179foundtheDataRetentionDirectivetoviolatefundamentalrights,180andtwiceinvali-dated the primary mechanism for transferring data to the UnitedStatesbecauseof fears thatAmericannationalsecuritysurveillancewouldtrampleonEuropeans’rights.181

Crucially,Europeanconstitutionalstructuresenforceaffirmativerightsagainstprivateconduct,notjustagainststateactorsasintheUnitedStates.182And,whileEuropeanconstitutionaltraditionssafe-guardtherighttofreedomofexpression,itisusuallybalancedagainstotherrights,anditcananddoesoftenloseouttoconstitutionaldataprotection rights.183 By contrast, the U.S. Supreme Court in recentyearshas interpretedfreespeechdoctrinetorestrictbothdatapri-vacy regulations and other consumer protection disclosure re-gimes.184SomeobserversworrythattheFirstAmendmentisbecom-inganincreasinglyblunttool,subjectingmanyregulationsconcerning

177. Id.§§999.305–.308. 178. Schwartz&Peifer,supranote76. 179. CaseC-131/12,GoogleSpainSLv.AEPD,ECLI:EU:C:2014:317,22(May13,2014). 180. CaseC-293/12,Digit.Rts.Ir.Ltd.v.MinisterforCommc’ns,Marine&Nat.Res.,ECLI:EU:C:2014:238,19(Apr.4,2014). 181. CaseC-362/14, Schremsv.DataProt. Comm’r, ECLI:EU:C:2015:650, 10–31(Oct. 6, 2015); Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd.,ECLI:EU:C:2020:559(July16,2020). 182. SeeSchwartz&Peifer,supranote76,at126,155. 183. AlecStoneSweet&JudMathews,ProportionalityBalancingandGlobalConsti-tutionalism,47COLUM.J.TRANSNAT’LL.73,90–149(2008);BilyanaPetkova,PrivacyasEurope’sFirstAmendment,25EUR.L.J.140,152(2019). 184. SeeinfraPartIII.D.2.

Page 31: Catalyzing Privacy Law

1762 MINNESOTALAWREVIEW [105:1733

privacyandothertopicstooften-fatalstrictscrutiny.185Additionally,theSupremeCourthasbeenskepticalofdataprivacyharms,incasesaddressingbothprivacydamagesandstandingtosue.186TheU.S.Con-stitution contains no explicit data privacy right, and the FourthAmendmentprotectsonlyagainststateaction,nottheactionsofpri-vateparties.187

Overall, these five differences overshadow the similarities. As-sertingthattheCCPAisremotelyequivalenttoadataprotectionre-gimeliketheGDPRoverstatestheimportanceofafewresemblances.ItistruethattheCCPAdepartsfromsomecommoncharacteristicsofpreviousU.S.privacylawandthatitoverlapswithsomeaspectsoftheGDPR.ButtheCalifornia law’smotivations,mechanisms,scope,andlegalsettingkeepitwellwithintheconsumerprotectiontraditionofAmericanprivacylaw.Thequestionnowiswhichofthesetwofunda-mentally different laws is catalyzing the recent legislative activityaroundprivacyinCongressandstatelegislatures.

III.CATALYZINGPRIVACYThestandardaccountoftransatlanticprivacydescribestwofun-

damentallyincompatibleprivacyregimesreflectingdeepphilosophi-caldividesbetweenlegalcultures.Accordingtothisstory,alaissez-faireapproach todataprivacy in theUnitedStates reflectsbroaderliberal norms thatprioritize individual autonomy in the faceof biggovernment,whilethemoreinterventionistEUapproachreflects“so-cial-protection norms” aimed at protecting human dignity.188 Re-searchers (including one of us) have argued that this conventionalwisdomoversimplifiesmattersbyfocusingondisparitiesinlaw-on-the-books and ignoring similarities in practices-on-the-ground.189Nonetheless,theEUandUnitedStateshavebeenunable,orat least

185. See,e.g.,MargotE.Kaminski,PrivacyandtheRightToRecord,97B.U.L.REV.167,173(2017);Scott Skinner-Thompson,RecordingasHeckling, 108GEO.L.J. 125,146(2019);Richards,supranote137,at1524.SeegenerallyAmandaShanor,TheNewLochner,2016WIS.L.REV.133. 186. SeeDoev.Chao,540U.S.614(2004);FAAv.Cooper,566U.S.284(2012);Clapperv.AmnestyInt’lUSA,568U.S.398(2013);Spokeo, Inc.v.Robins,136S.Ct.1540(2016);Frankv.Gaos,139S.Ct.1041(2019). 187. Some state constitutions do, however, provide an explicit right to privacy,evenagainstprivateparties.See,e.g.,CAL.CONST.art.1,§1(“Allpeoplearebynaturefreeandindependentandhaveinalienablerights.Amongtheseareenjoyingandde-fending...privacy.”). 188. SeeJoelR.Reidenberg,ResolvingConflictingInternationalDataPrivacyRulesinCyberspace,52STAN.L.REV.1315,1343(2000);Whitman,supranote76,at1161. 189. Bamberger&Mulligan,supranote20,at260;McGeveran,supranote20,at960.

Page 32: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1763

disinclined,tocometoaninternationalconsensusondataprivacy,in-steadforgingsuigenerisandunstablebilateralarrangementsgovern-ingdatatransfersbetweenthetworegimes.190

TheCCPAandtheGDPRheraldapossibleparadigmshiftfordataprivacy. Rather than two fundamentally incompatible frameworks,oneEuropeanandoneAmerican,weidentifytheemergenceofaracebetweenCaliforniaandtheEuropeanUnionasregulatorycatalysts,drivingtheU.S.states,andpossiblytheU.S.federalgovernment,toen-actnewdataprivacylaws.191

ThisPartfirstoutlinestheargumentthattheGDPRhasbeenthedominantinfluenceonbothdefactoanddejurespreadofprivacylawworldwide.WearguethattheUnitedStatesrepresentsanexceptiontothisnarrative—anarrativethatlargely,andinourviewmistakenly,adheres to anotionofnation-states (and supranational entities) asunitary actors rather than considering the various players withinthem.192

Wethenexamineanumberofrecentlyproposedandseveralre-centlyenactedstateandfederaldataprivacylaws,aimingtoanswerthequestion:whichjurisdictionisdrivingthisracetoproposeanden-actnewprivacyrules?WefindthatalthoughthecommonlyacceptednarrativecreditsnewstrongEuropeanrulesasthedriver,193infact,the proposals in U.S. states have largely copied California. And alt-houghtheCCPAdoesnotalwaysprovidethesubstantivecontentforrecentlyproposedfederallegislation,ithasbeentheimpetusbehindthosebills.California,notEurope,iscatalyzingtherecentandongoingdevelopmentofU.S.dataprivacylaw.

ThestoryoftheCCPAanditsimitators,weargue,isnotthecom-monly assumed story about the unilateral power of Brussels. It

190. Seecasescitedsupranote181. 191. SaraMerken,StatesFollowEU,CaliforniainPushforConsumerPrivacyLaws(1),BLOOMBERGL.(Feb.6,2019,3:02PM),https://news.bloomberglaw.com/privacy-and-data-security/states-follow-eu-california-in-push-for-consumer-privacy-laws-1. 192. See, e.g., Harold Hongju Koh,How Is International Human Rights Law En-forced?,74IND.L.J.1397,1401–09(1999)(contrastingfivetheoriesofhowinterna-tionalhumanrightslawisenforced:power,self-interest,liberalexplanations,commu-nitarian explanations, and legal process explanations—and noting the role of“transnationalnormentrepreneurs”inlegalprocess(incontrasttostate-centrictheo-riessuchasrealism));Anne-MarieSlaughter,ALiberalTheoryofInternationalLaw,94AM.SOC’YINT’LL.PROC.240,241(2000)(describingliberalIRtheoryas“aviewthatpreservesanimportantroleforstatesbutdeprivesthemoftheirtraditionalopacity”incontrasttotraditionalIRtheory,“whichconceive[s]oftheinternationalsystemascomposed of unitary, identical state actorswith fixed preferences (the billiard ballmodel)”). 193. Seesupranotes10–14andaccompanyingtext.

Page 33: Catalyzing Privacy Law

1764 MINNESOTALAWREVIEW [105:1733

demonstrates instead hownetworked individuals can harness pro-cessesatthestateandlocalleveltopromotetheadoptionofnewlegalnorms.194Ratherthancausingaracetothebottom,thebackdropofwhatwecall“dataglobalization”bothinfluencesandempowersnormentrepreneursadvocatingforstricterrequirements.195

WhyareotherstatesnowcopyingtheCCPA?Wepositanumberofreasons.First,inanechooftheDelawareEffect,Californiamayhaveestablisheditselfnationallyasanexpertjurisdictionondataprivacylaw,throughboththeCCPAandnumerousearlierstatutesregulatingdataprivacy.196Second,sincesomanydata-centeredcompanieshaveasignificantpresenceinCalifornia,otherstatesmaybepresumingaCalifornia-driven“Brussels”Effect: that is,manycompaniesalreadycomplyingwiththeCCPAwithrespecttoCaliforniaresidentswoulddefactocomplywith,orbereadilyabletocomplywith,CCPA-likere-quirementsinotherstates.Third,statelegislatorsmotivatedtoenactprivacy protections are far more likely to model their laws on aroughly twenty-page lawfromaU.S. jurisdictionthana foreign lawconsistingof99articlesand173recitals.

WedonotdenythattheGDPRinfluencedthedirectionofAmeri-canprivacylaw.ItcertainlyreducedthecostsofcompliancewithnewAmericanprivacylawformultinationalsthatwerealreadybringingthemselvesintocompliancewiththeGDPR.ThestrongnewEuropeanlawalsobroughtattentiontothecomparativedeficitinU.S.law.Buttheeffect fromtheEUhasbeenmorecircumscribedthangenerallyreported,anditisclearlysecondarytoaveryrealCaliforniaEffect.

WewillclosePartIIIwithsomecautiouspredictions.Weexam-inesomeofthecountervailingforcesuniquetotheUnitedStatesthatmaycontainthespreadofprivacyrulesfromonejurisdictiontothenext,includingthedormantcommerceclause,thepossibilityoffed-eralpreemption,andtheFirstAmendment.Wehypothesize,however,thatthespreadofdataprivacylawintheUnitedStateswillcontinue,withtheCCPAasthenewminimumthresholdforprotection.Anewdata privacy equilibrium is being established in the United States,whether it progresses state-by-state, encourages development of

194. Seesupranote192. 195. For an argument of how to curtail the race to the bottomwith respect toonline service providers, see ANUPAMCHANDER,THEELECTRONICSILKROAD:HOWTHEWEBBINDSTHEWORLDINCOMMERCE166–69(2013). 196. See,e.g.,CAL.BUS.&PROF.CODE§22580(California“EraserLaw”allowingmi-norstherighttodeleteInternetcontentundercertaincircumstances);CALCIV.CODE§§1798.80–.84(California’spioneeringdatabreachnotificationlaw);CAL.BUS.&PROF.CODE §§22575–22579 (CaliforniaOnlinePrivacyProtectionAct of 2003,which re-quiredonlineprivacypoliciesandotherdisclosuresabouthandlingofpersonaldata).

Page 34: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1765

modelstatelegislation,resultsinauniformfederallaw,orsomecom-binationoftheabove.

A. BRUSSELSASTHEWORLD’SPRIVACYCATALYSTAsPaulSchwartzandothershaveobserved,theGDPRisdriving

the enactment of new data privacy laws around theworld.197 Thismatcheswhatwedescribed in Part I as a (de jure) “California” Ef-fect.198

TheEUhasstrictlylimitedtheexportofpersonaldataoutsideoftheEUsincethe1995DataProtectionDirectivecameintoeffect,andthispolicycontinuedintheGDPR.199BoththeDirectiveandtheGDPRallowcrossbordertransfersofpersonaldataonlyinoneofthreeways.Twoofthemethodsarecumbersome,requiringindividualcompaniestogothroughcomplex,inflexible,andoftenbureaucraticprocessestoadopteither“bindingcorporaterules”or“modelcontractclauses.”200Thethirdmethodisthe“adequacymechanism,”whichoperatesonthenationallevelinsteadofatthelevelofanindividualorganization.IftheEuropeanCommissiondeclaresa foreigncountry’sdataprotec-tion laws and enforcement to offer an “adequate level of protec-tion,”201thendatacanflowtoanyorganizationinthatcountrywithnofurtherconstraint.Becauseanadequacyrulinggreatlysimplifiesdatatransferincomparisontothemoreonerousoptions,manycountrieshavesoughttomodifytheirlawstoobtainsucharuling.202

Theadequacyprocesscanthusbecharacterizedasadeliberatelegalexportstrategy.BymakingitmucheasierforcompaniesdoingbusinessintheEUtotransferdataacrossbordersiftheirhomejuris-dictionsadoptdataprotectionlawsthatsatisfyEuropeanauthorities,theEUdeployedtheBrusselsEffect(defactocompliance)tocauseaCaliforniaEffect(dejureregulatorychanges).AsSchwartzcautions,thedynamic ismore complicated in reality, becauseother jurisdic-tions have pushed back against the adequacy process, resulting in

197. SeegenerallySchwartz,supranote9,at771(“ThecornerstoneofEUlawinthisarea,theGeneralDataProtectionRegulation(GDPR),isnowwidelyregardedasaprivacylawnotjustfortheEU,butfortheworld.”). 198. SeesupraPartI.B. 199. SeeGDPR,supranote7,art.45;Directive95/46/EC,art.25,1995O.J.(L281). 200. GDPR, supra note 7, arts. 46–47 (describing binding corporate rules andstandardcontractualclauses,amongothermechanisms);Directive95/46/EC,art.25(outlining procedures for derogations from Article 25 limitations on cross-bordertransfers). 201. Directive95/46/EC,art.25(1). 202. SeeSchwartz,supranote9,at786–95(comparingUK,Japan,U.S.andnotingthatIsraelandothershavereceivedadequacydeterminations).

Page 35: Catalyzing Privacy Law

1766 MINNESOTALAWREVIEW [105:1733

moreofagive-and-takethanpureexport.203Butattheendoftheday,thelawsofothercountriesdolookmuchmorelikeEUlawthantheydidbeforetheiradequacydeterminations.

TheGDPRalsodemonstratesa(defacto)BrusselsEffect,spur-ring many multinational companies to comply with its provisionsworldwide,evenwhereother jurisdictionsdonotadjust their laws,andnotonlyforoperationsdealingwithEuropeanpersons.Someen-terprisesdecidedtoavoidGDPRexposurebyexcludingEuropealto-gether.204Forexample,theLosAngelesTimesandtheChicagoTribunedisabledaccessforInternetusersintheEU.205NationalPublicRadiotookadifferentapproach:“Userscouldeitheragreetothenewterms,ordeclineandbetakentoaplain-textversionofthesite,lookingforalltheworldlikeithadlastbeenupdatedin1996.”206Chinesesmart-homemanufacturerYeelightdisabled Internet-connected lightbulbsintheEuropeanUnion.207Forthesefirms,eventhepotentialbenefitsof serving the huge Europeanmarket could not justify the costs ofcomplianceortherisksofnon-compliance.AndsurelymanysmallerorganizationsdisregardGDPRrequirementsbecausetheirexposuretoEuropeisminor.

Nonetheless,whentheGDPRwentintoeffectinMay2018,peopleacrosstheworld,includingAmericans,beginreceivingafusilladeofmessagesfromcompaniesupdatingtheirprivacypolicies.Somecom-panies have adopted the compliance infrastructure required in theGDPR—designatingdataprotectionofficers, running impactassess-ments,bakinginsomeformofprivacybydesign—throughouttheirinternationaloperations.JustasthescholarshipontheBrusselsEffectanticipates,thesecompanieshavefounditdesirabletomaintainauni-fied firm-wide compliance architecture and adhered to the more

203. Id.(illustratingnegotiationsbetweentheEUandexternalcountriestoallowpersonaldatatoflowfreelybetweeneconomies). 204. RebeccaSentance,GDPR:WhichWebsitesAreBlockingVisitorsfromtheEU?,ECONSULTANCY (May 31, 2018), https://econsultancy.com/gdpr-which-websites-are-blocking-visitors-from-the-eu-2[https://perma.cc/9A2Y-XEHA]. 205. AlexHern&MartinBelam,LATimesAmongUS-BasedNewsSitesBlockingEUUsers due to GDPR, GUARDIAN (May 25, 2018), https://www.theguardian.com/technology/2018/may/25/gdpr-us-based-news-websites-eu-internet-users-la-times[https://perma.cc/76J5-5G2C] (noting that U.S. papers such as theNew York DailyNews,theBaltimoreSun,OrlandoSentinel,andtheSanDiegoUnion-Tribunealsodisa-bledaccess). 206. AlexHern& JimWaterson, SitesBlockUsers,ShutdownActivitiesandFloodInboxes as GDPR Rules Loom, GUARDIAN (May 24, 2018), www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect[https://perma.cc/4FYJ-PL5S]. 207. Id.

Page 36: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1767

stringentGDPRrequirements.Afewcompanieshavegoneevenfur-therbyadoptingaspectsoftheGDPRotherthanitscompliancerules;Microsoft, for example, announced that itwould “extend the rightsthatareattheheartofGDPRtoallofourconsumercustomersworld-wide.”208

ThroughboththeDirectiveandtheGDPR,EUauthoritiessuccess-fully exported their approach to data protection to many placesaroundtheglobe,both throughnational responses to theadequacymechanismandinstitutionaleffortstounifydatacomplianceopera-tions.ButtheinfluenceofEUprivacylawhasbeenmuchmorelimitedinotherrespects,startingwithitscapacitytocatalyzelegalchangeintheUnitedStates.

B. BUTSEETHEUNITEDSTATESWhile theGDPR’sadequacymechanismand itsdirecteffecton

globalcompaniesmayenticeotherjurisdictionsworldwidetoenactoramenddataprivacylaw,itisnotthecatalystforrecentlyproposedlaws in theUnitedStates. Indeed,asPart II shows, theCCPA isnotmodeledontheGDPR,thoughbothsharesimilaritiesfoundedinthelong-establishedFairInformationPracticePrinciples.Theforcesbe-hindboththeCCPAanditscounterpartsacrosstheUnitedStatesdonotseekanadequacyrulingfromtheEuropeanUnion.Nearlyaquar-tercenturyofEuropeandataprotectionlawdidnotprompttheUnitedStatestotakeupabroadlawofitsown.

WhyhastheUnitedStatesgoneitsownway?Wewillnotelaterthat the exceptional American approach to free expression, and itstensionwithsomeportionsoftheGDPRframework,arelikelyinhib-itingfactors.Butwebelievethatanearliermomentofnormentrepre-neurshipwasequallycritical.

TheEUprohibitiononcross-borderdatatransfersbecameeffec-tivein1998undertheDataProtectionDirective.FacedwiththenearcertaintythatU.S.lawwouldnotbefoundadequateforunrestricteddataflowfromtheEuropeanUnion,209theClintonadministrationset

208. JulieBrill,Microsoft’sCommitmenttoGDPR,PrivacyandPuttingCustomersinControlofTheirOwnData,MICROSOFTBLOG (May21,2018),https://blogs.microsoft.com/on-the-issues/2018/05/21/microsofts-commitment-to-gdpr-privacy-and-putting-customers-in-control-of-their-own-data[https://perma.cc/2MG5-AJ49]. 209. AnadequacydeterminationwouldnothavebeenforthcomingfromtheEUwithoutdramaticlegalandregulatorychangesintheU.S.SeeOpinion1/99oftheWork-ingPartyontheProtectionofIndividualswithRegardtotheProcessingofPersonalData:ConcerningtheLevelofDataProtectionintheUnitedStatesandtheOngoingDiscussionsBetweentheEuropeanCommissionandtheUnitedStatesGovernment,at2,art.29(Jan.26,1999),https://ec.europa.eu/justice/article-29/documentation/opinion

Page 37: Catalyzing Privacy Law

1768 MINNESOTALAWREVIEW [105:1733

outtonegotiateanexceptionbecauseU.S.companieswantedtoavoidusingthemorecumbersomemechanismsfordatatransferavailableundertheEuropeanlaw.BolsteredbyitscloserelationshiptoEuropeaswellasAmerica’seconomicandothersoftpower,theClintonad-ministration worked out a bespoke exemption from the Europeanrules.AmericanandEuropeandiplomatsworkedforyearstonegoti-ateaseparatedatatradeagreementapplicableonlytotheirbilateralrelationship. In 2000, theClinton administration and theEuropeanCommission signed the “U.S.-EUSafeHarborAgreement,”whichal-lowedU.S.companiestocertifyannuallythattheyadheredtoanar-rowsetofgeneraldataprotectionprinciplesinordertotransferper-sonaldatafromtheEU.210

TheU.S.thusinoculateditselfagainstanycatalyzingeffectfromEUdataprotectionlaw,ofeitherthedefactoordejurevariety.TheEuropeanCommission(effectivelytheEU’sexecutivebranch)ratifiedtheSafeHarborasconsistentwithEUdataprotectionlaw.211Butina2015decision,theCourtofJusticeoftheEuropeanUnion,citingtherevelationsofEdwardSnowdenaboutthescopeofU.S.nationalsecu-ritysurveillance,struckdowntheSafeHarbor.212

Eventhen,theresponsewasnotfortheU.S.toconformitslawtotheEUadequacystandard,oreventoconcedethatAmericandatacon-trollerswould need to use one of the othermechanisms for cross-borderdatatransfers.Instead,thetwosidesreturnedtothenegotiat-ing table and reached a new compromise, known as the “EU-U.S.PrivacyShield.”213ThecarrotofadequacythatenticedcountriesfromArgentinatoThailandtochangetheirdataprivacylawsstillfailedto

-recommendation/files/1999/wp15_en.pdf [https://perma.cc/NR47-MKFU] (“[T]hecurrentpatchworkofnarrowly-focussedsectoral lawsandvoluntaryself-regulationcannotatpresentbereliedupontoprovideadequateprotectioninallcasesforper-sonaldatatransferredfromtheEuropeanUnion.”).ButseeChristopherWolf,DelusionsofAdequacy?ExaminingtheCaseforFindingtheUnitedStatesAdequateforCross-Bor-derEU-U.S.DataTransfers,43WASH.U.J.L.&POL’Y227(2014)(makinganadmittedlycontrarianargumentthatU.S.lawcouldbejudgedadequateundertheDataProtectionDirective). 210. SeeWelcometotheU.S.-EUSafeHarbor,EXPORT.GOV(Jan.12,2017),https://2016.export.gov/safeharbor/eu/eg_main_018365.asp[https://perma.cc/EKJ6-XFHY]. 211. SeeCommissionDecision2000/520,2000O.J.(L215)7. 212. CaseC-362/14,Schremsv.DataProt.Comm’r,ECLI:EU:C:2015:650(Oct.6,2015). 213. SeePrivacyShieldOverview, INT’LTRADEADMIN.,https://www.privacyshield.gov/Program-Overview[https://perma.cc/TA5G-KRVU].

Page 38: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1769

moveU.S.privacylaw.214In2020,theEU’shighestcourtonceagaininvalidatedthespecialtransatlanticarrangementasstillinconsistentwithEUlaw.215ItremainstobeseenhowtheEUandU.S.willrespondthistime.ButthereislittleindicationthatAmericanjurisdictionshavebecome any more inclined to harmonize U.S. law with the GDPRmodel.

WenowturntoexaminetherecentextensivestateandfederallegislativeactivityintheUnitedStates.OurclosecomparisonoftheGDPRandtheCCPAinPartIandourexaminationbelowofvariousstateandfederalprivacybillsshowsthattheCCPA,nottheGDPR,hasplayedtheleadingroleinthelegislativeresponseacrosstheUnitedStates.ThevariousstatebillsareoftenmodeledonprovisionsoftheCCPA.FederalbillsinturnarethepoliticalresponsetostatelegislativeactivitypromptedbytheCCPA.

1. StateLawsSincetheadventoftheGDPRandtheCCPA,theUnitedStateshas

seen an unprecedented volume of legislative proposals that wouldregulatedataprivacyatthestatelevel.AccordingtotheNationalCon-ferenceof StateLegislatures, in2019alone, consumerprivacybillswere introduced or filed in at least twenty-five states and PuertoRico.216 Legislatures innearlyhalfof the states (twenty-onebyourcount)consideredorenacteddatasecuritybillsin2018and2019.217

214. Inarareexceptiontothisrule,aspartofthenegotiationsleadingtotheadop-tionofthePrivacyShield,theU.S.CongresspassedtheJudicialRedressActin2015,5U.S.C.§552a,tohelpassureEuropeansthattheywouldhavetheabilitytobringclaimsunderthePrivacyActof1974,5U.S.C.§552a,againstU.S.governmentalintrusions. 215. CaseC-311/18,DataProt.Comm’nv.FacebookIr.Ltd.,ECLI:EU:C:2019:1145(Dec.19,2019). 216. 2019ConsumerDataPrivacyLegislation,NAT’LCONF.ST.LEGISLATURES(Jan.3,2020),http://www.ncsl.org/research/telecommunications-and-information-technology/consumer-data-privacy/calif.aspx[https://perma.cc/6WNL-RX4P]. 217. See,e.g.,AlabamaDataBreachNotificationActof2018,ALA.CODE §8-38-1(2018);ActAmendingTitle44,Chapter11,ArizonaRevisedStatutes,byAddingArticle2RelatingtoConsumerHouseholdGoods,ARIZ.REV.STAT.ANN.§§44-1611to-1616(2019); California Consumer Privacy Act of 2018, CAL.CIV.CODE § 1789.175 (West2019);ActConcerningStrengtheningProtections forConsumerDataPrivacy,COLO.REV.STAT.ANN.§§6-1-713,6-1-716(West2019);S.240,101stGen.Assemb.,1stReg.Sess.(Ill.2019)(introducedasConsumerCreditReportingAgencyRegistrationandCybersecurityProgramAct);ActToAmendandReenactR.S.51:3073(2)and(4)(a)and3074,Relative to theDatabaseSecurityBreachNotificationLaw,LA.STAT.ANN.§§51:3073to:3074(2019)(requiringorganizationstodestroyinformationandex-pandsdefinitionofPII);S.786,439thGen.Assemb.(Md.2019);H.R.904,2019Gen.Assemb.,2019Sess.(N.C.2019);NEB.REV.STAT.ANN.§§87-801,87-806(West2019);S.176,54thLeg.,1stSess.(N.M.2019);S.5575,2019Leg.,2019–2020Reg.Sess.(N.Y.

Page 39: Catalyzing Privacy Law

1770 MINNESOTALAWREVIEW [105:1733

Dataprivacyanddatasecurityarerelatedbutnotidenticalissues,218although legislators frequently conflate them—evidenced by Colo-rado’s“dataprivacy”law,whichfocusesondatasecuritymatters.AtleasttenstatesconsideredprivacylawsaimedatInternetservicepro-viders(ISPs),presumablyinresponsetoCongress’s2017repealoftheFederal Communications Commission’s broadband privacy rules.219And legislators inmanystatesproposednarrowerprivacy laws,ontopicsfromstudentprivacytotheprotectionofbiometricorgeoloca-tioninformation.220

2019); SecurityBreachNotificationAct,OKLA.STAT.ANN. tit. 24, §§ 162–166 (West2008);ActRelatingtoActionsAfteraBreachofSecuritythatInvolvesPersonalInfor-mation,OR.REV.STAT.ANN.§§646A.602,.604,.606,.608,.610,.622(West2011);H.R.1181,2019–20Gen.Assemb.,2019Sess.(Pa.2019);InsuranceDataSecurityAct,S.C.CODEANN.§§38-99-10to-100(2019);ActToProvidefortheNotificationRelatedtoaBreachofCertainDataandToProvideaPenaltyTherefor,S.D.CODIFIEDLAWS§§22-40-19to-26(2019);ActToAmendTennesseeCodeAnnotated,Title47,RelativetoReleaseofPersonalInformation,TENN.CODEANN.§47-18-2107(West2019);ActRe-latingtothePrivacyofPersonalIdentifyingInformationandtheCreationoftheTexasPrivacyProtectionAdvisoryCouncil,H.R.4390,86thLeg.,Reg.Sess. (Tex.2019);S.156,2017–2018Gen.Assemb.,2018Sess.(Vt.2018);H.R.1071,66thLeg.,2019Reg.Sess.(Wash.2019);ActToAmendtheCodeofVirginiabyAddingaSectionNumbered58.1-341.2,RelatingtoNotificationofTaxReturnDataBreach,VA.CODEANN.§58.1-341.2 (2018).Virginia also introducedabill in2018 to amendand reenact section59.1-200relatedtotheVirginiaConsumerProtectionAct.Thebilldiedincommittee.H.D.1588,2018Gen.Assemb.,Reg.Sess.(Va.2018). 218. SeeDerekE.Bambauer,PrivacyVersusSecurity,103J.CRIM.L.&CRIMINOLOGY667,668–69(2013)(“Whilelegalscholarstendtoconflateprivacyandsecurity,theyaredistinctconcerns.”);WilliamMcGeveran,TheDutyofDataSecurity,103MINN.L.REV.1135,1141(2019)(“Datasecurityisjustoneelementofthebroaderconceptofdataprivacy;thelatteralsorelatestothecollection,use,anddisclosureorpersonaldatainadditiontoitssecurestorage.”). 219. BrianFung,TrumpHasSignedRepealof theFCCPrivacyRules.Here’sWhatHappens Next., WASH. POST (Apr. 4, 2017, 6:42 AM), https://www.washingtonpost.com/news/the-switch/wp/2017/04/04/trump-has-signed-repeal-of-the-fcc-privacy-rules-heres-what-happens-next [https://perma.cc/RK25-UD2A]; see H.R.230,30thLeg.,1stSess.(Ala.2017);H.R.232,30thLeg.,1stSess.(Ala.2017);H.R.277,30thLeg.,2dSess.(Ala.2018);S.160,30thLeg.,2dSess.(Ala.2018)(thesefourAlaskabillsdied);H.R.80,29thLeg.,2018Reg.Sess.(Haw.2018)(introducingataskforceonISPprivacy);S.243,2019Gen.Assemb.,Reg.Sess.(Ky.2019);S.275,129thLeg.,1stReg.Sess.(Me.2019);H.D.1655,2018Gen.Assemb.,Reg.Sess.(Md.2018);H.D.141,2020GenAssemb.,Reg.Sess.(Md.2020);H.R.382,191stGen.Ct.,Reg.Sess.(Mass.2019); H.R. 1030, 91st Leg., Reg. Sess. (Minn. 2019); S. 1553, 90th Leg., Reg. Sess.(Minn.2018);H.R.457,66thLeg.,2019Sess. (Mont.2019)(failed incommittee);S.2641,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.3711,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.1927,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.1527,218thLeg.,Reg.Sess.(N.J.2018);S.5245,242dLeg.,2019–2020Reg.Sess.(N.Y.2019);H.R.246,2019–20Gen.Assemb.,2019Reg.Sess.(Pa.2019). 220. See,e.g.,H.R.2354,87thGen.Assemb.,Reg.Sess. (Iowa2018);GeolocationPrivacyProtectionAct,H.R.2785,101stGen.Assemb.,1stReg.Sess.(Ill.2019);H.R.

Page 40: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1771

Ourfocushereisontheunprecedentedflurryofcomprehensivedataprivacylegislation.Restrictingthefocustocomprehensivedataprivacylaws,wecountatleastseventeenstatesinadditiontoCalifor-niaandPuertoRicothatconsideredorenactedcomprehensivedataprivacylawsin2018and2019.221Fivestatesestablishedtaskforceswiththegoalofproposingdataprivacylegislation.222Includingtaskforces, there were in 2018 and 2019 at least nineteen states (andPuertoRico)consideringorenactingcomprehensivedataprivacyleg-islation.223InCalifornia,theCaliforniaPrivacyRightsAct(CPRA),en-actedviaballotinitiativeinNovember2020butwithmostprovisionsnotgoingintoeffectuntilJanuary2023,establishesthenewCaliforniaPrivacyProtectionAgency,aprivacy-specificregulatorinthatstate.224Inadditiontotheseindividualstateproposals,theUniformLawCom-mission(ULC)isdevelopingaproposeduniformlawthatwouldes-tablish“acomprehensivelegal frameworkforthetreatmentofdataprivacy,”guidedtoalargedegreebythescopeoftheCCPA.225TheULC

536-FN,2019Gen.Ct.,Reg.Sess.(N.H.2019)(addingbiometricinformationtothecon-sumerprotectionact);H.R.2866,80thLegis.Assemb.,2019Reg.Sess.(Or.2019)(add-inggeolocationinfo);H.R.352,111stGen.Assemb.,Reg.Sess.(Tenn.2019)(makingunauthorizeduse or distribution of personal health information a violation of con-sumerprotectionlaw);S.110,2019–2020Gen.Assemb.,2020Sess.(Vt.2020)(stu-dentprivacylaw);H.D.2535,2019Gen.Assemb.,Reg.Sess.(Va.2019)(requiringsitestoletminorsrequesttoremoveinformation). 221. SeeS.418,30thLeg.,Reg.Sess.(Haw.2019);H.R.3358,101stGen.Assemb.,Reg.Sess.(Ill.2019);H.R.465,2019Leg.,Reg.Sess.(La.2019);S.275,129thLeg.,1stReg.Sess.(Me.2019);H.D.901,2019Gen.Assemb.,Reg.Sess.(Md.2019);S.120,191stGen.Ct.,Reg.Sess.(Mass.2019);H.R.2917,91stLeg.,Reg.Sess.(Minn.2019);H.R.592,100thGen.Assemb., 1stReg. Sess. (Miss. 2019); S. 220,80thSess.,Reg. Sess. (Nev.2019,codifiedatChap.211);Gen.Assemb.4640,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.4902,218thLeg.,Reg.Sess.(N.J2019);S.176,54thLeg.,1stSess.(N.M.2019);Assemb.7736,2019–2020Leg.Sess.,Reg.Sess.(N.Y.2019);S.5642,2019–2020Leg.Sess.,Reg.Sess.(N.Y.2019);H.R.1049,2019–2020Gen.Assemb.,Reg.Sess.(Pa.2019);H.R.5930,2019Gen.Assemb.,Reg.Sess.(R.I.2019);H.R.4518,86thLeg.,Reg.Sess.(Tex.2019);H.R.764,2017–2018Gen.Assemb.,Reg.Sess.(Vt.2018);S.5376,66thLeg.,2019Reg.Sess.(Wash.2019). 222. S.1108,2019Gen.Assemb.,Jan.Sess.(Conn.2019);H.R.225,30thLeg.,Reg.Sess.(Haw.2019);H.R.249,2019Leg.,Reg.Sess.(La.2019);H.R.1485,66thLeg.As-semb.,Reg.Sess.(N.D.2019);H.R.4390,86thLeg.,Reg.Sess.(Tex.2019)(establishingtheTexasPrivacyProtectionAdvisoryCouncil). 223. NorthDakotaandConnecticutareeachcountedonceinouranalysis,asbothstatesproposedcomprehensivedataprivacylegislationandultimatelyinsteadestab-lishedataskforce. 224. SeedelaTorre&Brown,supranote169. 225. KatieRobinson,NewDraftingandStudyCommitteesToBeAppointed,UNIF.L.COMM’N (July 24, 2019, 4:37 PM), https://www.uniformlaws.org/committees/community-home/digestviewer/viewthread?MessageKey=bc3e157b-399e-4490-9c5c-608ec5caabcc&CommunityKey=d4b8f588-4c2f-4db1-90e9-48b1184ca39a&

Page 41: Catalyzing Privacy Law

1772 MINNESOTALAWREVIEW [105:1733

hasdraftedandpromotedhundredsofmodelstatutes,fromtheUni-formCommercialCodetotheUniformTradeSecretsAct.OncetheULCvotestopublishmodelbills,itisuptoindividualstatelegislaturestoadoptthem.226

Wefocushereonafewoftheseproposalstoidentifytheirintel-lectualoriginsineithertheCCPAortheGDPR.Wefindthat,despitepopularclaimstothecontrary,thecatalysisfordataprivacyproposalsinstatelegislaturesisemanatingnotfromBrussels,butfromCalifor-nia.

Take, forexample,Connecticut’sproposedcomprehensivedataprivacybill,SB1108.Theoriginalversionofthebill,introducedinJan-uary2019,effectivelycopiedtheCCPA,withminoredits.Thedefini-tionof“personalinformation”wasidentical;thedefinitionofacov-ered “business” was identical.227 Like the CCPA, the proposedConnecticutbillgranted individualsaccessrights,228aright todele-tion,229andarighttooptoutofthesaleofone’sdata.230LiketheCCPA,theproposedConnecticutbillprohibitedbusinessesfromdiscriminat-ingagainstconsumersforexercisingtheirrights.231TheproposedbillsocloselytrackedtheCCPA’srequirementsthatit,too,requiredatoll-freenumberforrequestingaccess,andaconspicuous“DoNotSellMyPersonalInformation”linkforoptingoutofsale.232Ultimately,how-ever,legislatorsreplacedthebillwithasubstituteactestablishingatask force concerning consumer privacy, signed into law on July 9,2019.233TheActinstructsthetaskforceto“examinewhatinformationbusinesses in this state should be required to disclose to

tab=digestviewer#bmbc3e157b-399e-4490-9c5c-608ec5caabcc [https://perma.cc/98JG-TQQ3]. 226. See FAQs, UNIF. L. COMM’N, https://www.uniformlaws.org/aboutulc/faq[https://perma.cc/8XGL-CALF].OneoftheauthorsofthisArticle,WilliamMcGeveran,previouslyservedas thereporter for thecommitteedrafting thismodel legislation;anotheroftheauthorsofthisArticle,MargotKaminski,servesasresearchdirectorfortheDevelopmentsinPrivacyLawCommittee. 227. Compare California Consumer Privacy Act of 2018, CAL. CIV. CODE§1798.140(c)(defining“business”),and id.§1798.140(o)(defining“personalinfor-mation”),with S. 1108§1(3),2019Gen.Assemb., Jan. Sess. (Conn.2019) (defining“business”),andid.§1(15)(defining“personalinformation”). 228. Conn.S.1108§§2,4,6. 229. Id.§3. 230. Id.§7. 231. Id.§8. 232. Id.§§9(1),10(1). 233. SeegenerallySubstituteforRaisedS.B.No.1108SessionYear2019,CONN.GEN.ASSEMB., https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&which_year=2019&bill_num=Sb+1108[https://perma.cc/A6F7-NZF2].

Page 42: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1773

consumers...[s]uchexaminationshallinclude,butnotbelimitedto,theCaliforniaConsumerPrivacyActof2018,asamended,toconsiderwhatprovisionscouldbeimplementedinthisstate.”234

Massachusetts’sproposeddataprivacybill,S.120,providesan-other clear example of thismimicry.235 Also introduced in January2019,S.120containslanguageidenticaltotheCalifornialawinmul-tipleplaces.LiketheCCPA,theproposedMassachusettsbillappliesto“businesses,” and like theCCPA, this includesbothbusinesseswithgrossrevenuesoveracertainthreshold(tenmilliondollarsinMassa-chusetts,twenty-fivemilliondollarsinCalifornia)andbusinessesthatderivefiftypercentormoreofannualrevenuefromthedisclosureofpersonalinformation.S.120’sexceptionforpubliclyavailableinfor-mation,too,almostperfectlyadoptsCCPAlanguage.236WhileS.120doesnotcontaintheCCPA’sexhaustive listofexamplesofpersonalinformation,itscoredefinitionofpersonalinformationdiffersbyjustoneword.237TheproposedMassachusettsbillwouldestablishnotice,access,anddeletionrequirementsthatlargelycorrespondtothoseintheCCPA.238LiketheCCPA,therightsarenotwaivable.239

Insomeplaces,theproposedMassachusettsbillisstrongerthantheCCPA.Itgivesconsumerstherighttooptoutofnotjustthesaleofpersonalinformation,butalsoofthird-partydisclosure.240Andunlikethe CCPA, it provides for a private right of action, with statutory

234. SubstituteS.1108§1(a),2019Gen.Assemb.(Conn.2019). 235. MarkD.Quist,ComprehensiveDataPrivacyLegislationIntroducedinMassa-chusetts–IncludesPrivateRightofActionWithoutaNeedToProveHarm,MONDAQ(Feb.15, 2019), http://www.mondaq.com/unitedstates/x/781198/Data+Protection+Privacy/Comprehensive+Data+Privacy+Legislation+Introduced+In+Massachusetts+Includes+Private+Right+Of+Action+Without+A+Need+To+Prove+Harm[https://perma.cc/CZ8S-QK2M]. 236. Compare California Consumer Privacy Act of 2018, CAL. CIV. CODE§1798.140(o)(2)(2018),withS.120§1(m)(1),191stGen.Ct.(Mass.2019). 237. CompareMass.S.120§1(m)(1)(defining“personal information”as“infor-mationthatidentifies,relatesto,describes,iscapableofbeingassociatedwith,orcouldreasonably be linked, directly or indirectly,with a particular consumeror the con-sumer’sdevice”(emphasisadded)),withCAL.CIV.CODE§1798.140(v)(1)(defining“per-sonalinformation”as“informationthatidentifies,relatesto,describes,isreasonablycapableofbeingassociatedwith,orcouldreasonablybelinked,directlyorindirectly,withaparticularconsumerorhousehold”(emphasisadded)). 238. Mass.S.120§2(requiringdisclosureofcategoriesofpersonalinfo,businesspurpose,consumerrights,andmore);id.§3(establishingtherighttorequestspecificpiecesofpersonalinfo,namesofthirdpartiestowhomdisclosed,sources,andbusi-nesspurpose);id.§5(coveringtherighttodeleteinfocollectedfromtheconsumer);id.§6(includingtherighttooptoutofthird-partydisclosureinsteadofsale). 239. CompareCAL.CIV.CODE§1798.192,withMass.S.120§14. 240. Mass.S.120§6.

Page 43: Catalyzing Privacy Law

1774 MINNESOTALAWREVIEW [105:1733

damages of $750 per consumer per incident, plus attorney fees.241MirroringtheCCPA,itdirectsthestateattorneygeneraltowritereg-ulationsandempowersthatofficetoenforcethenewprivacyrules.242

Also,inJanuary2019,NorthDakotaintroduceddataprivacyleg-islation243with significant similarities to the CCPA. That legislationseemstohavebeeninspiredbyanewsreportaboutEuropeanprivacylawthatoneofthedrafterswatched.244Despitethisinspiration,whenthetimecametodraftabill,NorthDakotaalsolookedtoCaliforniaforsubstantive language.245 The bill defined a coveredbusiness nearlyword-for-wordidenticallytotheCCPA’sdefinition.246Thedefinitionof“personalinformation,”too,closelytrackedthatintheCCPA.247Itcreated a right of access similar to the CCPA’s.248 Unlike the CCPA,however,inafewprovisions,theNorthDakotabillemulatedamore

241. Id.§9. 242. Id.§§10–11. 243. H.R.1485,66thLeg.Assemb.(N.D.2019). 244. See SaraMerken,States FollowEU, California inPush forConsumerPrivacyLaws (1), BLOOMBERG L. (Feb. 6, 2019, 3:02 PM), https://news.bloomberglaw.com/privacy-and-data-security/states-follow-eu-california-in-push-for-consumer-privacy-laws-1 [https://perma.cc/8A8X-9MUW] (“North Dakota Rep. Jim Kasper (R) toldBloombergLawthathedecidedtointroducelegislationafterwatchinga‘60Minutes’programaboutthenewrightstheEU’sGeneralDataProtectionRegulationprovidestoEUcitizens.”). 245. Id.(notingthatsomestateshave“largelyfollow[ed]theleadofCalifornia”indraftingconsumerprivacylaws). 246. CompareN.D.H.R.1485,§51-37-01(“[A][c]overedentity ...a.Hasannualgrossrevenuesinexcessoftwenty-fivemilliondollars;b.Annuallybuys,receives,sells,orsharespersonal informationofat least fifty thousandconsumers,households,ordevices;orc.Derivesatleastfiftypercentofitsannualrevenuesfromsellingpersonalinformation.”), with California Consumer Privacy Act of 2018, CAL. CIV. CODE§1798.140(c)(West2018)(definingbusinessas“[a]soleproprietorship,partnership,limitedliabilitycompany,corporation,association,orotherlegalentitythat...(A)Hasannualgrossrevenuesinexcessoftwenty-fivemilliondollars...(B)Aloneorincom-bination, annually buys, receives for the business’s commercial purposes, sells, orsharesforcommercialpurposes,aloneorincombination,thepersonalinformationof50,000ormoreconsumers,households,ordevices.(C)Derives50percentormoreofitsannualrevenuesfromsellingconsumers’personalinformation.”). 247. Compare N.D. H.R. 1485 § 51-37-01 (“‘Personal information’ means infor-mationthatidentifies,describes,orcouldreasonablybelinkedwithaparticularindi-vidual.Thetermdoesnotincludepubliclyavailableinformationlawfullymadeavaila-ble to the general public from federal, state, or local government records.”),withCaliforniaConsumerPrivacyActof2018,CAL.CIV.CODE§1798.140(o)(1)(West2018)(“‘Personalinformation’meansinformationthatidentifies,relatesto,describes,isrea-sonablycapableofbeingassociatedwith,orcouldreasonablybe linked,directlyorindirectly,withaparticularconsumerorhousehold.”). 248. N.D.H.R.1485§51-37-03(providingthatupon“requestfromanindividual,acoveredentityshalldisclose”thecontentofpersonaldatathatitpossesses).

Page 44: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1775

Europeanapproach;forexample,itwouldhaveprohibiteddisclosureofpersonalinformationwithoutexpresswrittenconsent(moreofanopt-inthananopt-out)anditwouldhavecreatedaprivaterightofaction.249Ontheotherhand,otherdeparturesfromtheCCPAtookitfurther fromtheGDPR,because it lackedanoticerequirementorarighttodeletion.Ultimately,thebillwasreplacedbyaproposalforalegislativestudyofdataprivacylaws.250

Thesethreestatesarejustasamplingofthisdynamic.Wefindproposalsinatleastsevenotherstatesthatcouldsimilarlybecharac-terizedasCCPAclonestoalargedegree.251BillsinMississippi,Penn-sylvania,andRhodeIsland,likethoseinConnecticutandMassachu-setts,copiedportionsoftheCCPAwholesale.252OneproposedTexasbilllargelytrackedtheCCPAaswell.253Texasultimatelyenactedadif-ferentbillintolaw,theTexasPrivacyProtectionAct;whileinitiallyittoowasabroaddataprotectionlaw,itwasultimatelyamendedtocre-ateacounciltoreportbackonproposedstatutorychanges.254InIlli-nois, theproposedDataTransparencyandPrivacyActwouldapplytheCCPAdefinitionof“businesses”andwouldgrantconsumersbothnotice and access rights and a right to opt out of sale, although it

249. Id.§51-37-02(“Prohibitionagainstdisclosureofpersonalinformationexceptuponwrittenconsent.”);id.§51-37-05(“Ifanindividual’spersonalinformationispur-chased,received,sold,orsharedbyacoveredentityinviolationofthischapter,theindividualmaybringacivilactioninacourtofthisstate....”). 250. N.D. H.R. 1485; see also N.D. LEGIS. COUNCIL, DISCLOSURE OF CONSUMERS’PERSONALDATA—BACKGROUNDMEMORANDUM (2019),https://www.legis.nd.gov/files/resource/committee-memorandum/21.9058.01000.pdf[https://perma.cc/7U2L-7BLV](noting that “HouseBillNo.1485wasamended toprovide foramandatoryLegislativeManagementstudyonprotections,enforcements,andremediesregardingthedisclosureof consumers’personaldata, andbothchamberspassed thebill asamandatorystudy”). 251. SeeRachelR.Marmor,MaryamCasbarro,Monder“Mike”Khoury&NancyLi-bin,“CopycatCCPA”Bills Introduced inStatesAcrossCountry,DAVISWRIGHTTREMAINLLP(Feb. 8, 2019), https://www.dwt.com/blogs/privacy—security-law-blog/2019/02/copycat-ccpa-bills-introduced-in-states-across-cou[https://perma.cc/E6NB-XAFU](“Legislatorsinninestateshaveintroduceddraftbillsthatwouldimposebroadobligationsonbusinessestoprovideconsumerswithtransparencyandcontrolofper-sonaldata.”). 252. H.R.1253,2019Leg.(Miss.2019);H.R.1049,2019Gen.Assemb.(Pa.2019);H.R.5930,2019Gen.Assemb.(R.I.2019). 253. H.R.4518,86thLeg.(Tex.2019).Bycontrast,H.R.4390,86thLeg.(Tex.2019)takesamoreblendedCCPA-GDPRapproach. 254. Tex.H.R.4390;seeEmilyBruemmer,DavisWrightTremaineLLP,StateandFederalPrivacyLegislationStalls,JDSUPRA(June28,2019),https://www.jdsupra.com/legalnews/state-and-federal-privacy-legislation-63216 [https://perma.cc/D2GZ-5P9H](notingthatHouseBill4390createdanadvisorycounciltostudydataprivacylawsinTexasandotherjurisdictions).

Page 45: Catalyzing Privacy Law

1776 MINNESOTALAWREVIEW [105:1733

carvedout theuseofdata foradvertisingandotherexemptions.255Maryland’sbillandHawaii’soriginalbill (laterreplacedwithataskforce) offered a set of rights for data subjects similar to the CCPA,thoughtheydifferinsomesignificantrespects.256

Nevadaisoneoftheonlystatestonotjustconsiderbutactuallyenactnewdataprivacylawinthisperiod.Thenewlaw,expandingonpreviously existingprotections,went intoeffect in2019.257Nevadalawhadalreadyrequiredwebsitesandonlineservicesthatcollectcer-tainpersonal information toprovidenotice to consumers.258WhilenotdirectlyimportinglanguagefromtheCCPA,thenewNevadalawechoes the conceptual core of the CCPA by prohibiting companiesfromsellingconsumerinformationonreceiptofa“verifiedrequest”fromtheconsumertooptout.259Thatsaid,thenewNevadalawprovesconsiderablylessambitiousinscopethantheCCPA:itcoversanar-rowerdefinitionofpersonal information, andanarrower subsetofbusinesses, and requires less of them (no access requests, nodele-tion).260Italsodefines“sale”lessbroadlythandoestheCCPA.261Butitsfocusonanopt-outforrestrictingsaleofpersonaldataisdistinctlyCalifornian,andnotEuropean.262

Insummary:aconsiderablenumberofstatesaremimickingthepreciselanguageoftheCCPA,whileothersareadoptingitscorecon-sumer-oriented framework. No state has proposed adopting Euro-pean-style comprehensive data protection law.We found very fewstate proposals that even focused onGDPR-like compliance obliga-tions in addition to individual consumer rights, includingWashing-ton’srecentlyfailedPrivacyAct263(discussedfurtherbelow)andoneofthetwobillsproposedinTexas.264OneofNewYork’sproposalsre-flectsathirdcompetingconceptofdataprivacy,whichweintroduceanddiscussinthenextSection.265Butourcloseanalysisclearlyshows

255. H.R.3358,101stGen.Assemb.(Ill.2019). 256. S.418,30thLeg.,Reg.Sess.(Haw.2019);S.613,2019Gen.Assemb.,Reg.Sess.(Md.2019);seealsoMarmoretal.,supranote251(describingthedifferencesbetweenthestates’draftlaws). 257. S.220,80thSess.(Nev.2019). 258. NEV.REV.STAT.§603A.340(2019). 259. Nev.S.220,§2.2(codifiedatNEV.REV.STAT.§603A.345). 260. Nev.S.220. 261. Id.§1.6.1. 262. Id.§2.2. 263. WashingtonPrivacyAct,S.5376,66thLeg.,Reg.Sess.(Wash.2019). 264. H.R.4390,86thLeg.(Tex.2019). 265. S.5642,2019–2020Leg.Sess,Reg.Sess.(N.Y.2019);seeIssieLapowsky,NewYork’s Privacy Bill Is Even Bolder Than California’s, WIRED (June 4, 2019),

Page 46: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1777

thatCalifornia,notEurope,iscatalyzingcomprehensivedataprivacylegislationinstatesaroundthecountry.

2. FederalLawsWhilestatebillsaretypicallymodeledontheCCPA,manypro-

posedfederalprivacybillsmaynotlookmuchliketheCCPAatall.Yet,weargue,theyareclearlydraftedinresponsetoit.Therewerebyourcountatleasttenfederaldataprivacyproposalsintroducedin2018and 2019.266 New federal bills continue to be introduced all thetime.267WecompareseveraloftheseproposedfederallawstoshowhowtheydifferfromboththeGDPRandtheCCPA—andnotehowathirdmodel has also emerged.We close this Section by explainingwhy,nonetheless,theCCPAcanbeunderstoodastheprimarycatalystoffederaldataprivacyproposals.

We compare below the following proposed legislation to theCCPA and GDPR: Senator Ron Wyden’s Consumer Data ProtectionAct,268 SenatorMarco Rubio’s American Data Dissemination Act,269andSenatorBrianSchatz’sDataCareAct.270Weconcludethatthesub-stantiveprovisionsofseveralofthebillsdrawfromolderprivacylawsorfromacademicproposals,nottheGDPRortheCCPA.Atleastamong

https://www.wired.com/story/new-york-privacy-act-bolder[https://perma.cc/HMH4-EEGM](describingtheNewYorkPrivacyAct). 266. Seesupranote6(listingcomprehensiveprivacybillscurrentlybeingconsid-eredinCongress).SeegenerallyCameronF.Kerry,BreakingDownProposalsforPrivacyLegislation:HowDoTheyRegulate?,BROOKINGS(Mar.8,2019),https://www.brookings.edu/research/breaking-down-proposals-for-privacy-legislation-how-do-they-regulate[https://perma.cc/2XML-YBRU](discussinghowdifferentdataprivacypro-posalsmayinteractwithexistingregulatoryframework);TimPeterson,CirclingClosertoaFederalPrivacyLaw,CongressHas Introduced7PrivacyBillsThisYear,DIGIDAY(June 25, 2019), https://digiday.com/marketing/cheatsheet-know-7-privacy-bills-congress-introduced-year[https://perma.cc/GC3V-ERD6](describingdifferentfed-eraldataprivacyproposals). 267. See,e.g.,ZackWhittaker,ANewSenateBillWouldCreateaU.S.DataProtectionAgency,TECHCRUNCH(Feb.13,2020,4:00AM),https://techcrunch.com/2020/02/13/gilliband-law-data-agency[https://perma.cc/9568-6NNH](discussinganewbillpro-posedbySenatorKirstenGillibrandcalledtheDataProtectionAct);GeoffreyA.Fowler,NobodyReadsPrivacyPolicies.ThisSenatorWantsLawmakersToStopPretendingWeDo, WASH. POST (June 18, 2018, 7:00 AM), https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown [https://perma.cc/87D2-7LMW](discussinganewbillproposedbySenatorSherrodBrowncalled theDataAccountabilityandTransparencyAct). 268. S.SIL18B29,115thCong.(2018). 269. S.142,115thCong.(2019). 270. S.3744,115thCong.(2018).

Page 47: Catalyzing Privacy Law

1778 MINNESOTALAWREVIEW [105:1733

thebillsanalyzedhere,onlySenatorWyden’sbillshowsdirectsignsofinfluencefromboththeCCPAandGDPR.

TheproposedConsumerDataPrivacyAct(CDPA),271introducedbySenatorWydeninNovember2018,incorporateslanguageandcon-ceptsfromboththeCCPAandGDPR,yetdiffersfromboth.Forexam-ple, liketheCCPA,theCDPA’sdefinitionofpersonalinformationfo-cusesonwhether information isnot just individually identifiedbut“reasonably linkable” to an individual.272 Like the CCPA, the CDPAdoesnotcoverbusinessesbelowacertainsize,aslongastheymeetotherrestrictions.273TheCDPA,however,wouldincorporateanum-berofaspectsoftheGDPR:itwouldrequirereportinginsomecircum-stances;274 createaccess rights,275 includingwithrespect tocompa-niesthatlackadirectrelationshipwithconsumers;276createarightofcorrection;277 and require impact assessments for automated deci-sion-making.278UnlikeeithertheGDPRorCCPA,however,theCDPAwouldbuildenforcementaroundarobustconsumerrighttooptoutof data sharing with third parties.279 The CDPA directs the FTC topromulgate regulations, and houses enforcement with the FTC, towhich it allocates considerable additional resources.280 It does notpreemptstateregulation.

TheproposedDataCareAct(DCA)introducedinDecember2018by Senator Schatz with fourteen cosponsors, differs fundamentally

271. S.SIL18B29,115thCong.(2018). 272. Compareid.§2.12(defining“personalinformation”as“anyinformation,re-gardlessofhowtheinformationiscollected,inferred,orobtainedthatisreasonablylinkabletoaspecificconsumerorconsumerdevice”),withCaliforniaConsumerPri-vacyActof2018,CAL.CIV.CODE§1798.140(o)(1)(West2018)(defining“personalin-formation”as“informationthatidentifies,relatesto,describes,isreasonablycapableofbeingassociatedwith,orcouldreasonablybelinked,directlyorindirectly,withaparticularconsumerorhousehold”). 273. CompareS.SIL18B29,115thCong.§2.5(B)(i)(2018)(excludingcompanieswithlessthanfiftymilliondollarsinaverageannualgrossreceiptsandrequiringthattheynotcollectinformationonoveronemillionpeopleanddevicesandarenotdatabrokers),withCAL.CIV.CODE§1798.140(1)(A)(2018)(excludingcompanieswithlessthantwenty-fivemilliondollarsinannualgrossrevenues). 274. S.SIL18B29,115thCong.§5(2018). 275. Id.§7(b)(1)(D). 276. Id.§7(b)(1)(D)(iii);seeGDPR,supranote7,art.14(“Informationtobepro-videdwherepersonaldatahavenotbeenobtainedfromthedatasubject”). 277. S.SIL18B29§7(b)(1)(F). 278. Id.§7(b)(1)(G). 279. Id.§7(b)(1)(D)(iii). 280. Seegenerallyid.

Page 48: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1779

fromboth theCCPAandGDPR.281TheDCAwould imposedutiesofcare, loyalty,andconfidentialityononlineserviceproviders.282TheDCAfocusesondutiesowedbycompanieswithadirectrelationshiptoconsumers,notondatabrokersorotherthirdparties.283Thus,theDCA advances a consumer protection rather than data protectionmodel of privacy and does not impose any of the transparency re-quirementsthatarecentraltoboththeCaliforniaandEUregimes.TheDCAembodies an emerging strain of thought about privacy amongU.S.scholarswhoadvocateredefiningprivacyasamatterof“trust”or“fiduciary-likeduty”onthepartoflarge-scaledatacollectors.284The“informationfiduciary”modelofdataprivacyhasnotbeenlimitedtoSenatorSchatz’s federalproposal; the recentNewYorkPrivacyActwasmodeledontheconcept.285Thisshowsthepossibilityofathirdpotentialcatalystonthefield—theconceptofan“informationfiduci-ary,”stemmingfromanumberofacademicproposals—andindicatesperhapsanupcomingbattleofthenormentrepreneurs,discussedfur-therbelow.

281. DataCareActof2018(DCA),S.3744,115thCong.(2018).TheDCAwouldputenforcementinthehandsoftheFTC,alreadyresponsibleforenforcingaspectsofU.S.dataprivacyunder itsconsumerprotectionauthority. Id.§4(a).TheActwouldnotpreemptstateprivacylaws,althoughstateattorneysgeneralwouldbepreventedfrombringingenforcementactionsduringanFTCenforcementaction.Id.§5. 282. Id.§3. 283. Id. 284. See ARI EZRA WALDMAN, PRIVACY AS TRUST: INFORMATION PRIVACY FOR ANINFORMATIONAGE(2018)(advocatingforadataprivacymodelbaseduponacontextoftrust);Balkin,supranote137,at1186(discussing“theconceptofaninformationfidu-ciary”);LindseyBarrett,ConfidinginConMen:U.S.PrivacyLaw,theGDPR,andInfor-mationFiduciaries,42SEATTLEL.REV.1057,1087–106(2019)(arguingthatfiduciarydutiesshouldbeappliedtodatacollectors);NeilRichards&WoodrowHartzog,Pri-vacy’s Trust Gap: A Review, 126 YALE L.J. 1180, 1219–23 (2017) (reviewing FINNBRUNTON&HELENNISSENBAUM,OBFUSCATION:AUSER’SGUIDEFORPRIVACYANDPROTEST(2015),anddiscussinghowtopromotetrustinadigitalworldandholddatacollectorsresponsible);NeilRichards&WoodrowHartzog,TakingTrustSeriouslyinPrivacyLaw,19STAN.TECH.L.REV.431,434(2016)(“Ifwewantasustainabledigitalsociety,weneedstrong,trustedinformationrelationships[betweenconsumersanddatacollec-tors].”);TimWu,AnAmericanAlternativetoEurope’sPrivacyLaw,N.Y.TIMES(May30,2018),https://www.nytimes.com/2018/05/30/opinion/europe-america-privacy-gdpr.html[https://perma.cc/49ZK-87WG](“[T]heUnitedStatesmayneedto...relyonjudgesandstatelawtoestablishthatthelegalconceptof‘fiduciaryduty’canapplytotechnologycompanies.”).Foracritique,seeLinaM.Khan&DavidE.Pozen,ASkep-ticalViewofInformationFiduciaries,133HARV.L.REV.497(2019),whichidentifiesis-sueswiththetheoryofinformationfiduciaries. 285. S.5642,2019–2020Leg.Sess,Reg.Sess.(N.Y.2019);seeBruemmeretal.,su-pranote254(“[T]heNewYorkPrivacyAct includedtheconceptofa ‘datafiduci-ary’....”);Lapowsky,supranote265(“[T]heNewYorkbillwould ...requirebusi-nessestoactasso-called‘datafiduciaries’....”).

Page 49: Catalyzing Privacy Law

1780 MINNESOTALAWREVIEW [105:1733

The proposed American Data Dissemination Act (ADD), intro-ducedbySenatorRubioinJanuary2019,directstheFTCtoproposeprivacyrules “substantiallysimilar, to theextentpracticable, to therequirementsapplicabletoagencies”underthe1974PrivacyAct.286Unlike thePrivacyAct,287whichappliesonly to the federalgovern-ment,theseruleswouldapplytoprivatesectoractorsthatcollectcer-taintypesofpersonalinformation.288TheADDresemblestheGDPRandCCPAonlytotheextentthatthosetworegimes,likethe1974Pri-vacyAct,buildonFairInformationPracticePrinciples.289ItdirectstheFTCtoadoptregulationsthatrestrictdisclosuresofrecords;290createanaccessright;291andcreateacorrectionrightofsorts,oratleastameanstoamendanddisputeinaccuraterecordsbasedonprocesses-tablishedundertheFairCreditReportingAct.292Thus,theADDdrawsonneithertheCCPAnortheGDPRdirectly,butinsteadusesexistingfederalprivacylawasitsmodel.TheADDwouldpreemptstatepri-vacylaws.293

WhilethethreefederalbillsdonotmimictheCCPAtotheextentstatelawsdo,theCCPAlaidthegroundworkforfederallegislationintwokeyways.First,becauseU.S.corporationswithnationalreachwilllikelyfindthemselveshavingtocomplywiththeCCPA(andpossiblyalsotheGDPR),afederalrulepresentslessofaregulatoryburdenforU.S.corporationsthanitwouldhaveintheabsenceoftheCCPA.Sec-ond,manyhopetolimitthepotentialregulatoryburdenofmultiple,varyingstatelawsbyenactingafederallawthatpreemptsstatelaws.Giventheflurryofactivityinstatehousesacrossthecountry,afederallawseems tomanybusinesses like the “leastworst”option. In thissense,thefederalresponsemaywellbeabacklashagainsttheCCPAratherthananembraceofit.

286. American Data Dissemination Act of 2019, S. 142, 115th Cong. § 4(a)(2)(2019). 287. PrivacyActof1974,5U.S.C.§552a. 288. S.142,115thCong.§2(a)(5)(2019)(defining“coveredproviders”). 289. FairInformationPracticePrinciples,INT’LASS’NPRIV.PROS.,https://iapp.org/resources/article/fair-information-practices/#:~:text=(1)%20The%20Collection%20Limitation%20Principle,2)%20The%20Data%20Quality%20Principle[https://perma.cc/EY8C-92GD](describingtheeightprinciples). 290. AmericanDataDisseminationActof2019,S.142,115thCong.§4(b)(1)(B)(2019). 291. Id.§4(b)(1)(C). 292. Id.§4(b)(1)(D)–(E). 293. Id.§6.

Page 50: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1781

C. CALIFORNIAASU.S.PRIVACYCATALYSTTheaboveanalysis—inPart II comparing theCCPAandGDPR,

andinthisPartaboveanalyzingindetailanumberofrecentstateandfederalproposals—leadsustoanewunderstandingofwhatishap-peningintheracetoinfluenceU.S.dataprivacylaw.Thetruestoryismorecomplex,andmoreinteresting,thantheconventionalnarrativeofalong-armed,unilateralBrussels.California,notEurope,hasbeencatalyzingprivacyproposalsacrosstheUnitedStates.

In thisSection,weoffer thisalternativestory.WebeginwithadiscussionofhowourdeparturefromtheGDPR-centricnarrativeismore than justashift in location fromBrussels toSacramento.ThestoryofCaliforniaastheU.S.dataprivacycatalyst involvesnot juststategovernmentactorsbutalsotightlynetworkednormentrepre-neurs,actingagainstbackdropforcesofwhatwecall“dataglobaliza-tion.”ThespreadoftheCCPAtootherstates,weposit,reflectsanum-berofoverlappingdynamics,andtheinfluenceoftheGDPRisonlyoneofthem.ThisversionofthestorymaybemessierthanapureBrusselsEffect,butitismoreaccurateandleadstoseveralinsightsaboutthenearfutureofU.S.dataprivacylaw.

ThetheoriesofregulatorycatalysisthatwediscussedinPartIareessentiallyrealistorrationalchoicetheoriesoflawmaking.Thatis,theBrusselsEffectlargelyconceivesofStates(andstates)asunitaryac-tors,usingpowertoachievecomplianceonaninternationalstageorbalancingstickswithcarrots todrivebothgovernmentandprivateentitiestowardsrationallychoosingaregulatorygoal.

The story of theCCPA,when examined in greater detail, is farmorecomplex.ItisnotthestoryofCaliforniaasaunifiedstateactorbutofacollectionof individualnormentrepreneursthatharnessedthestatelegislativeprocesstoproducethelaw.Inthissense, it isalegalprocessstorymadeupnotjustofgovernmentsbutofindividu-als,issuenetworks,andinterpretativecommunities,onethatreflectsHaroldKoh’scharacterizationofverticallegalprocessinstyleifnotintransnationalnature.294

IftheoriginstoryoftheCCPAteachesanything,itisthatindivid-ualsandnetworksofindividualsplaysignificantrolesintheprocessofregulatorycatalysis.Before2018,California, likeeveryotherU.S.

294. SeegenerallyKoh,supranote192,at1406(explainingcompliancewithinter-nationallawnormsinpartthrough“theverticalprocesswherebytransnationalactorsinteractinvariousfora,generateandinterpretinternationalnorms,andthenseektointernalizethosenormsdomestically”);HaroldHongjuKoh,TransnationalLegalPro-cess,75NEB.L.REV.181(1996)(providingabroadoverviewoftransnationallegalpro-cessanditssignificanceininternationallegalscholarship).

Page 51: Catalyzing Privacy Law

1782 MINNESOTALAWREVIEW [105:1733

stateandthefederalgovernment,hadnocomprehensivedataprivacylaw.RealestatedeveloperAlastairMactaggartwantedtoenactsuchlaw inCalifornia.295Mactaggartandhis friendRickArney,whohadworkedintheCalifornialegislature,knewtheycoulduseCalifornia’sreferendumprocesstoavoidbeingtangledupbylobbyingintheleg-islature.296MactaggartbefriendedMaryStoneRoss,whohadworkedfor theCIA and theHouse IntelligenceCommittee.297 They collabo-ratedondraftingtheballotinitiativethroughagrouptheynamedCal-ifornians for Consumer Privacy, the political committee that thenpushed the bill (although Ross and Mactaggart later had a fallingout).298 Mactaggart looked up privacy experts, and contacted UCBerkeleyProfessorChris JayHoofnagle,whoputhim in touchwithformer FTC Chief Technologist Ashkan Soltani.299 Mactaggart thenhiredSoltanitohelprevisetheproposedballotinitiative,thebonesofwhichbecametheCCPA.300Then,asSoltanihasputit,“Mactaggart...offered SiliconValley a take-it-or-leave-it privacy policy—the samekindthatSiliconValleyusuallyofferedeveryoneelse.”301

ByusingtheCaliforniaballotinitiativeprocess,Mactaggartandhisalliesforcedthestatelegislature’shand.302TheCalifornialegisla-ture,fearingthepracticaldifficultiesofaballotinitiativethatwouldbecomenearlyunchangeablelawwithimmediateeffect,303scrambled

295. SeeNicholasConfessore,TheUnlikelyActivistsWhoTookOnSiliconValley—andWon,N.Y.TIMESMAG.(Aug.14,2018),https://www.nytimes.com/2018/08/14/magazine/facebook-google-privacy-data.html[https://perma.cc/PG7Y-A9FM]. 296. Id. 297. KashmirHill,HowaWomanDisappearsfromtheHistoryBooks,JEZEBEL(Aug.20, 2018), https://jezebel.com/how-a-woman-disappears-from-the-history-books-1828393645[https://perma.cc/J7C9-2CHP]. 298. Seeid.(noting“personalityconflicts”betweenMactaggartandRoss). 299. Confessore,supranote295. 300. Id. 301. Id. 302. Id.Theinitiativegatheredsome629,000signatures.Id. 303. Amendinganinitiativeapprovedbythevoters“wouldrequirea70percentvoteofeachhouseandsignaturebythegovernor,”andanyamendmentwouldhavetobe“consistentwith,andfurthertheintentof,theact.”EdwardR.McNicholas,ColleenTheresaBrown,AmyLally,MichaelMallow&AshNagdev,California’sGDPR?SweepingCaliforniaPrivacyBallotInitiativeCouldBringSeaChangetoU.S.PrivacyRegulationandEnforcement, SIDLEY AUSTIN LLP (June 26, 2018), https://datamatters.sidley.com/californias-gdpr-sweeping-california-privacy-ballot-initiative-could-bring-sea-change-to-u-s-privacy-regulation-and-enforcement[https://perma.cc/KZ9G-RNH2];KristenJ. Mathews & Courtney M. Bowman, The California Consumer Privacy Act of 2018,PROSKAUER ROSE LLP (July 13, 2018), https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018[https://

Page 52: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1783

todraftabill thatwouldpersuadetheinitiative’ssponsorstowith-drawit.304StateAssemblymemberEdChauandStateSenatorRobertHertzberg, both fromdistricts neighboring LosAngeles, introducedthebill.305TheenactmentoftheCCPAdoesnotrepresenttheactionofalegislaturethatindependentlyrecognizedasocialproblemitcouldhelpaddressoraresponsespurredbycompaniesadvocatingforleg-islationunderthepressuresoftheGDPR.Instead,itwasthelegisla-ture’s reaction to leverage exerted by highlymotivated, connected,and—atleastinMactaggart’scase—wealthyindividuals.306

Ratherthancausingaracetothebottom,thebackdropofdataglobalizationappearstohavebothinfluencedandempoweredthesenormentrepreneurs.First,newsstoriesabouttheeffectsofdataglob-alizationenabledMactaggarttoframetheimportanceoftheinitiative,ashe repeatedlypointed to the storyof theBritish consulting firmCambridgeAnalyticausingU.S.persons’datatoallegedlymanipulatevotersinthe2016election.307InthepreambletotheCCPA,theCali-fornia legislatureeventuallyechoedthismotivation.308Second,data

perma.cc/8A87-JZJW](“[I]tcanbeverydifficulttoamend[California]ballotinitiativesoncetheyarevotedintolaw.”). 304. SeeConfessore,supranote295(“[Mactaggart]...toldCalifornialawmakersthathewoulddrophiscampaigniftheycouldpassareasonableprivacybillbyJune28,thelegalpointofnoreturnforformallywithdrawinghis initiativefromthebal-lot.”);Assemb.375,2018Leg.§2(g)(Cal.2018)(enacted)(“InMarch2018,itcametolightthattensofmillionsofpeoplehadtheirpersonaldatamisusedbyadataminingfirmcalledCambridgeAnalytica.”). 305. SeeAssemb.375,2018Leg.§2(g)(Cal.2018)(enacted)(enactingtheCalifor-niaPrivacyActof2018). 306. Tosomeextent, aspectsof theGDPRreflect thisdynamic, too.SeeCaseC–362/14,Schremsv.DataProt.Comm’r,ECLI:EU:C:2015:650(Oct.6,2015)(invalidat-ingtheEUSafeHarborarrangementinfavorofprivacyadvocateSchrems). 307. CambridgeAnalyticaLLC,DocketNo.9383,2019WL6724446(FTCNov.25,2019);seeCaseyNewton,HowaWileyCalifornianBeatGoogleandFacebook’sInfluenceOperation, VERGE (Aug. 15, 2018), https://www.theverge.com/2018/8/15/17691004/california-data-privacy-law-alastair-mactaggart-regulation [https://perma.cc/9CZY-WDKG](“Mactaggartbenefitedfromincreasedskepticismabouttechcompaniesbroadly,buthealsogotanunexpectedgiftthisspring:theCambridgeAnalyticadataprivacyscandal.”).ForanargumentthattheactualimpactoftheCambridgeAnalyticamisuseofinformationonthe2016U.S.electionwas“likelyexaggerated,”seeYOCHAIBENKLER, ROBERT FARIS & HAL ROBERTS, NETWORK PROPAGANDA: MANIPULATION,DISINFORMATION,ANDRADICALIZATIONINAMERICANPOLITICS277(2018). 308. Assemb.375,2018Leg.§2(g)(Cal.2018)(“InMarch2018,itcametolightthattensofmillionsofpeoplehadtheirpersonaldatamisusedbyadataminingfirmcalledCambridgeAnalytica.A series of congressional hearingshighlighted that ourpersonalinformationmaybevulnerabletomisusewhensharedontheInternet.Asaresult, ourdesire forprivacy controls and transparency indatapractices isheight-ened.”).

Page 53: Catalyzing Privacy Law

1784 MINNESOTALAWREVIEW [105:1733

globalizationmayhaveloweredsomeofthebiggerhurdlestoprivacylawmakinginCalifornia(andpossiblyCongress)byimposingGDPRcompliancecostsonthelargeSiliconValleyenterprises,almostallofwhichhaveasubstantialEuropeanpresence.FacedwithsignificantprivacycompliancecostsfromtheGDPR,themarginalcostofastateprivacystatutetotheirbusinessmodelwasnowmuchlower.Third,dataglobalizationenabledtheGDPRitselftotouchU.S.citizensintheformofbothupdatedprivacypoliciesandnewsstoriesaboutprotec-tiveEuropeanprivacy law.309Thisaffectedbothpublicopinionandeliteresponses,whethercausingU.S.citizenstowonderwhyEurope-ansshouldgetprivacyprotectionsthatwedonot,orinspiringlaw-makers like theNorthDakota legislator to takeactiononaprivacybill.310

What happened next—the spread of the CCPA—was intendedandpredictedbyitsoriginators,whohypothesizedthat,likeCaliforniaemissionsstandards,abaselinedataprivacylawwouldspread.311Weofferfourexplanations,beyondtheusualdynamicsoftheCaliforniaEffect,astowhythisishappening.

First,evenpriortotheCCPA,Californiaestablisheditselfnation-allyasanexpertjurisdictionondataprivacylaw,givenbothpreviouspioneeringlegislationandthepresenceofSiliconValleywithinitsbor-ders.Californiahasbeenaforerunnerinlawsgoverningonlinedataprivacyanddatasecurityforoverfifteenyears.TheCaliforniaOnlinePrivacyProtectionAct(CalOPPA)wasenactedin2003andwentintoeffect in 2004.312 It was the first U.S. law “to require commercial

309. See, e.g.,AdamSatariano,GDPR, aNewPrivacy Law,MakesEuropeWorld’sLeadingTechWatchdog,N.Y.TIMES(May25,2018),https://www.nytimes.com/2018/05/24/technology/europe-gdpr-privacy.html(“[T]heEuropeanUnion ... enacts theworld’stoughestrulestoprotectpeople’sonlinedata.”). 310. See,e.g.,BrookeAuxer,LeeRainie,MonicaAnderson,AndrewPerrin,MadhuKumar&EricaTurner,AmericansandPrivacy:Concerned,ConfusedandFeelingLackofControloverTheirPersonalInformation,PEWRSCH.CTR.(Nov.15,2019),https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information[https://perma.cc/QN3J-EX93](“[A]majorityofAmericansreportbeingconcernedaboutthewaytheirdataisbeingusedbycompanies....”). 311. Confessore,supranote295(notinghowMactaggartcomparesprivacylegis-lationtoauto-emissionlegislation). 312. CAL.BUS.&PROF.CODE§§22575–22579(West2014).

Page 54: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1785

websitesandonlineservicestopostaprivacypolicy.”313Intheinter-veningyears,privacypolicieshavebecomeubiquitousacrosstheIn-ternet.314

Also,in2003,Californiaenactedadatabreachnotificationlaw:legalrulesrequiringcompaniesthathavesufferedaqualifyingdatasecurity breach to notify users whose information may have beencompromised.315 Prior to California’s intervention, few companiesvoluntarilydisclosedsecuritybreachesof theircustomers’personalinformation, fearing the public relations disaster of such a revela-tion.316 At first, some companies limited their compliancewith thenewdatabreachnotificationlawtothebordersofCalifornia.In2004,thedatabrokerChoicePointsufferedahugedatabreach.317Initially,it reported that breach to Californians only, as the state’s law re-quired.318However,observersquicklynotedhowodditwouldbeifadatabreachatanAtlanta-basednationwideoperationaffectedonlyCalifornians.Facedwithintensecriticismforfailingtoinformcustom-ersoutsideCalifornia,ChoicePointvoluntarilyissuedanationwideno-tice to allAmericanswhose informationhadbeen compromised.319

313. CaliforniaOnlinePrivacyProtectionAct(CalOPPA),CONSUMERFED’NCAL.EDUC.FOUND.(July29,2015),https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3[https://perma.cc/QL8G-499H]. 314. See,e.g.,supranote208andaccompanyingtext. 315. CAL.CIV.CODE§1798.82(West2003)(providingdisclosurerequirementsforanypersonorbusinessinCaliforniawhoownsorlicensescomputerizeddata,includ-ingpersonalinformation,whenthereisasecuritybreachofthesystem). 316. SAMUELSONL.,TECH.&PUB.POL’YCLINIC,UNIV.CAL.-BERKELEYSCH.L.,SECURITYBREACHNOTIFICATIONLAWS:VIEWS FROMCHIEFSECURITYOFFICERS 15 (2007), https://www.law.berkeley.edu/files/cso_study.pdf[https://perma.cc/5BG7-8VDN](conduct-ing interviews with businesses and noting that “all the organizations interviewednotedconcerns thatapublicnotificationofabreachwoulddamage theirorganiza-tions’reputationandthetrustbehindtheirname”). 317. TomZeller Jr.,BreachPointsUpFlaws inPrivacyLaws,N.Y.TIMES (Feb.24,2005), https://www.nytimes.com/2005/02/24/business/breach-points-up-flaws-in-privacy-laws.html[https://perma.cc/G6MH-GWJW](notingthatthedatabreachal-lowedconartiststoaccess“personaldataofnearly145,000people”). 318. Seeid.(“ChoicePointinformedonly35,000Californiansthattheirinformationmight have been compromised in [breach] because California is currently the onlystatethatrequirescompaniestomakesuchdisclosures.”). 319. ChoicePointexplaineditsdelayinnotifyingnon-Californiansasfollows:“ThecompanysaiditfirstnotifiedconsumersinCaliforniabecausethatwaswheremostofthevictimslived,andthenpreparedmorenoticeswheninvestigatorssuggestedthatresidentsinnearlyeverystatewereaffected.”Id.Mostanalystsdiscreditthisexplana-tion.See,e.g.,RonaldI.Raether,Jr.,ThereHasBeenaDataSecurityBreach:ButIsNoticeRequired?,A.B.A.(Aug.31,2011),http://apps.americanbar.org/buslaw/blt/content/2011/08/article-raether.shtml [https://perma.cc/E57W-NQLT] (“ChoicePoint de-cided initially to notify only California consumers. The backlash was swift and

Page 55: Catalyzing Privacy Law

1786 MINNESOTALAWREVIEW [105:1733

Thisnotificationalsoresulted inanenforcementactionbytheFTC.ChoicePoint,aproviderofcreditreportingservices,hadviolatedthefederalFairCreditReportingActbyallowingaccesstosome163,000consumerreportstopersonswhowerenotdulyauthorizedtoreceiveaccess.320Sofar,thisstoryresonateswithouraccountoftheBrusselsEffect:alargebusinessfounditunwisetocompartmentalizeitscom-plianceeffortsbasedon the lawofparticular jurisdictionsandwasforcedtoprovideahigherlevelofprotectionacrossitsoperations.

By2005,theCaliforniabreachnotificationlawhadunleasheda“wave”ofadditionalreportedsecuritybreachesinthestate.321Thesenotifications inCalifornia alerted consumersnationally of breachesthatmighthaveaffectedthembutremainedunreportedundertheirownstates’laws.Veryswiftly,inatextbookdejureCaliforniaEffect,dozensofotherstatesadoptedtheirownnotificationlaws.322Today,allfiftystateshaveenacteddatasecuritybreachnotificationlaws.323ThelawsthatfollowedCalifornia’snotonlycopiedbutalsobothex-panded324 and contracted325 California’s model. And in 2018, the

immediate.ChoicePointquicklymodifieditsdecisionandnotifiedallaffectedconsum-ersregardlessoftheirstateofresidency.”). 320. Natalie Kim,Three’s a Crowd: Towards Contextual Integrity in Third-PartyDataSharing,28HARV.J.L.&TECH.325,330(2014);seePaulM.Schwartz&EdwardJ.Janger,NotificationofDataSecurityBreaches,105MICH.L.REV.913,923(2007)(de-scribingChoicePoint’ssettlementwiththeFTC).TheFTC-ChoicePointsettlementalsoauthorizedtheFTCtomonitorcomplianceby“[p]osingasconsumersandsuppliers”ofChoicePoint.SeeStipulatedFinalJudgement&Orderat19,UnitedStatesv.Choice-Point Inc., No. 1:06-cv-0198 (N.D. Ga. Jan. 26, 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069stip.pdf [https://perma.cc/P9N9-3T9U]. 321. SatishM.Kini&JamesT.Shreve,NoticeRequirements:CommonThemesandDifferences intheRegulatoryandLegislativeResponsestoDataSecurityBreaches,10N.C.BANKINGINST.87,87(2006). 322. SeeSAMUELSONL.,TECH.&PUB.POL’YCLINIC,supranote316,at3(“Atleast36stateshaveenactedlegislationrequiringorganizationsthatpossesssensitivepersonalinformationtowarnindividualsofsecuritybreaches.Californialedthewayinthecre-ationoftheselaws,drivenbyconcernsaboutidentitytheftandlaxinformationsecu-rity.InfollowingCalifornia’slead,otherstateshaveexpandedupontherequirementsoftheCaliforniastatuteby,forexample,requiringthatorganizationsreportbreachestoastateregulatoryagency.”). 323. Security Breach Notification Laws, NAT’L CONF. ST. LEGISLATURES (July 17,2020),http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx[https://perma.cc/3ZXZ-WA2C]. 324. See SAMUELSONL.,TECH.&PUB.POL’YCLINIC, supra note 316, at 9 (“[M]anystateshaveexpandedthedefinitiontoincludevariousothersformsofpersonalinfor-mation....”). 325. Id.at44(“[M]anystateshavealsonarrowedCalifornia’snotificationtriggerbyexemptingnotificationtoconsumersonlyif,uponareasonableinvestigation,theorganization reasonably determines that harm is not likely to result to individuals

Page 56: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1787

GDPRintroducedsecuritybreachnotificationintoEuropeanlaw,ex-plicitlyborrowingfromCalifornia’sinnovation.326

ThishistoryoffollowingCalifornialawlaysthegroundworkforstatestoimitatetheCCPA.AndCaliforniamaybeseenasanexpertjurisdictionondigitaldatapolicyforotherreasons.Ifastatelegisla-tureisgoingtocopyanotherstateandwantstostrikeabalancebe-tweenindividualrightsandbusinessneeds,Californialawrepresentsanappealinglypre-packagedcompromisefromthestatethathousesbothagenerallypro-consumerelectorateandSiliconValleyindustry.

Second,webelievestatesmaybecopyingCaliforniabecausetheypresumethattheCCPAwillcreateaBrusselsEffectofdefactocompli-ance,originatinginCalifornia.Thisisprobablypartofwhatcausedthecopycatdatabreachnotificationstatutes.Lawmakersinotherstatesshouldanticipatethatcompaniesarelesslikelytoopposeabill if ittracks the contours of a California law that those businessesmustobey already. Even though the CCPA protects only California resi-dents,companiesmayfinditdifficulttopartitionthatdataormaycal-culatethecostis lowenoughtoextendtheircomplianceinfrastruc-turetoconsumersinotherstates.ThismakesthosecompanieswithexposuretotheCCPA,butnottotheGDPR,lesslikelytofightalocallawthatmimicstheCCPA.

Third,comparedtotheGDPR,theCCPAisabetterlegalmemeforU.S.legislators.327TheGDPRcontains99articlesand173recitals,anditharnessesanexistingcomplexregulatorysystemagainsttheback-drop of European court decisions and constitutional doctrine. TheGDPRislong,complicated,andforeign.328TheCCPA’srelativebrevityandsimplicity,however,likelymakeitmoreappealingtostatelegis-latures.Astatecouldonly “copy” theGDPRaftercondensing itandtransposing it into an American legal setting. A state can copy theCCPAsimplybycuttingandpasting.

Fourth,whilenotdirectlycatalyzingU.S.privacylaw,theGDPRcontinuestoplayanimportantrole.ForthemostparttheGDPRhasnothada(dejure)“CaliforniaEffect”ontheU.S.federalgovernmentorU.S.states,butithashada(defacto)“BrusselsEffect”oncompanies

whoseinformationiscompromisedbythebreach.Vermontrequiresthat,ifanorgan-izationmakessuchadetermination,theorganizationmustprovidenoticeandanex-planationtotheAttorneyGeneralortotheapplicabledepartmentofbanking,insur-ance,securitiesandhealthcareadministration.”). 326. SeeGDPR,supranote7,art.33(“Notificationofapersonaldatabreachtothesupervisoryauthority.”). 327. WethankChristinaMulliganforthisinsightfulcharacterization. 328. Seesupranote73andaccompanyingtext.

Page 57: Catalyzing Privacy Law

1788 MINNESOTALAWREVIEW [105:1733

operatinginU.S.jurisdictions.ThismaylowertheresistanceofglobalcompaniestobothstateandU.S.dataprivacylaw.WhilemanyofthecompaniesmostaffectedbytheGDPRwerealreadyshoulderingreg-ulatorycostsunderthepriorDataProtectionDirective,theGDPRhasheavierobligations,moreexplicitextraterritorialreach,andmorese-verepenalties,allofwhichhavedramaticallyincreasedcorporatein-vestmentinGDPRcomplianceoverthelevelsundertheDirective.

AclearexampleofthisdynamicistheproposedWashingtonPri-vacyAct,whichhastwicecomerelativelyclosetopassageonlytofaillate intheprocess.329ThisbillhadmoresimilaritieswiththeGDPRthanotherstatelegislation.330ItusedGDPRterminologysuchas“con-troller”and“processor.”331Itwouldhaveestablished“GDPRlite”re-quirementsfornotice,access,correction,deletion,andrestrictionofprocessingrequirements,andwouldhaveimportedaspectsoftheEUconceptoflawfulprocessing.332Unlikeotherproposedstatelaws,theWashingtonbillincludedprivacyriskassessments,anotherideabor-rowedfromtheGDPR.333ItevendrewontheGDPR’slimitationsonautomateddecision-making.334

The key to understanding why theWashington proposal bor-rowedsomanyelementsoftheGDPRmaybeoneofthestate’slargestcompanies:Microsoft.335Microsofthasdeclaredthatitcomplieswith

329. S.5376,66thLeg.,Reg.Sess.(Wash.2019). 330. Id. 331. Seegenerallyid.;GDPR,supranote7,art.33(usingtheterms“controller”and“processor”). 332. Wash.S.5376§7(requiringcontrollerstoprovidesconsumersaprivacyno-ticethatincludes:thecategoriesofpersonaldatacollected,purposesforwhichthatdataisused,rightsthatconsumersmayexercise,categoriesofpersonaldatasharedwiththirdparties,andwhetheritsellspersonaldatatodatabrokers). 333. Compareid.§8(4)(“Thecontrollermustmaketheriskassessmentavailabletotheattorneygeneraluponrequest.Riskassessmentsareconfidentialandexemptfrompublicinspectionandcopying.”),withGDPR,supranote7,art.35¶7(“Datapro-tectionimpactassessment.”). 334. Washington Privacy Act, H.R. 5376, 66th Leg., Reg. Sess. §§ 6(7), (14)(1)(Wash.2019)(“Aconsumermustnotbesubjecttoadecisionbasedsolelyonprofilingwhichproduceslegaleffectsconcerningsuchconsumerorsimilarlysignificantlyaf-fectstheconsumer...Controllersusingfacialrecognitionforprofilingmustemploymeaningful human review prior to making final decisions based on such profilingwheresuchfinaldecisionsproducelegaleffectsconcerningconsumersorsimilarlysig-nificanteffectsconcerningconsumers.”). 335. Microsoft Corporation (MSFT), YAHOO FIN. (Jan. 17, 2021), https://finance.yahoo.com/quote/MSFT/[https://perma.cc/K68U-3STV](showingMicrosoft’smar-ketcapitalizationasofJanuary17,2021,as$1.608trillion).

Page 58: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1789

theGDPRworldwide.336Withover451,000employeesinthestate,thecompanyhasasignificantvoice inWashington.337Thecompanyac-tivelypromotedadoptionoftheWashingtonstatute;MicrosoftPresi-dentBradSmithdescribeditas“build[ing]onthebestaspectsofap-proaches elsewhere.”338 In introducing the bill, Washington ChiefPrivacyOfficerAlexAlbentellinglyexplainedthat“companiesthatal-ready complywithEurope’sGeneralDataProtectionRegulation ...shouldn’thaveahardtimecomplyingwiththeproposedlawinWash-ington.”339

TheBrusselsEffectonMicrosoftmaythusbedrivingittopushforstateprivacy legislationthatmorecloselymapsonto theGDPRandthereforedoesnotraiseregulatorycostsforMicrosoft—butmayraiseregulatorycostsfornon-GDPR-compliantlocalcompetitors.Mi-crosoftalsogainsbyassuringusersthattheirinformationiswell-pro-tected,withlegalsanctionsforfailures.

After sailing through the state senate by a vote of 46-1,340 theWashingtonbillfounderedamidcontroversyin2019.Afterportionsof the original legislation were stripped out, the state ACLU and

336. JulieBrill,Microsoft’sCommitmenttoGDPR,PrivacyandPuttingCustomersinControl of Their Own Data, MICROSOFT ON ISSUES (May 21, 2018), https://blogs.microsoft.com/on-the-issues/2018/05/21/microsofts-commitment-to-gdpr-privacy-and-putting-customers-in-control-of-their-own-data [https://perma.cc/P5D2-TZZ8](“That’swhytodayweareannouncingthatwewillextendtherightsthatareattheheartofGDPRtoallofourconsumercustomersworldwide.KnownasDataSubjectRights,theyincludetherighttoknowwhatdatawecollectaboutyou,tocorrectthatdata,todeleteitandeventotakeitsomewhereelse.”). 337. MonicaNickelsburg,AmazonSurpassesMicrosoftinNumberofSeattleRegionEmployeesAmidBigGrowthPlansAcrossUS,GEEKWIRE(Sept.9,2019),https://www.geekwire.com/2019/amazon-surpasses-microsoft-number-seattle-region-employees-amid-big-growth-plans-across-us[https://perma.cc/6RZT-AG7L]. 338. BradSmith,NextGenerationWashington:OurPrioritiesfor2019,MICROSOFTON ISSUES (Feb. 11, 2019), https://blogs.microsoft.com/on-the-issues/2019/02/11/next-generation-washington-our-priorities-for-2019[https://perma.cc/M3MR-VZEM]; Wendy Davis,Microsoft Endorses Washington State Proposed Privacy Bill,MEDIAPOST: DIGIT. NEWS DAILY (Feb. 11, 2019), https://www.mediapost.com/publications/article/331814/microsoft-endorses-washington-state-proposed-priva.html[https://perma.cc/H36D-C7HJ]. 339. MonicaNickelsburg,WashingtonStateConsidersNewPrivacyLawToRegulateDataCollectionandFacialRecognitionTech,GEEKWIRE(Jan.22,2019),https://www.geekwire.com/2019/washington-state-considers-new-privacy-law-regulate-data-collection-facial-recognition-tech [https://perma.cc/JRL5-6ZJZ] (paraphrasing Al-ben’sremarks). 340. SenatePassesCarlyle’sWashingtonPrivacyAct,WASH.SENATEDEMOCRATS(Feb.14, 2020), https://senatedemocrats.wa.gov/carlyle/2020/02/14/senate-passes-carlyles-washington-privacy-act[https://perma.cc/TY6U-57MX].

Page 59: Catalyzing Privacy Law

1790 MINNESOTALAWREVIEW [105:1733

consumer advocacy organizations opposed the bill as too weak.341Criticsobjectedthatthebill’sdeparturefromelementsoftheGDPR,especiallyinitsenforcementmechanisms,wouldmakeitineffective;theyalsocomplainedthatindustrylobbyistshadtoomuchinfluenceoveralegislativeprocesstheyconsideredopaque.342Afterworkingtomendfenceswithprivacyadvocatesandexpandindustrysupport,thebill’ssponsorsreintroduceditin2020,withmostofthesamecorefea-tures,butagainfellshortattheendofthelegislativesession.343Mi-crosoft’schiefprivacyofficer,formerFTCcommissionerJulieBrill,344has signaled that the companywill continue to support legislationmodeledatleastlooselyontheGDPR,declaring,“Webelieveprivacyisafundamentalhumanright.”345

This story of theWashington Privacy Act displays the GDPR’sBrusselsEffectinaction.Butagain,italsounderscoresthepowerofindividualorcorporatenormentrepreneurs.AglobalcompanythatalreadycomplieswiththeGDPRhasgoodreasontowanttoimposecosts on its competitorswhile publicly promoting stronger privacyrightsforitsusersandthusenhancingtheirtrustinthatcompany.Inaddition, Brill, a former FTC commissionerwhowaswell regardedamongprivacyadvocates,appearstobedrivingtheagendaandbring-ingincompliancenormsfromaU.S.governmentagency.

341. CoalitionLetterinOppositiontoSB5378,ACLUWASH.(Apr.16,2019),https://www.aclu-wa.org/docs/coalition-letter-opposition-sb-5376[https://perma.cc/5UVT-8T23];WashingtonStatePrivacyBillFailsToAdvance;ConsumerReportsSaysWeak Bill Did Not ProvideMeaningful Protections, CONSUMERREPS.ADVOC. (Apr. 18,2019),https://advocacy.consumerreports.org/press_release/washington-state-privacy-bill-fails-to-advance-consumer-reports-says-weak-bill-did-not-provide-meaningful-protections[https://perma.cc/V6WS-AMH8];seealsoLucasRopek,WhyDid Washington State’s Privacy Legislation Collapse?, GOV. TECH. (Apr. 19, 2019),https://www.govtech.com/policy/Why-Did-Washington-States-Privacy-Legislation-Collapse.html[https://perma.cc/L6RK-C67U]. 342. Ropek,supranote255. 343. LucasRopek,WashingtonPrivacyLawOnceAgainFailsToMaterialize,GOV.TECH. (Mar. 13, 2020), https://www.govtech.com/policy/Washington-Privacy-Law-Once-Again-Fails-to-Materialize.html[https://perma.cc/JC9N-UC2G]. 344. Former Commissioners, FED.TRADECOMM’N, https://www.ftc.gov/about-ftc/biographies/former-commissioners[https://perma.cc/5F66-ZGDJ]. 345. SeeJulieBrill,TheNewWashingtonPrivacyActRaisestheBarforPrivacyintheUnitedStates,MICROSOFTON ISSUES (Jan.24,2020),https://blogs.microsoft.com/on-the-issues/2020/01/24/washington-privacy-act-protection[https://perma.cc/NA9L-VMAU]; JulieBrill,OurSupport forMeaningfulPrivacyProtectionThrough theWashingtonPrivacyAct,MICROSOFTONISSUES(Apr.29,2019),https://blogs.microsoft.com/on-the-issues/2019/04/29/our-support-for-meaningful-privacy-protection-through-the-washington-privacy-act[https://perma.cc/3TWA-GHYD].

Page 60: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1791

Finally, theGDPRmaybeplayingan important framingrole inpolicydiscussions,acting torhetoricallynormalizeandgroundcur-rentconversationsarounddataprivacy.ThepublicityaccompanyingtheadventoftheGDPRmayhavestokedAmericanpublicinterestindataprivacy.TheGDPRmaybe leadingU.S. citizens—including theNorthDakotalegislatormentionedabove346—towonderwhyEUper-sonsgetstrongerprivacyrightsthanAmericans,andtoquestionthelongstandingnarrative that imposingdigital privacy regulationwillbreaktheInternetorotherwisekillinnovation.347

SomemaydoubtthesincerityofCaliforniaasaprivacyregulator.Dataprotectionrules,criticswillobserve,encumbersomeofitslead-ingcorporations.Theymayassumethatthesecorporationswillhob-bleanyrealregulatoryenforcementbythestate.ButCalifornia’secon-omyis farbiggerthanSiliconValleyalone.Ofcourse,diffusevoicesfarepoorlyagainstactorswithconcentratedinterests,asMancurOl-sonobserved.348ButMaryStoneRoss,AlastairMacTaggart,andoth-ersdemonstrated thatCalifornia’s initiativeprocesscouldbe lever-agedtotapintoawidelyshareddesiretoprotectprivacythatcouldovercome even concentrated industry opposition. Indeed, MacTag-gartandhisorganization led thesuccessfulcampaigntopassCCPArevisionsbyballotmeasure.349Thistime,however,MaryStoneRossopposed the ballotmeasure, arguing that “the initiativewould roll

346. Seesupranote244andaccompanyingtext. 347. ForadescriptionoftheroleofprivacylawintheriseofU.S.Internetcompa-nies,seeAnupamChander,HowLawMadeSiliconValley,63EMORYL.J.639,642(2014),whichstatesthat“legal innovations inthe1990sthatreduced liabilityconcerns forInternetintermediaries,coupledwithlowprivacyprotections,createdalegalecosys-temthatprovedfertileforthenewenterprisesofwhatcametobeknownasWeb2.0.” 348. MANCUROLSON,THELOGICOFCOLLECTIVEACTION:PUBLICGOODSANDTHETHEORYOFGROUPS2(1965)(“[U]nlessthenumberofindividualsinagroupisquitesmall,orunlessthereiscoercionorsomeotherspecialdevicetomakeindividualsactintheircommoninterest,rational,self-interestedindividualswillnotacttoachievetheircom-monorgroupinterests.”). 349. SeeAllisonGrande,What’satStakeasCalif.PrivacyLawRevampGoestoVot-ers,LAW360(Oct.23,2020,9:12PM),https://www.law360.com/articles/1313938/what-s-at-stake-as-calif-privacy-law-revamp-goes-to-voters [https://perma.cc/RBL8-JNAK]; Sidney Fussell,One ClearMessage from Voters This Election?More Privacy,WIRED (Nov. 4, 2020, 8:26 PM), https://www.wired.com/story/one-clear-message-voters-election-more-privacy[https://perma.cc/7N4A-RE3E].

ForthefulltextoftheCaliforniaPrivacyRightsandEnforcementActof2020,seeTheCaliforniaPrivacyRightsActof2020,CAL.DEP’TJUST.(Nov.4,2020),https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf[https://perma.cc/CWP9-C85F].

Page 61: Catalyzing Privacy Law

1792 MINNESOTALAWREVIEW [105:1733

backtheCCPA’sprotectionsandweakencoredefinitionsofthelaw,whilemakingthebiggestcompaniesevenmorepowerful.”350

VogelarguesthattheCaliforniaEffectrequiresthat“nonstateac-torsinrichandpowerfulpoliticaljurisdictionspreferstrongerregu-latorystandards.”351Content-based industriesbased inLosAngeleshavelongcomplainedthatSiliconValleyenterprisesareinsufficientlyattentive to intellectual property claims. The CCPA’s principal au-thors352bothrepresentdistrictsborderingLosAngeles.353ManySili-conValleyenterprisesthemselvessupportdataprivacylaw,thoughsomesuggestthatthesupportisastrategicefforttoundermineCali-fornia’sprivacylawwithaweaker,preemptivefederallaw.354ThereisareasonforresponsibleSiliconValleyenterprisestoembracepri-vacylaw.SiliconValleyenterprisesdependonusers’confidencethatrevealingmoreandmoreofthemselvestotheirelectronicassistantswillnotcreateprivacyrisks.Companiesthatviolatethattrustunder-minetrustforothercompaniesaswell.355Ultimately,whetherCalifor-niansorthoseoutsidethestatetrustthestate’sprivacyregulatorswilldependontheirperformance.356

There aremanymore individual norm entrepreneurs atworkhere in the spread of the CCPA to other states, and the federal re-sponsetoit,thanwehavethusfarallowed.Asmentionedabove,theUniformLawCommission’snewprojecttodraftmodelstatelegisla-tionrepresentsoneofthemostformalsuchnetworks:commissionersfromeverystateconsciouslyseektoreplicatesuccessfulinnovationsacross state boundaries in a uniform way. Individual federal

350. Grande,supranote349. 351. VOGEL,supranote45,at268. 352. Assemblymember Ed Chau and Senator Robert Hertzberg introduced theCCPA.IssieLapowsky,CaliforniaUnanimouslyPassesHistoricPrivacyBill,WIRED(June28, 2018, 5:57 PM), https://www.wired.com/story/california-unanimously-passes-historic-privacy-bill[https://perma.cc/LPW2-CW6B]. 353. Chau represents the 49th Assembly District and Hertzberg represents the18thSenateDistrict.EDCHAU,https://a49.asmdc.org[https://perma.cc/NBG3-GUY9];SENATOR ROBERT HERTZBERG, https://sd18.senate.ca.gov [https://perma.cc/Q4SK-9DYQ]. 354. RussellBrandom,TimCookWantsaFederalPrivacyLaw—butSoDoFacebookandGoogle,VERGE(Oct.24,2018,4:12PM),https://www.theverge.com/2018/10/24/18018686/tim-cook-apple-privacy-law-facebook-google-gdpr[https://perma.cc/QDP5-3NH5]. 355. SeeAriEzraWaldman,PrivacyasTrust:SharingPersonalInformationinaNet-workedWorld,69U.MIA.L.REV.559,598(2015);seealsoBalkin,supranote137;Rich-ards&Hartzog,supranote284,at435. 356. Cf. Ann E. Carlson, Regulatory Capacity and State Environmental Leader-ship:California’sClimatePolicy,24FORDHAMENV’TL.REV.63,65–66(2012)(describingsuccessofCalifornia’senvironmentalpolicyagency).

Page 62: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1793

representativesarecatalystsforchange.SenatorWyden,forexample,hasbeenaprivacyadvocateforyearsandmaybetakingadvantageofcurrentdynamicstopushforchangestofederallaw.357CivilsocietygroupssuchastheCenterforDemocracyandTechnologyhavepro-posed discussion legislation in hopes of influencing the federal de-bate.358TheNorthDakotalegislatorwhowatchedaGDPRdocumen-tary,too,canbecharacterizedasanormentrepreneur.DavidHoffmanatIntelCorporation,characterizedasalongtime“industryleaderonprivacy,” developed a draft federal proposal that Intel released forcomments.359Thesestorieslikelyrepresentthetipofaverylargeice-bergofindividualsandknowledgenetworksworkingtoharnessex-istingforcestopropagatenewlaw.

This suggests the early growth of what we call “catalysis net-works.”PaulSchwartzhasnotedtheexistenceof“harmonizationnet-works”(atermcoinedbyAnne-MarieSlaughter)inprivacylaw—net-works of “regulators in different countries [who]work together toharmonize or otherwise adjust different kinds of domestic law.”360WhatweareseeinghereisnotsolelyattemptsbyvariousactorstoharmonizeU.S.andEUlawontheground(althoughitiscertainlyintheinterestofglobalcompaniestominimizedisparities).Wepredictthatweareseeingtheemergenceofbothindividualsandnetworkstaking advantage of themoment to drive both broader geographiccoverageandperhapsnewformsoflaw.

Inoneversionofthisstory,theCCPAbecomesnotjustacatalystbutafloorofprotectionnationwide.Therearecertainlyplentyofrea-sonstobelievethismightbethecase.Thatsaid,weturnnowtosev-eralpotentiallimitsonCaliforniancatalysis.

D. CONSTRAINTSONCALIFORNIANCATALYSISThereareat leastthreepossibleconstraintsonthenationwide

spreadofCCPA-likeprivacy law.First, thecomplexrelationshipbe-tweenstateandfederalsovereigntyintheU.S.constitutionalorderin-teractssubstantiallywiththeabilityofstatelawsliketheCCPAtoop-erateor spreadnationally.Both thedormant commerce clauseand

357. SeeSaraMorrison,TheYearWeGaveUponPrivacy,VOX(Dec.23,2020,8:00AM),https://www.vox.com/recode/22189727/2020-pandemic-ruined-digital-privacy;Kerry,supranote266. 358. CDT’s Privacy Legislation, CTR. FOR DEMOCRACY & TECH., https://cdt.org/campaign/federal-privacy-legislation[https://perma.cc/4AZG-K8EF]. 359. Kerry,supranote266. 360. PaulM.Schwartz,TheEU-U.S.PrivacyCollision:ATurntoInstitutionsandPro-cedures,126HARV.L.REV.1966,1967(2013).

Page 63: Catalyzing Privacy Law

1794 MINNESOTALAWREVIEW [105:1733

potentialfederalpreemptionofstatelawcouldlimitthereachofstatelawandthecatalyticeffectoftheCCPA.361Second,whileitisbeyondthescopeofthisArticletoaddresstheseargumentsatlength,recentFirstAmendmentdoctrinemaycreateproblemsfortheCCPAandsim-ilarlaws.362Finally,wenotethepossibilitythatnewmodels,notablyincluding“trust”or“fiduciary”concepts,maytakerootandout-raceboththeGDPRandtheCCPAtobecomethedominantcatalystfornewprivacylaw.

1. TheDormantCommerceClauseBecause Internet regulation inevitablyspillsover jurisdictional

lines,thedormantcommerceclauseplaysanimportantroleindisci-plining any individual state’s Internet regulation. As the SupremeCourt has explained, “By prohibiting States from discriminatingagainstorimposingexcessiveburdensoninterstatecommercewith-outcongressionalapproval,[thedormantcommerceclause]strikesatone of the chief evils that led to the adoption of the Constitution,namely, state tariffs and other laws that burdened interstate com-merce.”363

Thedormantcommerceclauseimposestwoseparateconditionsonregulatoryspillovers:(1)theregulationatissuemustnotdiscrim-inateagainstinterstatecommerce,364and(2)itmustnotimposeex-cessiveburdenson interstatecommerce.365TheSupremeCourthasofferedageneralprinciple:“Where[a]statuteregulateseven-hand-edlytoeffectuatealegitimatelocalpublicinterest,anditseffectsoninterstatecommerceareonlyincidental,itwillbeupheldunlesstheburdenimposedonsuchcommerceisclearlyexcessiveinrelationtotheputativelocalbenefits.”366

361. Oneof theauthorsof thisArticlehasspoken toattorneyswhoarealreadyplanningtochallengetheCCPAunderthedormantcommerceclause. 362. ForanaccountofthewaysthattheFirstAmendmenthaslimitedU.S.privacylaw,seeChander&Lê,supranote137,at516–22. 363. ComptrolleroftheTreasuryv.Wynne,135S.Ct.1787,1794(2015). 364. Dep’tofRevenuev.Davis,553U.S.328,338(2008)(“Underthe...protocolfordormantCommerceClauseanalysis,weaskwhethera challenged lawdiscrimi-natesagainstinterstatecommerce.”). 365. Id.(“Adiscriminatorylawisvirtuallyperseinvalid,andwillsurviveonlyifitadvancesalegitimatelocalpurposethatcannotbeadequatelyservedbyreasonablenondiscriminatoryalternatives.”(citationsomitted)(internalquotationmarksomit-ted)). 366. Pikev.BruceChurch,Inc.,397U.S.137,142(1970).Afindingthatastatuteisdiscriminatorycould“beovercomebyashowingthattheStatehasnoothermeanstoadvancea legitimate localpurpose.”UnitedHaulersAss’nv.Oneida-HerkimerSolid

Page 64: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1795

Early cases challenging state Internet regulation on commerceclausegroundsmetwithsomesuccess.Amongthefirstwasa1997decisioninAmericanLibraryAss’nv.Pataki,overturningaNewYorkstatute that prohibited the transmission of obscene content tomi-nors.367 Into the early twenty-first century, a number of courts fol-lowedtheleadofPatakiwhenevaluatingsimilarstatutes.368However,courts inothercontextshavedeparted fromPataki’sapproach,up-holding, for example, state anti-spam statutes against commerceclause challenges.369 A California appeals court “reject[ed] Pataki’sholdingthatanyStateregulationofInternetuseviolatesthedormantcommerceclause.”370

A federaldistrict court case fromCalifornia seemsparticularlyrelevant.ThatcaseconsideredadormantcommerceclausechallengetoanearlierCaliforniaprivacylaw.In2014,twoCaliforniansfiledaclassactionagainstOmniHotels,allegingaviolationoftheCaliforniaInvasionofPrivacyAct,a1967statutethatmakesitillegaltorecordaconversationwithoutconsentofbothparties.OmniHotelshadsetupitscallcenterinNebraskaandcompliedfullywithNebraskalaw.Ne-braskaoffered“anemployerfriendlylawthatexemptsbusinessfromstatewiretapstatutesandgivesemployerstherighttointercept,dis-closeandusee-mailsintheordinarycourseofbusiness.”371Omniar-guedthatpracticallyspeaking,tocomplywithCalifornialaw,itwouldhavetonotifyallcallerstoitscustomerserviceabouttherecording,notjustCalifornians,andthatthisconstitutedaperseviolationofthecommerceclause.372

WasteMgmt.Auth.,550U.S.330,338(2007)(citingMainev.Taylor,477U.S.131,138(1986)). 367. Am.Librs.Ass’nv.Pataki,969F.Supp.160,169(S.D.N.Y.1997)(“[T]heInter-netisoneofthoseareasofcommercethatmustbemarkedoffasanationalpreservetoprotectusers from inconsistent legislation that, taken to itsmostextreme, couldparalyzedevelopmentoftheInternetaltogether.”).Foracritiqueofthisdecision,seeJackL.Goldsmith&AlanO.Sykes,TheInternetandtheDormantCommerceClause,110YALEL.J.785,786–87(2001). 368. SeeACLUv. Johnson,194F.3d1149,1161 (10thCir.1999);PSINet, Inc. v.Chapman,362F.3d227(4thCir.2004);Am.BooksellersFound.v.Dean,342F.3d96,104(2dCir.2003);Se.BooksellersAss’nv.McMaster,282F.Supp.2d389,396(D.S.C.2003); Cyberspace Commc’ns, Inc. v. Engler, 142 F. Supp. 2d 827, 831 (E.D. Mich.2001). 369. Washingtonv.Heckel,24P.3d404,413(Wash.2001);Fergusonv.Friend-finders,Inc.,115Cal.Rptr.2d258,268–69(Ct.App.2002). 370. Ferguson,115Cal.Rptr.2dat265. 371. Adesv.OmniHotelsMgmt.Corp.,46F.Supp.3d999,1009–10(C.D.Cal.2014)(citationomitted). 372. Id.at1012(“Omniassertsthatbecausetheportabilityofmobilephonenum-bersmakesitunfeasibletodistinguishbetweenCalifornianandnon-Californiancalls,

Page 65: Catalyzing Privacy Law

1796 MINNESOTALAWREVIEW [105:1733

The court decided that the California lawdid not discriminateagainstout-of-stateprovidersandwentontoconsiderwhetherthestatuteundulyburdenedinterstatecommerce.373Itconcluded,“Over-all,theCourtfindsthattheinterestsofCaliforniaintheprivacyofitsconsumerswouldbeaffectedmorebytheapplicationofNebraskalawthanNebraska’spro-businessinterestswouldbeaffectedbytheap-plicationofCalifornialaw.”374 IfOmnihadprevailed,thenNebraskawouldhave,wittinglyornot,createdtheidealconditionsforaprivacyracetothebottom:locateyourcallcenterinNebraskaandignorepri-vacylawsintheotherjurisdictionswhereyourcallersreside.Thedis-trictcourt’srulingavoidedthatresult.

TheCCPAdoesnotappeartofaciallydiscriminateagainstinter-state commerce.375 The statute iswrittenbroadly to coverall busi-nessesthatdealwiththeprivateinformationofCaliforniaresidents,regardlessofwheretheyarelocated.AslongastheCaliforniaattorneygeneraldoesnotenforcethelawagainstforeigncompaniesinadis-criminatoryfashion,theCCPAwouldlikelysurviveatleastthisprongofthedoctrine.

Themorerealisticpotentialbasis forachallengewouldbe thecontentionthattheCCPAposesan“excessiveburden”on interstatecommerce.While it ispossiblethatenforcementoftheCCPAwouldoccur inamannerthat leadstosuchanexcessiveburden,a federalcourtmaywellconcludethattheimportantinterestsatstakejustifiedthe CCPA’s reasonable interventions across state lines.While busi-nesseswillcomplainofheightenedcompliancecosts(asOmnicom-plainedoftheCaliforniarecordinglaw),California’sinterestsinpro-tectingitsresidents’privacymaywelljustifythoseadditionalcosts(asthecourtconcludedintheOmnilitigation).376However,uncertaintymayyetdeterotherstatesfromfollowingtheCCPA’slead,atleastun-tilanycommerceclausechallengeisresolved.

compliancewith§632.7wouldforceOmnitowarnallcallers,eventhosefromsingle-consentstates,thattheycouldberecorded.”). 373. Id. 374. Id. 375. AstheSupremeCourthasexplainedthisaspectofdormantcommerceclausedoctrine,“‘discrimination’simplymeansdifferentialtreatmentofin-stateandout-of-stateeconomicintereststhatbenefitstheformerandburdensthelatter.”UnitedHaul-ersAss’nv.Oneida-HerkimerSolidWasteMgmt.Auth.,550U.S.330,338–39(2007)(quotingOr.WasteSys.v.Dep’tofEnv’tQuality,511U.S.93,99(1994)). 376. OmniHotelsMgmt.Corp.,46F.Supp.3dat1015.

Page 66: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1797

2. PreemptionTheCCPA could face another federalism-based challenge to its

catalyticeffectonotherstates,comingnotfromthecourtsbutfromCongress.Statelawsmaybepreemptedwhencompliancewithbothstateandfederalmandatesisimpossible,andthustheintroductionofacomprehensivefederalprivacylawcouldleadtopreemptionofpartoralloftheCCPA.377Inmanydomains,Congresshasadoptedfederalstatutesthatexplicitlypreemptstatelawinthesamearea,thusestab-lishinguniformnationalstandardsonatopic.378AnewfederalstatutewithanexpresspreemptionclausewouldunraveltheCCPAandanypotentialimitatorsatthestatelevel.Thesuddensupportofmanyin-dustrygroupsforfederalprivacylawislikelymotivatedbythedesireforjustthisoutcome.379

WhoshouldregulateprivacyintheUnitedStates?Shouldstatesregulate privacy, should the federal government, or should both?There are thoughtful arguments for federal preemption of stricterstateregulation,butweconcludethat,onbalance,thefederalgovern-mentshouldestablishanationalminimum,notanationalmaximum,for data privacy. This is what William Buzbee has called “floorpreemption,”allowingaone-wayratchetforstandards—upwards—acrosstheUnitedStates.380Infact,preemptionmaybetheissuethatkillsproposedfederaldataprivacylaw,aspowerfulCaliforniansandDemocrats line up against the industry and Republicans. HouseSpeakerNancyPelosihasvowednottosupportanyfederalprivacylaw that provides fewer protections than the CCPA or indeed thatpreemptsstatelawatall.381However,industrywillbelessinterestedinanyfederallawifitwouldnotsupersedetheCCPA.

377. SeeFla.Lime&AvocadoGrowers,Inc.v.Paul,373U.S.132,142–43(1963). 378. See,e.g.,17U.S.C.§301(federalpreemptionprovisionoftheCopyrightActof1976);21U.S.C. §343-1 (preemptingstate lawconcerning food labeling);29U.S.C.§1144 (federal preemption provision of ERISA). See generally S. Candice Hoke,PreemptionPathologiesandCivicRepublicanValues,71B.U.L.REV.685,700(1991). 379. Writingofthisdynamicinothercontexts,RoderickHillsJr.explainsthisap-parentcontradiction:“[F]ederalregulationfrequentlyresultsfromlobbyingeffortsbyindustryintereststhatopposeregulation.Theapparentparadoxofthisstatementdis-solveswhenonetakesintoaccountindustry’sdesireforuniformityofregulation.”Ro-derickM.Hills,Jr.,AgainstPreemption:HowFederalismCanImprovetheNationalLeg-islativeProcess,82N.Y.U.L.REV.1,20(2007). 380. WeborrowherethefederalregulationframeworksetoutbyWilliamBuzbee.WilliamBuzbee,AsymmetricalRegulation:Risk,Preemption,andtheFloor/CeilingDis-tinction,82N.Y.U.L.REV.1547,1549(2007). 381. Darius Tahir, Pelosi Puts Privacy Marker Down, POLITICO (Apr. 15, 2019,10:00 AM), https://www.politico.com/newsletters/morning-ehealth/2019/04/15/pelosi-puts-privacy-marker-down-424986[https://perma.cc/GJ39-7J9J](“‘We

Page 67: Catalyzing Privacy Law

1798 MINNESOTALAWREVIEW [105:1733

Therearevirtuesofasinglenationalstandard.382Anationalpri-vacylawwouldestablishuniformityacrosstheregion—ratherthanpromisinghigherorlowerprotectionsdependingonwhereapersonisorwheretheirdataisprocessedorheld.383Itwouldfacilitatedataflowsacrossstateborderswithoutrequiringlegalreviewofthelawsofmultiplejurisdictions.Itwouldavoidthepossibilityofinconsistentmandatessuchasinconsistentnoticerequirements.Compliancecostslikelywouldgodownwithonlyonelegalstandard.

Buta federalpreemptionceiling raises substantial concerns. Itrisksestablishingaminimallevelofprivacy—onelowerthanthatastatesuchasCaliforniacouldhavedemanded.Second,itmayreduceexistingenforcementcapacityandexpertisebysideliningstateattor-neysgeneralwhocurrentlyengageinsignificantenforcementofdataprivacyanddatasecuritylaw.384Stateshavealonghistoryofregulat-ingprivacy,muchofitdevelopedthroughthecommonlaw.385AsPe-terSwirehasdocumented,existingfederalprivacylegislationgener-allyservesasaregulatoryfloor,notaceiling,includingsector-specificpreemptionprovisionsadoptedsincethemid-1990s.386ThisreflectswhatBuzbeeobserves,that“[i]nmostareasfocusedonregulationofrisks...suchasdiscriminationandeffortstoenhancepublicwelfarethroughregulationofenvironmental,occupational,andproductrisks,theprotective‘onewayratchet’offloorpreemption...hasbeenthe

cannot accept anything—for example, the Republicans would want preemption ofstatelaw.Well,that’sjustnotgoingtohappen,’[Pelosi]said.‘WeinCaliforniaarenotgoingtosay,“YoupassalawthatweakenswhatwedidinCalifornia.”Thatwon’thap-pen.’”). 382. SeeSchwartz,supranote76,at423–27;PatriciaL.Bellia,FederalizationinIn-formationPrivacyLaw,118YALEL.J.868,890–99(2009). 383. Bellia,supranote382,at897. 384. Citron,supranote87,at798–99(observingimportantroleofstatesinprivacyprotection).Toavoidthisproblem,anyfederalpreemptioncouldexpresslyretainanenforcement role for state attorneys general. See Peter Swire, US Federal PrivacyPreemptionPart2:ExaminingPreemptionProposals,IAPP(Jan.10,2019),https://iapp.org/news/a/us-federal-privacy-preemption-part-2-examining-preemption-proposals[https://perma.cc/KQS5-KUV4]. 385. SeeWilliamL.Prosser,Privacy,48CALIF.L.REV.383,386–87(1960). 386. PeterSwire,USFederalPrivacyPreemptionPart1:HistoryofFederalPreemp-tion of Stricter State Laws, IAPP (Jan. 9, 2019), https://iapp.org/news/a/us-federal-privacy-preemption-part-1-history-of-federal-preemption-of-stricter-state-laws[https://perma.cc/R3WR-KF8C].BothHIPAAandGINAserveasfloorsforstateregu-lation,notceilings.See45C.F.R.§§160.203–.205(2019)(HIPAA);GeneticInformationNondiscriminationAct of 2008,Pub. L.No. 110-233, §2(5), 122Stat. 881, 882–83.WhiletheFairCreditReportingActpreemptssomecausesofaction,itpermitsstatestoregulateidentitytheft.SeeFairCreditReportingAct,15U.S.C.§1681t(a).

Page 68: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1799

legislative and regulatory norm.”387 Most importantly, a federalpreemptionceilingriskslosingtheregulatoryinnovationthatcontin-uedstatelegislationintheareamightsupply.388

Newfederalprivacylawcouldprovideanationwidefloor,per-mittingstatestointerveneonlytotheextentthattheyraiseprivacystandardsfurther.Thisallowsforstateinnovationsandexperimenta-tion.WritingofanearliernarrowCalifornialawthatpermitsminorstodeletecertaininformationtheyuploadedtoInternetsites,HeatherGerken and James Dawson argue that “[i]f the experiment provesworkable,California’s‘eraser’lawmayserveasamodelforfuturereg-ulation;iftheexperimentfails,policy-makerswillbeallthewiser.”389Ofcourse,anationalfloorsacrificestheuniformityofasinglenationalstandard, increasingcompliancecosts.But if any stateoffersa too-strictprivacyrule—onethatistoodifficulttocomplywithgivenitsbusinessmodel—acorporationmightsimplyrefusetoprovideittherelevantproductorservice.

Yet an additional option, raised previously by Paul Schwartz,mightbeaCleanAirActmodelfordataprivacy:Congresscoulddes-ignateCaliforniaasakindofsuperregulator,grantingittheexclusiveright todeviateupwards from the federalprivacystandard.390ThiswouldallowCaliforniaalonetheopportunitytoinnovateintheareaand permit other states to choose either California’s or the federalgovernment’srules. Itwouldlowerregulatorycompliancecostsbutpreservesomeroomforupwardregulation.However,itwouldforegothepossibilityofexperimentationinotherstates,whichmightregu-latedifferently,moreclearly,ormorestringently thanCalifornia.391Forexample,thisapproachcoulddestroytheprospectofanew“trust”model emerging from legislation such as the bill proposed in NewYork.392

Regulatinginthefaceofsubstantialuncertaintywillrequiready-namicapproach.Becauseofthepaceofchangeindatagatheringandprocessing, informationprivacy is a study in surprising turns.Datacanbeusedinunexpectedways;itsbenefitsanddrawbacksareyetto

387. Buzbee,supranote380,at1552. 388. SeeSchwartz,supranote76,at917(describingstatesas“laboratoriesforin-novationsininformationprivacylaw”). 389. HeatherK.Gerken&JamesT.Dawson,LivingUnderSomeoneElse’sLaw,36DEMOCRACYJ.42,47(2015). 390. Schwartz,supranote76,at935(referencingAnnCarlson’sscholarship). 391. SeeVT.STAT.ANN.tit.9,§2453(2017);201MASS.CODEREGS.17(2009);OR.REV.STAT.§§646A.600–.628(2007). 392. Seesupranote217andaccompanyingtext.

Page 69: Catalyzing Privacy Law

1800 MINNESOTALAWREVIEW [105:1733

befullydiscovered.Thelasthandfulofyearshavebroughtustrackingpixels,facialrecognition,deepfakes,robotdogs,andevenomnipres-entsatellites.393Ifafederalbillossifiestherules,wemaynotbeabletogeneratetheregulationsneededforyetmoresurprisingturns.Ofcourse, the federalgovernment iscapableofmoreagileversionsofgovernance such as collaborative governanceor responsive regula-tion,includingthrougharegulatoryagencyliketheFTC.394

Ifafederallawpreemptsstateinformationprivacylaw,theCCPAmightbelosttohistory,amerefootnoteinthecenturiesofevolutionofprivacylaw.Yetwebelieveitwouldstillhaveservedacriticalrole:promptinganomnibusfederalprivacylawforthefirsttimesincethedawnoftheInternetage.AsGerkenandDawsonobserve,“Bycreatingaspillover,asingleinnovativestatecanputanitemonthenationalagendaevenifnearlyeveryoneelse—Congress,interestgroups,andotherstates—wouldpreferthattheissuegoaway.”395Thiswouldbeasignificantandlong-lastingCaliforniaEffect,indeed.

3. TheFirstAmendmentAnotherpotentialconstraintontheenactmentofstateandfed-

erallaws,andindeedthesurvivaloftheCCPA,istheFirstAmendment.DiscussedaboveinthecontextofthedifferingregulatorysettingsoftheEuropeanUnionandUnitedStates,theFirstAmendmentpoten-tiallyposesconstraintsondraftersofU.S.privacylaw.Whilein-depthcoverage of these constraints—and their limitations—is outside ofthisArticle’sscope,weoutlineafewbasicconceptshere.

393. ClareGarvie,AlvaroBedoya&JonathanFrankle,ThePerpetualLine-Up:Un-regulated Police Face Recognition in America, GEO.L.CTR. ONPRIV.&TECH. (Oct. 18,2016), https://www.perpetuallineup.org [https://perma.cc/RB45-VME5]; Ry Crist,Yes,theRobotDogAteYourPrivacy,CNET(June28,2019,8:21AM),https://www.cnet.com/news/yes-the-robot-dog-ate-your-privacy[https://perma.cc/ZZT8-W3CK];ChristopherBeam,Soon,SatellitesWillBeAbleToWatchYouEverywhereAlltheTime,TECH.REV.(June26,2019,8:21AM),https://www.technologyreview.com/s/613748/satellites-threaten-privacy[https://perma.cc/2BAY-PCNT]. 394. CharlesSabelandhiscoauthorsargueforthevirtueofa“rolling-ruleregime”where“regulatorsusereportsonproposalsandoutcomestoperiodicallyreformulateminimumperformancestandards,desirable targets, andpaths formoving from theformertothelatter.”CharlesSabel,ArchonFung&BradleyKarkkainen,BeyondBack-yardEnvironmentalism,24BOS.REV.4,4(1999).Forotheragilegovernancemodels,seeDennisD.Hirsch,GoingDutch?CollaborativeDutchPrivacyRegulationandtheLes-sonsItHoldsforU.S.PrivacyLaw,2013MICH.ST.L.REV.83,151–60;McGeveran,supranote20,at979–85;andLaurenE.Willis,Performance-BasedConsumerLaw,83U.CHI.L.REV.1309,1330–35(2015). 395. Gerken&Dawson,supranote389,at46.

Page 70: Catalyzing Privacy Law

2021] CATALYZINGPRIVACY 1801

TheFirstAmendmentprotectsfreedomofspeech.Italsoprotectsexpressiveactivity(speechmixedwithaction)andpenumbralactivitynecessaryforspeechtotakeplace(suchastheplacementofnewspa-perkioskstodistributenewspapersorthepurchaseofpenandpa-per).396AseriesofFirstAmendmentcasesonpublicrecordsestab-lished significant limitations on laws restricting the distribution oflawfullyobtained information.397Morerecently, theSupremeCourtappliedtheFirstAmendmenttofindunconstitutionalaVermontlawregulatingthesaleofprescriptiondruguserdata.398Andin2018,theSupremeCourtfoundunconstitutionalaseriesofdisclosurerequire-mentsaimedatprotectingpatientsfrompro-lifeorganizationsposingasabortionprovidersinadecisionthatcouldhaveconsequencesforotherdisclosure-basedconsumerprotectionregimes.399

Recently,theexpansivecoverageandprotectionofFirstAmend-ment doctrine has led some to decry its potential deregulatory ef-fects.400Ontheotherhand,privacyscholarshavenotedthattheFirstAmendmentalsoprovidesarguments foreffectiveprivacy law,asalackofprivacycanchillfreeexpression.401Commentatorsdisagreeon

396. SeeMargotE.Kaminski,PrivacyandtheRightToRecord,97B.U.L.REV.167,189(2017). 397. CoxBroad.Corp.v.Cohn,420U.S.469,493–95(1975);seealsoVolokh,supranote137,at1116–17. 398. Sorrellv.IMSHealth,Inc.,564U.S.552(2011);seeChander,supranote137(arguingthatSorrelldemonstrates“theseriousnessofFirstAmendmentconstraintsonprivacyregulationsoninformationintermediaries”).CasessuchasFloridaStarv.B.J.F.,491U.S.524(1989),CoxBroadcastingCorp.,420U.S.469,andSmithv.DailyMailPublishing,443U.S.97(1979),canbereadtostandfortheprinciplethatonceinfor-mationislegallydistributed,governmentcannotrestrictitsuseabsentstateinterestofthehighestorder.However,anumberofscholarsarguethatprivacylawscanpassFirstAmendmentmuster.Balkin,supranote137,at1189.ButseeVolokh,supranote137,at1051. 399. SeeAmyHowe,OpinionAnalysis:DividedCourtRulesforAnti-AbortionPreg-nancyCenters inChallengetoCaliforniaLaw,SCOTUSBLOG(June26,2018,4:02PM),https://www.scotusblog.com/2018/06/opinion-analysis-divided-court-rules-for-anti-abortion-pregnancy-centers-in-challenge-to-california-law[https://perma.cc/Q7WJ-VFZB]. 400. See Shanor, supra note 185, at 133;MARY ANNE FRANKS, THE CULT OF THECONSTITUTION105(2019). 401. See,e.g.,MarcJonathanBlitz,ConstitutionalSafeguardsforSilentExperimentsinLiving:Libraries,theRightToRead,andaFirstAmendmentTheoryforanUnaccom-paniedRightToReceiveInformation,74UMKCL.REV.799,800(2006);JulieE.Cohen,ARightToReadAnonymously:ACloserLookat“CopyrightManagement”inCyberspace,28CONN.L.REV.981,1003–19(1996);NeilM.Richards,IntellectualPrivacy,87TEX.L.REV.387,393–94(2008);MargotE.Kaminski&ShaneWitnov,TheConformingEffect:FirstAmendmentImplicationsofSurveillance,BeyondChillingSpeech,49U.RICH.L.REV.465, 467 (2015); Skinner-Thompson, supra note 185; Anupam Chander, Youthful

Page 71: Catalyzing Privacy Law

1802 MINNESOTALAWREVIEW [105:1733

howmuchofdataprivacylawmightsurviveFirstAmendmentchal-lenges.402Throughcourtchallengesorthroughitsexpandingculturalpenumbra,theFirstAmendmentmaychillthespreadoftheCCPA.

CONCLUSIONWhatdoesallofthismeanforourprivacy?Theendresultofthe

racebetweentheGDPRandtheCCPAmaywellbeahybridofboth.Thede factoprivacy lawgoverningglobal corporationsmaybe thestrictest aspectsofbothCalifornia andEuropean law—a figurative,butnotliteral,highestcommondenominator.403ThankstoaBrusselsEffect, some largeglobalenterpriseswouldadhere toGDPRnorms.ButthankstoaCaliforniaEffectinoneofthevariousformswehavedescribed,thatstatewouldhaveoutsizedinfluenceonthesubstanceofU.S.privacylaw—asAlastairMactaggarthasboasted,“Under[theCCPA],theattorneygeneralofCaliforniawillbecomethechiefprivacyofficeroftheUnitedStatesofAmerica.”404Manycorporationswillfindthemselves comporting with both regimes simultaneously, ratherthanconfiguring their servicesorofferingsby jurisdiction.Call thishybridthe“CDPR”—theCCPA+theGDPR.

Butthisdefactorealityonlygoessofar.Thoseoutsideeitherju-risdictionwillnotbeabletoassertthoserightsdirectlywitheitherregulatorsorcourts.Bothregimesgrantindividualrightsonlytotheirown residents. For example, themuch-embattled facial recognitioncompanyClearviewprovidesonlyCaliforniansandEuropeanUnionresidentstheopportunitytooptout.405

WepredictthatwithintheUnitedStates,theCCPAwillyetcon-tinue to drive both businesses and legislatures. The CCPA, both defactoanddejure,willlikelycallthetuneforthemarchofanewAmer-icandataprivacyspreadingtootherjurisdictions.California,notBrus-sels,hasemergedasthesuperregulatorofU.S.privacylaw.

IndiscretioninanInternetAge,inTHEOFFENSIVEINTERNET124,134(SaulLevmore&MarthaNussbaumeds.,2010). 402. Forasamplingofthisextensivedebate,seeJaneBambauer,IsDataSpeech?,66STAN.L.REV.57,60–61(2014);Richards,supranote137,at1521–22;andVolokh,supranote137,at1050–51. 403. Amoremathematicalanalogymightbetwocurvesmappingoutvariousis-suesonthexaxiswithybeingthelevelofstrictnessforeachissue,resultinginathirdoperationalcurveconsistingofthehighestpeaksbetweenthetwocurves. 404. Confessore,supranote295. 405. Privacy Request Forms,CLEARVIEW.AI, https://clearview.ai/privacy/requests[https://perma.cc/BU9L-8MG7] (including a separate reference to the UK necessi-tatedbyBrexit).