University of Colorado Law School University of Colorado Law School
Colorado Law Scholarly Commons Colorado Law Scholarly Commons
Articles Colorado Law Faculty Scholarship
2021
Catalyzing Privacy Law Catalyzing Privacy Law
Anupam Chander Georgetown University Law Center
Margot E. Kaminski University of Colorado Law School
William McGeveran University of Minnesota Law School
Follow this and additional works at: https://scholar.law.colorado.edu/articles
Part of the Constitutional Law Commons, European Law Commons, First Amendment Commons,
International Trade Law Commons, Internet Law Commons, Legislation Commons, Privacy Law
Commons, and the State and Local Government Law Commons
Citation Information Citation Information Anupam Chander, Margot E. Kaminski, and William McGeveran, Catalyzing Privacy Law, 105 MINN. L. REV. 1733 (2021), available at https://scholar.law.colorado.edu/articles/1336.
Copyright Statement Copyright protected. Use of materials from this collection beyond the exceptions provided for in the Fair Use and Educational Use clauses of the U.S. Copyright Law may violate federal law. Permission to publish or reproduce is required. This Article is brought to you for free and open access by the Colorado Law Faculty Scholarship at Colorado Law Scholarly Commons. It has been accepted for inclusion in Articles by an authorized administrator of Colorado Law Scholarly Commons. For more information, please contact [email protected].
1733
Article
CatalyzingPrivacyLaw
AnupamChander,†MargotE.Kaminski,††andWilliamMcGeveran†††
Introduction..........................................................................................................1734 I.Superregulators..............................................................................................1738 A. TheDelawareEffect............................................................................1740 B. TheCaliforniaEffect...........................................................................1742 C. TheBrusselsEffect..............................................................................1744
II.GDPRVersusCCPA......................................................................................1746 A. EuropeanDataProtectionVersusU.S.Consumer
Protection................................................................................................1747 B. SubstantiveSimilarities....................................................................1749 C. SubstantiveDifferences....................................................................1755
III.CatalyzingPrivacy......................................................................................1762
† ProfessorofLaw,GeorgetownUniversityLawCenter;J.D.,YaleLawSchool;B.A.,HarvardUniversity.Copyright©2021byAnupamChander.
†† AssociateProfessorofLaw,UniversityofColoradoLawSchool;Director,Pri-vacyInitiative,SiliconFlatironsCenter.J.D.,YaleLawSchool;B.A.,HarvardUniversity.Copyright©2021byMargotE.Kaminski.
†††AssociateDeanforAcademicAffairsandJuliusE.DavisProfessorofLaw,Uni-versityofMinnesotaLawSchool.J.D.,NewYorkUniversityLawSchool;B.A.,CarletonCollege.Copyright©2021byWilliamMcGeveran.
TheauthorsaregratefulforinsightfulcommentsbystudentsintheTechnologyLawColloquiumatGeorgetownandtheLawandEconomicsWorkshopatMinnesota,by professors and students at Cardozo School of Law, and by professors at facultyworkshopsatLoyola,Villanova,andWilliam&Marylawschoolsandatthe2019Pri-vacyLawScholarsConferencehostedatBerkeleyLaw.WethankinparticularWilliamBuzbee,LauraDickinson,RogerFord,LydiadelaTorre,MegJones,ChristinaMulligan,OrlaLynskey,PaulOhm,NeilRichards,andJorisvanHoboken.Wealsothankoursu-perbeditorsattheMinnesotaLawReview,especiallyMatthewCavanaugh,AlinaYasis,andMelanie Griffith. Anupam Chander gratefully acknowledges a Google ResearchAwardforrelatedresearch.WilliamMcGeverangratefullyacknowledgesfundingbytheWargoResearchScholarFund.WereceivedexcellentresearchhelpfromShiwenCai,LydiaDavenport,XingeHe,AnnaKvinge,RominaMontellanoMorales,PaigePa-pandrea,CarolineSchmitz,andlibrarianHeatherCasey.Theviewsherein(andaller-rors)aretheauthors’alone.
1734 MINNESOTALAWREVIEW [105:1733
A. BrusselsastheWorld’sPrivacyCatalyst...................................1765 B. ButSeetheUnitedStates.................................................................1767
1. StateLaws.......................................................................................1769 2. FederalLaws.................................................................................1777
C. CaliforniaasU.S.PrivacyCatalyst................................................1781 D. ConstraintsonCalifornianCatalysis...........................................1793
1. TheDormantCommerceClause...........................................1794 2. Preemption....................................................................................1797 3. TheFirstAmendment................................................................1800
Conclusion.............................................................................................................1802
INTRODUCTIONWhentheGeneralDataProtectionRegulation(GDPR)tookeffect
inMay2018,itpositionedtheEuropeanUnionastheworld’sprivacychampion.1Aflurryofemailsupdatingprivacypolicieslandedinin-boxesacrosstheglobe,attestingtotheinternationalreachoftheEu-ropean rule.2 Amonth later, California enacted the California Con-sumer Privacy Act (CCPA), establishing the nation’smost stringentomnibusprivacyprotections,effectiveasofJanuary1,2020.3Califor-nia,thehomeofmanyoftheworld’slargestdata-basedenterprises,4emergedasadarkhorsecontenderintheprivacyregulatorrace.Inthepastyear,stateafterstateconsideredbroaddataprivacylegisla-tion,5andelevencomprehensivefederalprivacybillswereintroducedinCongress.6
1. AdamSatariano,G.D.P.R.,aNewPrivacyLaw,MakesEuropeWorld’sLeadingTechWatchdog,N.Y.TIMES(May24,2018),https://www.nytimes.com/2018/05/24/technology/europe-gdpr-privacy.html[https://perma.cc/24RK-ZMJV]. 2. Brian Fung,Why You’re Getting Flooded with Privacy Notifications in YourEmail,WASH.POST(May25,2018,3:15PM),https://www.washingtonpost.com/news/the-switch/wp/2018/05/25/why-youre-getting-flooded-with-privacy-notifications-in-your-email[https://perma.cc/MGR2-XYGW]. 3. See CAL.CIV.CODE §§ 1798.100–.199 (2018); DaisukeWakabayashi, SiliconValley FacesRegulatoryFight on ItsHomeTurf,N.Y.TIMES (May13, 2018), https://www.nytimes.com/2018/05/13/business/california-data-privacy-ballot-measure.html[https://perma.cc/7XTE-3LU3]. 4. HankTucker,World’sLargestTechnologyCompanies2020:AppleStaysonTop,Zoom and Uber Debut, FORBES (May 13, 2020, 5:30 AM), https://www.forbes.com/sites/hanktucker/2020/05/13/worlds-largest-technology-companies-2020-apple-stays-on-top-zoom-and-uber-debut[https://perma.cc/L473-BYT3]. 5. SeeinfraPartIII.B.1. 6. SeeConsumerOnlinePrivacyRightsAct,S.2968,116thCong. (2019)(Sen.MariaCantwell);OnlinePrivacyActof2019,H.R.4978,116thCong.(2019)(Rep.AnnaEshoo);DesigningAccountingSafeguardsToHelpBroadenOversightandRegulationsonDataAct, S.1951,116thCong. (2019) (Sen.MarkWarner);DoNotTrackAct, S.
2021] CATALYZINGPRIVACY 1735
What is catalyzingU.S. privacy law? The conventionalwisdomholdsthatEuropeissettingtheglobalstandardforinformationpri-vacy.Thereismuchtruthtothis—some142countriesandcountingnowhaveabroaddataprivacylaw,typicallymodeledontheGDPR.7Scholarswritinginsightfullyabouttheglobalracetoinformationpri-vacyhavetrackedthespreadofdataprivacylawsacrosstheworld,notingEurope’sinfluenceonthesedevelopments.8Inarecentarticle,PaulSchwartzobservesthattheEuropeanUnionpioneeredinterna-tionalprivacylawtoenablecommerceamongnationswithintheblocitself.9HearguesthatothercountrieslargelyadoptedtheEuropean
1578,116thCong.(2019)(Sen.JoshHawley);PrivacyBillofRightsAct,S.1214,116thCong.(2019)(Sen.EdwardMarkey);BalancingtheRightsofWebSurfersEquallyandResponsibly(BROWSER)Actof2019,S.1116,116thCong.(2019)(Sen.MarshaBlack-burn);InformationTransparency&PersonalDataControlAct,H.R.2013,116thCong.(2019)(Rep.SuzanDelBene);OwnYourOwnDataAct,S.806,116thCong.(2019)(Sen.JohnKennedy);DataAccountabilityandTrustAct,H.R.1282,116thCong.(2019)(Rep.BobbyRush);SocialMediaPrivacyProtectionandConsumerRightsActof2019,S.189,116thCong.(2019)(Sen.AmyKlobuchar);AmericanDataDissemination(ADD)Actof2019,S.142,116thCong.(2019)(Sen.MarcoRubio);seealsoDataCareActof2018,S.3744,115thCong.(2018)(Sen.BrianSchatz);MindYourOwnBusinessActof2019,S.2637,116thCong.(2019)(Sen.RonWyden)(updatingSen.Wyden’s2018ConsumerDataProtectionAct);CustomerOnlineNotification forStoppingEdge-providerNet-workTransgressions(CONSENT)Act,S.2639,115thCong.(2018)(Sen.Markey).InJune2020,SenatorSherrodBrownreleasedthe“DataAccountabilityandTranspar-encyAct of 2020” as a discussiondraft.DataAccountability andTransparencyAct,SIL20719,116thCong(2020). 7. Theexactnumberofcountrieswithcomprehensivedataprotectionlawsde-pends on one’s characterization of any particular law and keeps changing asmorecountriesadoptnewlaws.WhileGrahamGreenleafidentifies142countriesandjuris-dictionswithsuchlaws,GrahamGreenleaf&BertilCottier,2020EndsaDecadeof62NewDataPrivacyLaws,in163PRIV.L.&BUS.INT’LREP.24,24–25(2020),theUnitedNationsConferenceonTradeandDevelopment(UNCTAD)counts128.DataProtectionand Privacy LegislationWorldwide, U.N.CONF. ONTRADE&DEV., https://unctad.org/page/data-protection-and-privacy-legislation-worldwide[https://perma.cc/W47P-RHL2].MostrecentlawsaremodeledontheGDPR.See,e.g.,NigeriaDataProtectionRegulation(2019),https://nitda.gov.ng/wp-content/uploads/2020/11/NigeriaDataProtectionRegulation11.pdf. Among other differences, the Nigerian lawpermitsfinesuptotwopercentofglobalturnover,notthefourpercentpermittedbytheGDPR.Compareid.§2.10(a),withGeneralDataProtectionRegulation2016/679,art.83(5),2016O.J.(L119)1,83[hereinafterGDPR]. 8. See,e.g.,GrahamGreenleaf,GlobalConvergenceofDataPrivacyStandardsandLaws:SpeakingNotesfortheEuropeanCommissionEventsontheLaunchoftheGeneralDataProtectionRegulation(GDPR)inBrusselsandNewDelhi,25May2018(U.N.S.W.L.Rsch.Series,PaperNo.18-56,2018),https://ssrn.com/abstract=3184548. 9. PaulM.Schwartz,GlobalDataPrivacy:TheEUWay,94N.Y.U.L.REV.771,810(2019)(“[TheEU’s]powerinthisregardfirstdevelopedinresponsetoissuesthatitfacedinternally.ItneededtoharmonizethedataprocessingpracticesofEUmemberstates. The inward-facing elements of EU data protection law then became an im-portantfactorinitsadaptabilitytotherestoftheworld.Hereisaglobaldiffusionstory
1736 MINNESOTALAWREVIEW [105:1733
Union’sdataprivacymodel,reflectingits“successinthemarketplaceofideas.”10
Schwartz cites the CCPA as an example of Europe’s success inspurringotherjurisdictionstoenactsimilarlaws.11Journalistsreport-ing on the CCPA’s enactment, too, have frequently referred to it as“GDPRlite”12and“California’sversionofGDPR.”13Andasthepushforfederal legislation intensifies,manycharacterize it asanational re-sponsetotheGDPR.14
ThisArticlechallengesthisemergingconsensus.DespitedecadesofEuropeanprivacylaw,theUnitedStatesshowedlittleappetiteuntilnowforbroadprivacy legislation.15 Instead,normentrepreneurs inCaliforniahelpedestablishanewprivacyframeworkthat,asweshow,differs significantly—and consciously—from theEuropeanmodel.16OurclosecomparisonofthenewCaliforniaandEuropeanlawsrevealsthat theCCPA isnot simplyGDPR-lite: it is bothmoreand lessde-mandingonvariouspoints.17 Itoffersa fundamentallydifferent re-gimefordataprivacy.Andthenumerouslegislativeproposalsinstate
thatbeginswitharesponsetointernalpoliticalconsiderations.”);seealsoMichaelD.Birnhack,TheEUDataProtectionDirective:AnEngineofaGlobalRegime,24COMPUT.L.&SEC.REP.508,510(2008). 10. Schwartz,supranote9,at818. 11. Id.at816(“Ideasmatter.Eventhoughtheadequacyrequirementprovidesanimpressivefulcrumforinternationalinfluence,theglobalsuccessofEUdataprotectionisalsoattributabletothesheerappealofhighstandardsfordataprotection.Thisap-pealcannotalonebeexplainedbytheforceofEUmarketpowerorevenspecificEUnegotiating strategies. To illustrate, this Article can point to an example from theUnitedStates,namely,theenactmentoftheCaliforniaConsumerPrivacyAct(CCPA)of2018.”).Global legalconvergencecan indeedbe theresultofnormativeagreement.See,e.g.,AnupamChander&RandallCosta,ClearingCreditDefaultSwaps:ACaseStudyinGlobalLegalConvergence,10CHI.J.INT’LL.639,640(2010)(arguingthatinthewakeofthe2008/2009financialcrisis,theUnitedStatesandEurope“convergedonasimilarclearingstructurelargelybecauseofitscompellinglogic”). 12. See, e.g.,KayvanAlikhani,RegulatoryDisruption: IsYourBusinessReadyToComply with the CCPA?, FORBES (June 6, 2019, 9:15 AM), https://www.forbes.com/sites/forbestechcouncil/2019/06/06/regulatory-disruption-is-your-business-ready-to-comply-with-the-ccpa[https://perma.cc/Y56A-BDRE]. 13. See,e.g.,GeorgeP.Slefo,MarketersandTechCompaniesConfrontCalifornia’sVersionofGDPR,ADAGE(June29,2018),https://adage.com/article/digital/california-passed-version-gdpr/314079[https://perma.cc/U7M7-7BKN]. 14. See,e.g.,ElizabethSchulze,TheUSWantsToCopyEurope’sStrictDataPrivacyLaw—butOnly Someof It, CNBC (May23,2019,1:16AM),https://www.cnbc.com/2019/05/23/gdpr-one-year-on-ceos-politicians-push-for-us-federal-privacy-law.html[https://perma.cc/3KEP-JXBQ]. 15. Seeinfranote20andaccompanyingtext. 16. SeeinfraPartII. 17. SeeinfraPartII(comparingtheGDPRandtheCCPA).
2021] CATALYZINGPRIVACY 1737
housesshowgreaterfealtytoCalifornia’smodelthantotheEuropeanantecedent.18BillspendingbeforeCongressreflectpressurenotfromBrussels,butfromSacramento.
Thus,Californiahasemergedasakindofprivacysuperregulator,catalyzingprivacylawintheUnitedStates.Ratherthanthesuprana-tionalEU,thesubnationalstateofCalifornia—and,morespecifically,asmallnetworkofdeterminedindividualswithinthatstate—isnowdrivingprivacyinasignificantpartoftheworld.TheemergenceoftheCCPAdemonstratesthecentralroleoflocalnetworksandnormentre-preneurship,contestingonthegroundofwhatwecall“dataglobali-zation.”19
Wearethuswitnessingaparadigmshiftinthepolicyconversa-tionarounddataprivacylaw.Untilnow,therulesoftransatlanticpri-vacyrestedonawkwardnegotiatedmechanismstotransferdatabe-tweentwoseeminglyirreconcilableregimes.20Nowwearewitnessingwhatmightbecharacterizedasaregulatoryraceonbothsidesoftheocean.21
ThisArticleisthefirsttocriticallyevaluatetherelationshipbe-tweenCalifornia’sprivacy law,Europe’sdataprotection regulation,andpossiblefuturestateandfederalprivacylaw.22Thisstudyisalsoof practical interest, answering questions for individuals and
18. Seesourcescitedsupranote6. 19. SeediscussioninfraPartIII.C(explaininghowdataglobalizationhelpedpro-peltheCCPAtoitscurrentstatus). 20. SeeDirective95/46/EC,1995O.J. (L281)31 (establishingpre-GDPRrulesregulatingtheprocessingandmovementofpersonaldata);PAULM.SCHWARTZ&JOELR.REIDENBERG,DATA PRIVACY LAW:A STUDY OFUNITED STATESDATA PROTECTION 1–2(1996)(comparingEuropeancountries’comprehensivedataprotectionlawstoothercountries’lessthoroughlaws).ButseeKennethA.Bamberger&DeirdreK.Mulligan,PrivacyontheBooksandontheGround,63STAN.L.REV.247,281–82(2011)(arguingthat the regimes are more similar than different in practice); see also WilliamMcGeveran, Friending the Privacy Regulators, 58 ARIZ. L. REV. 959, 1025 (2016)(demonstrating similarities in enforcement betweendifferent data privacy regimesdespitedifferencesinthelawonthebooks). 21. See,e.g.,SaraMerken,StatesFollowEU,CaliforniainPushforConsumerPri-vacy Laws (1), BLOOMBERG L., https://news.bloomberglaw.com/privacy-and-data-security/states-follow-eu-california-in-push-for-consumer-privacy-laws-1 (Feb. 6,2019,3:02PM). 22. Thefocusofourstudyisonregulationofthedataprotectionpracticesofpri-vateparties,ratherthanontheprotectionofprivacyagainstintrusionsbythestate—ontheregulationof“surveillancecapitalism”ratherthanonmoretraditionalstatesur-veillance.SeeShoshanaZuboff,BigOther:SurveillanceCapitalismandtheProspectsofanInformationCivilization,30J.INFO.TECH.75,75(2015)(defining“surveillancecapi-talism”asa“newformofinformationcapitalism[that]aimstopredictandmodifyhu-manbehaviorasameanstoproducerevenueandmarketcontrol”).
1738 MINNESOTALAWREVIEW [105:1733
businessesalike:Forbusinesses,whoselawsshouldIfollow?Forin-dividuals, who will protect my privacy? Studying these questionsleads,inturn,toanothersetofinquiriesaboutthewaysinwhichca-talysisfromtheGDPRandCCPAgovernprivacyoutsideeitherEuropeorCalifornia.WhenEurope’slawsmeetCalifornia’s,whowins?Ifin-deedEuropeanorCalifornianregulationwillbeappliedgloballydefacto,whythenshouldanyoneelselegislate?
Theanswerstoallofthesequestionshaveimplicationsnotonlyfortheshapeofinformationprivacylawbutforunderstandinginter-jurisdictionalregulatorydynamicsinthedigitaleconomy.Whiledatasharessomecharacteristicswithcars,pollution,andcorporatechar-ters—allthesubjectofpriorglobalizationsoflegalcomplianceandle-galrules23—italsodiffersbecauseofitssimultaneousandinstantane-ous global effects. Data disobeys borders and operates at Internetspeed.Equally important, theanswerstothesequestionsshedlighton the prospects of countries across theworld as they vie for ad-vantageintheinformationage.Ultimately,ouraccountofprivacyca-talysisteststheoperationofbothfederalismandinternationalregu-latorycompetitioninthetwenty-firstcentury.
Ouranalysisproceedsasfollows.PartIsituatesourdiscussionofregulatorycatalysis indataprivacywithinthebroaderframeofthetheoryofregulatorycompetition,borrowinglessonsfromareassuchascorporateandenvironmentallaw.PartIIcomparesthesubstanceoftheGDPRandtheCCPAandthewaysinwhichtheirstructurespro-motecatalysisinotherjurisdictions.PartIIIturnstotheracefordataprivacylaw.WearethefirsttodisentanglethecatalyticeffectsonU.S.federalandstatelawscomingfrombothBrusselsandSacramentoandtoshowthattheresultingproposalsaredistinctlyAmericanandoweagreaterdebttotheCCPAthantotheGDPR.Asitoncedidwithpio-neeringenvironmentalregulation,Californiahasemergedasasuper-regulatoragain,thistimewithrespecttodataintheinformationage.
I.SUPERREGULATORSU.S.privacylawcanbeperiodizedaspre-CCPAandpost-CCPA.
UntiltheCCPA,nostateorfederalstatuteintheUnitedStatesimposedprivacyprotectionsacrossallindustrysectorsandtechnologiesinthemannerthatEuropeandataprotectionlawhaddonefordecades.Eversince the CCPA, Congress and state legislatures across the country
23. Seegenerally,e.g.,RobertV.Percival,TheGlobalizationofEnvironmentalLaw,26PACEENV’TL.REV.451(2009).
2021] CATALYZINGPRIVACY 1739
havebeenconsideringhugenumbersofdataprivacyproposalsofthatscope.24
Whatispromptingthisnewinterestincomprehensivedatapri-vacylawintheUnitedStates?ManypointtotheEU’sGDPR.Afterall,theGDPRwent into effect inMay2018 tomuch fanfare. CountriesaroundtheworldchangedtheirlawstoconformmorecloselywiththeGDPR, drawnby hopes of achieving a finding of “adequacy,”whichwould facilitate their data trade with European economies.25 TheGDPRalsopromptedglobalcompaniestoestablishexpensivecompli-anceprogramsandinfrastructure.26Itmakessense,atfirstglance,tothinkthatEuropehas,throughtheGDPR,drivenU.S.statesandthefederalgovernmenttotakeprivacyseriouslyatlast.Ifso,thisdevel-opmentwould fitneatlywith the largerphenomenon that is some-timescalledthe“BrusselsEffect.”27
Butifthisisthecase,whydidittakesolong?AnuBradfordcoinedthephrasebackin2012,28andtheEUpromulgateditsoriginaldataprotectiondirectivein1995.29IfEuropeanlawpromptedsoul-search-ingamongAmericanlawmakers,itsvoyageacrosstheAtlanticprovedquiteslow.
ThisPartsummarizesoverlappingtheoriesofregulatorycompe-titionandcatalysis,drawnfromvariedsubjectmatterareas,includingcorporateandenvironmentallaw.Inallofthesedomains,earlyclaimsofaracetothebottomspurredbyglobalizationhavebeenchallengedbyscholarswhosuggestedalternativeregulatorydynamicsthatmightleadtoaracetothetoporaracetotheoptimum.30Oftentheseeffectsarenamedfortheplaceswheretheywerefirstdetected:Delaware,
24. Seesupranote6(listingrecentdataprivacybillsconsideredbyCongress). 25. Schwartz,supranote9,at783–86. 26. SeeMehreenKhan,CompaniesFaceHighCostToMeetNewEUDataProtectionRules, FIN.TIMES (Nov. 19, 2017), https://www.ft.com/content/0d47ffe4-ccb6-11e7-b781-794ce08b24dc. 27. MarkScott&LaurensCerulus,Europe’sNewDataProtectionRulesExportPri-vacyStandardsWorldwide,POLITICO(Jan.31,2018,12:00PM),https://www.politico.eu/article/europe-data-protection-privacy-standards-gdpr-general-protection-data-regulation[https://perma.cc/2RWQ-X4WB]. 28. AnuBradford,TheBrusselsEffect,107NW.U.L.REV.1,23(2012)(describingspreadofEU-styleprivacyprotectionsinthewakeoftheEU’s1995DataProtectionDirective). 29. Directive95/46/EC,1995O.J.(L281)31. 30. See,e.g.,RalphK.Winter,Jr.,StateLaw,ShareholderProtection,andtheTheoryof the Corporation, 6 J.LEGAL STUD. 251, 254 (1977) (“[C]ompetitive legal systemsshouldtendtowardoptimalitysofarastheshareholders’relationshiptothecorpora-tionisconcerned.”).
1740 MINNESOTALAWREVIEW [105:1733
California,orBrussels.31 Indifferentways, these three jurisdictionshaveemergedas“superregulators.”LaterintheArticlewewillcon-siderwhichof thesesuperregulatoreffectshavecatalyzeddatapri-vacyrulesacrosstheUnitedStates.
A. THEDELAWAREEFFECTRegulatory competition has been investigated in the greatest
depth in corporate law.32 An early view argued that corporationswouldcharterthemselves inthemostpermissivestate, leadingU.S.states to competewitheachother toofferevermore lax corporatelaw.33Somedubbedthisthe“DelawareEffect,”34becausetwo-thirdsofallFortune500companiesareincorporatedinthatstate.35
Acriticallegalrulemaderegulatorycompetitionpossible.Statelawsdefertoacorporation’sdecisiononitsstateofincorporation—knownasthe“internalaffairs”doctrine.36Thus,acorporationoperat-ingprincipally inCalifornia orKansas can incorporate inDelawareandbeassuredthatrelationsbetweenitsshareholders,directors,andofficerswillbegovernedbyDelawarelaw.37Withoutthis“internalaf-fairs”rule,acorporationmighthavetoconformtothecorporatelaw
31. SeeinfraPartsI.A–C. 32. See,e.g.,WilliamL.Cary,FederalismandCorporateLaw:ReflectionsuponDel-aware,83YALEL.J.663(1974). 33. JusticeLouisBrandeisexplainedtheliberalizationofcorporatelawthroughthisdynamic:
LesserStates,eagerfortherevenuederivedfromthetrafficincharters,hadremoved safeguards from their own incorporation laws.Companies wereearly formedtoprovidecharters forcorporations instateswherethecostwaslowestandthelawsleastrestrictive....Theracewasonenotofdiligencebutoflaxity.
LiggettCo.v.Lee,288U.S.517,557–59(1933)(citationsomitted). 34. See,e.g.,Bradford,supranote28,at5. 35. See DEL.DIV. OFCORPS., ANNUALREPORTSTATISTICS (2018), https://corpfiles.delaware.gov/Annual-Reports/Division-of-Corporations-2018-Annual-Report.pdf[https://perma.cc/8BRQ-QFLX].Andthisdoesnotapplyonlytolarge,establishedcor-porations:in2017,overeightypercentofinitialpublicofferingsintheUnitedStatesusedDelawareasacorporatehome.Id. 36. Rogersv.Guar.Tr.Co.ofN.Y.,288U.S.123,130(1933)(“Ithaslongbeenset-tleddoctrinethatacourt—stateorfederal—sittinginoneStatewillasageneralruledeclinetointerferewithorcontrolbyinjunctionorotherwisethemanagementoftheinternal affairsof a corporationorganizedunder the lawsof anotherStatebutwillleavecontroversiesastosuchmatterstothecourtsoftheStateofthedomicile.”);Van-tagePointVenturePartners1996v. Examen, Inc., 871A.2d1108, 1112 (Del. 2005)(“Theinternalaffairsdoctrineisalong-standingchoiceoflawprinciplewhichrecog-nizesthatonlyonestateshouldhavetheauthoritytoregulateacorporation’sinternalaffairs—thestateofincorporation.”). 37. SeeVantagePointVenturePartners1996,871A.2dat1112.
2021] CATALYZINGPRIVACY 1741
ofallofthejurisdictionsinwhichitoperates.Theinternalaffairsdoc-trinethusallowsacompanytoestablishasingleregulatorforthecor-poratelawaffairsofthecorporation.38
TheclassicanalysespositedthatDelawarehadcorneredthemar-ketforincorporationsthroughdubiouseffortstofavorcorporateof-ficersanddirectors.39RalphWinterfamouslyrejectedthisclaimofaninevitableracetothebottom,arguingthatcorporateleaderswerenotinfactfreetochoosethemostpermissivejurisdictionbecauseshare-holders would penalize them for failing to maximize shareholdervalue.40 Where some had derided Delaware’s efforts as “law forsale,”41RobertaRomanoarguedthatDelaware’seffortswerepartofthegeniusofAmericanlaw.42Insteadofseekingtoracetothebottomtoattractcorporatecharters,Delawarecourts,fortheirpart,sawtheirrole as providing special corporate law expertise.43 Regulatory
38. Withrespecttocorporatelaw,theEuropeanUniondidnotembraceasimilarapproachtothatintheUnitedStatesuntilrecently.Ratherthandeferringtothestateofincorporation,manyEUstatessoughttoestablishwherethe“realseat”ofthecor-porationlay.WernerF.Ebke,TheRealSeatDoctrineintheConflictofCorporateLaws,36INT’LL.1015,1015–16(2002).SuchanapproachwouldnotdefertothemailboxincorporationavailableinDelaware.Seeid.Thisrulewouldstilltypicallyresultinasingleregulator—butthiswouldmakegamingthelawmoredifficult.MatthewG.Dore,DéjàVuAllOverAgain?TheInternalAffairsRuleandEntityLawConvergencePatternsinEuropeandtheUnitedStates,8BROOK.J.CORP.FIN.&COM.L.317,317–18(2014).Onewouldactuallyhavetolocateone’sheadquarters(themanagementandcontrolcenter)inthejurisdictionwiththefriendliestlaws,ratherthansimplyfilloutsomeformstoincorporateviaamailbox.RecentEUcaselawhas,however,movedtowardstheU.S.internalaffairsrule,deferring to the jurisdictionof thestateof incorporation. Id.at325–29.ThisopensupthepossibilityofregulatorycompetitionforcorporatelawinEuropeaswell. 39. Cary,supranote32,at672.Accordingtothisview,statessuchasDelawaremightwishtoattractincorporationsbecauseofthefranchisetax—theannualfeescor-porationspaytomaintaintheirincorporationinthatstate.Indeed,Delawarehascometo fund one-quarter of its budget through this means. STEPHEN M. BAINBRIDGE,CORPORATEGOVERNANCEAFTERTHEFINANCIALCRISIS 24 (2012) (“Delaware generates$740–800millionperyearinfranchisetaxes,whichamountstoaquarterofthestate’sbudget.”); DEL.OFF. OFMGMT.&BUDGET,FINANCIALOVERVIEW (2018), https://budget.delaware.gov/budget/fy2018/documents/operating/financial-overview.pdf[https://perma.cc/R7KY-9YK6](estimatingfranchisetaxesof“$975.0millionforFis-calYear2017and$992.6millionforFiscalYear2018”). 40. Winter,supranote30,at257(“Ifmanagementistosecureinitialcapital...itmustattractinvestorsawayfromthealmostinfinitevarietyofcompetingopportuni-ties.”). 41. E.g.,Editors,Comment,LawforSale:AStudyoftheDelawareCorporationLawof1967,117U.PA.L.REV.861(1969). 42. ROBERTAROMANO,THEGENIUSOFAMERICANCORPORATELAW37–39(1993). 43. AsoneDelawareChanceryCourtjudgenoted,“Delawarehasasubstantialin-terest in providing an effective forum for litigating disputes involving the internal
1742 MINNESOTALAWREVIEW [105:1733
competition, seen fromthisperspective, canoccurnot just throughthecontentofthegoverningrulesbutalsothroughthequalityoftheiradjudication.
TheDelawareEffectthereforecanbesummarizedastheemer-genceofcertainjurisdictionsashighlyinfluentialoverseersofpartic-ularbehaviorbasedonproactiveelectionsmadeby regulatedenti-ties—anopt-intoaparticularjurisdiction.Ifenoughregulatedentitiesmake the same choice, that jurisdictionmay come to dominate thefield.Boththesubstantivelawandtheregulatorytechniquesofaju-risdictionmaythengaininfluenceoutsideitsbordersasotherregula-torsdefertoit.44Whilethisarrangementcouldresultinaracetothebottom,itcouldalsoenabletheemergenceofhighlyspecializedex-pert regulatoryoversight that thenbecomes the standard towhichotherjurisdictionsdefer.
B. THECALIFORNIAEFFECTDavidVogelfamouslychallengedasimilarhypothesisofaraceto
thebottominenvironmentalregulationandconsumerprotectionlaw.Wheremanyarguedthatinternationaltradewouldinevitablyleadtotheerosionofconsumerandenvironmentalregulation,Vogelcoun-teredthat“undercertaincircumstances,globaleconomicintegrationcanactuallyleadtothestrengtheningofconsumerandenvironmentalstandards.”45Insteadofaracetothebottom(whathe,adoptingthetraditionalview,calleda“DelawareEffect”)heofferedthatregulatorycompetition might result in a “California Effect.”46 This outcomehingedon“thecriticalroleofpowerfulandwealthy‘green’political
affairsofDelawarecorporations.”InreActivisionBlizzard,Inc.,86A.3d531,547(Del.Ch.2014).For support for this statement,ViceChancellorLaster citedRobertaRo-mano’sbookTheGeniusofAmericanCorporateLaw:“‘Themostimportanttransaction-specificassetinthecharteringrelationisanintangibleasset,Delaware’sreputationforresponsivenesstocorporateconcerns,’whichstemsfrom‘acomprehensivebodyofcaselaw,judicialexpertiseincorporationlaw,andadministrativeexpertiseintherapidprocessingofcorporatefilings.’”Id.at547n.7(citingROMANO,supranote42,at38–39). 44. See,e.g.,Dore,supranote38,at325–29(describingtheEU’sshifttowardtheinternalaffairsrule). 45. DavidVogel&RobertA.Kagan,Introduction:NationalRegulationsinaGlobalEconomy,inDYNAMICSOFREGULATORYCHANGE1,1(DavidVogel&RobertA.Kaganeds.,2004);DAVIDVOGEL,TRADINGUP:CONSUMERANDENVIRONMENTALREGULATIONINAGLOBALECONOMY5(2004)(“Totheextentthattradeliberalizationhasaffectedthelevelofcon-sumerandenvironmentalprotection,ithasmoreoftenstrengthenedthanweakenedit.”). 46. VOGEL,supranote45,at5–8.
2021] CATALYZINGPRIVACY 1743
jurisdictionsinpromotingaregulatory‘racetothetop’amongtheirtradingpartners.”47
UnliketheDelawareEffect,inwhichajurisdictiontemptscompa-niestooptintoitsregulatoryschemeandotherjurisdictionsthende-fertothatone’sexpertise,theCaliforniaEffectoccurswhenonejuris-dictionpushesotherjurisdictionstoimprovetheirownlaws.48Thisracetothetopisdejureinnature,ratherthandefactoordeferential;otherjurisdictionspasslawsthatmimicthesuperregulatorjurisdic-tion.
VogelidentifiedthreeconditionsunderwhichaCaliforniaEffectmightoccur.49First,aracetothetopismorelikelytobetriggeredifthestandardsaresupportedbyacoalitionofpublicinterestgroupswith regulated companies thatwish to impose the regulatory coststheyfaceontheircompetitorsinother,morelaxjurisdictions.50Sec-ond,thesuperregulatormusthavealargemarketthatissufficientlyattractivethatcompanieswouldratherabsorbthecostofregulationthanforegothemarket.51Third,aracetothetopismorelikelytooc-curifthereisastronginstitutioncapableofharmonizingstandardsacrossjurisdictions,suchastheU.S.federalgovernmentortheEU.52
TheclassicexampleoftheCaliforniaEffect isCalifornia’semis-sionsregulationsforautomobiles.AsAnnCarlsonexplains,fromthemid-1960s onward, the state pioneered strong tailpipe emissionsstandards.53WhenCongressamendedtheCleanAirAct topreemptstatestandardsforemissions,itgrandfatheredin“anystate”thathademissionscontrolsinplacepriortoMarch30,1966—astandardap-plicableonlytoCalifornia,aslawmakersunderstoodperfectlywell.54TheCleanAirActof1970explicitlyrecognizedCaliforniaasasuper-regulator:itbecametheonlystateallowedtosetstricter-than-federalstandards,andotherstatescouldthenopttofollowCalifornia’sstand-ards.55TwelveeasternstatesandtheDistrictofColumbiaannounced
47. Id.at6. 48. Seeid.at5–8. 49. Id.at260–68;seealsoSebastiaanPrincen,TradingUpintheTransatlanticRe-lationship,24J.PUB.POL’Y127,128(2004)(discussingVogel’sproposedconditions). 50. VOGEL,supranote45,at260–61. 51. Id.at261–63. 52. Id.at263–68. 53. AnnE.Carlson, IterativeFederalismandClimateChange,103NW.U.L.REV.1097,1111(2009). 54. Id. 55. SeeRockyMountainFarmersUnionv.Corey,730F.3d1070,1078–79(9thCir. 2013) (“Other states could choose to followeither the federalor theCaliforniastandards,buttheycouldnotadoptstandardsoftheirown.”);Carlson,supranote53,
1744 MINNESOTALAWREVIEW [105:1733
in1994thattheywouldfollowCalifornia.56Autoemissionsrulesillus-trate all three of Vogel’s conditions: a coalition of public interestgroupsalongsideregulatedcompanies,asuperregulatorwithalargeandattractivemarket, anda strong institution (the federal govern-ment)capableofharmonizingstandards.
ThemechanismoftheCaliforniaEffectdiffersfromtheDelawareEffect.UndertheDelawareEffect,otherjurisdictionsdefertothereg-ulatorychoicesofthesuperregulator,magnifyingtheimpactofthosechoices.57UndertheCaliforniaEffect,otherjurisdictionsthemselvesadoptthesamerulesasthesuperregulatorjurisdiction.58
C. THEBRUSSELSEFFECTInthelatetwentiethcentury,astheauthorityandinstitutionsof
theEuropeanUniongrew,anothersuperregulatoremerged:Brussels,theseatoftheEUbureaucracy.AsAnuBradfordvividlydescribesit:“FewAmericansareawarethatEUregulationsdeterminethemakeuptheyapplyinthemorning,thecerealtheyeatforbreakfast,thesoft-waretheyuseontheircomputer,andtheprivacysettingstheyadjustontheirFacebookpage.Andthat’sjustbefore8:30AM.”59
Where the California Effect depends on jurisdictions racing tostrengthentheirregulations inresponsetoeachother, theBrusselsEffectoperatesprincipallyasadefactomechanism,whenmarketac-torsconformtheirglobalproductstoEuropeanrules.60Bradfordob-serves,“[T]heBrusselsEffectismoreaboutonejurisdiction’sabilitytooverrideothersthanitisabouttriggeringanupwardrace.”61
at1134(notingCalifornia’sspecialstatus);NicholasBryner&MeredithHankins,WhyCalifornia Gets To Write Its Own Auto Emissions Standards: 5 Questions Answered,CONVERSATION,https://theconversation.com/why-california-gets-to-write-its-own-auto-emissions-standards-5-questions-answered-94379[https://perma.cc/H7U4-CLJQ]. In 2019, the EPA and NHTSA formally withdrew California’s Clean Air Actwaiver.CoralDavenport,TrumpToRevokeCalifornia’sAuthorityToSetStricterAutoEmissionsRules,N.Y.TIMES(Sept.20,2019),https://www.nytimes.com/2019/09/17/climate/trump-california-emissions-waiver.html[https://perma.cc/QCL6-TDZ6]. 56. PeterP.Swire,TheRacetoLaxityandtheRacetoUndesirability:ExplainingFailuresinCompetitionAmongJurisdictionsinEnvironmentalLaw,14YALEL.&POL’YREV.67,82(1996). 57. SeesupraPartI.A. 58. Seesupranotes47–50andaccompanyingtext. 59. Bradford,supranote28,at3(citationsomitted). 60. Seeid.(“Unilateralregulatoryglobalizationoccurswhenasinglestateisableto externalize its laws and regulations outside its borders throughmarketmecha-nisms,resultingintheglobalizationofstandards.”). 61. Id.at8.
2021] CATALYZINGPRIVACY 1745
Whymight a corporation change its practices outside Europe,adoptingstrictercodesabsent legalcompulsion?Bradfordexplains,“[M]ultinationalcorporationsoftenhaveanincentivetostandardizetheir production globally and adhere to a single rule.”62 Of course,sometimestheseenterprisesdodecidetoobservedifferentregulatoryregimesindifferentlocations.JustasVogeldistilledtheconditionsforaCaliforniaEffect,Bradford identifiescircumstancesunderwhichaBrusselsEffectismorelikelytooccur.63First,aswiththeCaliforniaEffect,theBrusselsEffectislikelytooccuronlywhentheunilateralregulatorrepresentsalargeandattractivemarket.64Second,thatsu-perregulatormusthavesignificantregulatorycapacity,throughwhichittendstoaimstrictrulesat“inelastictargets”suchasconsumermar-kets,thuscreatingrulesthatcan’tbereadilyevaded.65Third,theop-erations of the firmmust be “nondivisible,”meaning that it is lesscostlyforafirmtocomplywiththeonehigherstandardworldwidethantosetupdifferentcompliancestandards.66
UnliketheeffectsnamedforDelawareandCalifornia,theBrus-selsEffectdependson the choicesof the entities subject to regula-tions,notthoseofgovernmentsorregulators.67 Indeed, iforganiza-tions decide to obey a particular jurisdiction’s requirements in alltheiractivities,thenthatjurisdictionwillgaininfluenceevenifotherjurisdictionsmightstronglypreferadifferentrule,solongasthesu-perregulator’sdemandsdonotactuallyviolatethelawinotherplaces.
Whiletheliteraturenamescertaincross-jurisdictionaleffectsaf-terparticularsuperregulatorswhoareespeciallylikelytocausethem,itisamistaketooverinterpretthesenames.Asweshallsee,superreg-ulatorscanaffectotherjurisdictionsinvariousways.68So,forexam-ple,whenothernationsadoptnewdataprotectionlawstoharmonizetheirruleswiththoseintheEU,thisisaCaliforniaEffectthathappenstoemanatefromBrussels.Whenwebsitesbeganpostinggloballyap-plicableprivacypoliciespartlyinresponsetoa2003Californiastatuterequiringtheydoso,69thiswasaBrusselsEffecttriggeredbyaCali-fornia law.Wewill delve into these catalytic effects in privacy law
62. Id.at6. 63. Id.at10–19;seealsoSchwartz,supranote9,at780–83(discussingandapply-ingBradford’sfactors). 64. Bradford,supranote28,at11–12. 65. Id.at12–17. 66. Id.at17–19. 67. SeesupraPartsI.A–B;Bradford,supranote28,at48–49. 68. SeeinfraPartIII. 69. California Online Privacy Protection Act of 2003, CAL. BUS. & PROF. CODE§§22575–22579(2018).
1746 MINNESOTALAWREVIEW [105:1733
more fullybelow.70 First,however,weexplain the substanceof theGDPRandtheCCPA,demonstratingintheprocessboththeiroverlapsanddifferencesandrevealing theemergenceofCaliforniaasacon-tendertobeadataprivacysuperregulator.
II.GDPRVERSUSCCPAWhichdataprivacyregimeisdrivingthewaveoflegislativeac-
tivityrelatedtodataprivacyacrosstheUnitedStates,andwhatisthemechanismofthatinfluence?Toanswerthisquestion,weneedfirsttounderstandthetworegimes.ThisPartrevealsbothsimilaritiesanddifferencesbetweentheGDPRandtheCCPA.Afterall,iftheCCPAcanbedescribedasacopyoftheGDPR,thenevenifwecanshowthatstatelegislatorsandCongressarecopyingCalifornia,SchwartzandotherswouldbecorrectthattheEuropeanUnionistheultimatesourcebe-hindnewU.S.privacyproposals.71Butif,asweargue,theCCPAisafundamentallydifferentregime—onlysimilartotheGDPRatthesur-face,whilelackingmajorstructuralelementsoftheGDPR—thenthequestionofwhothesuperregulatorisbecomesonewithmeaningfulconsequences for understanding all these federal and state pro-posals.72
ApaperbackoftheGDPRrunssome130pages,itssectionsliter-ally divided into chapters.73 The CCPA, by contrast, is around 25pages.74Thetwolawswerealsowrittenonvastlydifferenttimelines.IftheGDPRisadoctoralthesis,theCCPAisatermpaperwrittenthenightbeforethedeadline.75
InthisPart,wecomparethetworegimes,addressingwheretheyapply,whomtheycover,andwhattheyrequire.Wealsoaddressdif-ferencesintheregulatorystyle,enforcementmechanisms,andlegal
70. SeeinfraPartIII. 71. Seesupranotes7–14andaccompanyingtext. 72. Seesupranote6(listingdataprivacybillsproposedinCongressin2019and2020). 73. Eur.Union,EuropeanDataProtectionLaw:GeneralDataProtectionRegula-tion 2016, AMAZON, https://www.amazon.com/European-Data-Protection-Law-Regulation/dp/1533170835[https://perma.cc/2JW7-YDHP]. 74. SeeCaliforniaConsumerPrivacyActof2018,CAL.CIV.CODE§§1798.100–.199(2018). 75. Compare Katelyn Ringrose& JeremyGreenberg,California Privacy Legisla-tion:ATimelineofKeyEvents,FUTUREPRIV.F. (Aug.31,2020),https://fpf.org/blog/california-privacy-legislation-a-timeline-of-key-events[https://perma.cc/C6NC-WVZR],with Adam Deakin, GDPR Timeline: A History of Data Protection, VUTURE,https://vutu.re/blog/gdpr-timeline--a-history-of-data-protection.aspx[https://perma.cc/2JS2-SHS7].
2021] CATALYZINGPRIVACY 1747
settingsoftheGDPRandtheCCPA.Thisunderstandingofthetwosys-temssetsupouranalysisinPartIII,whereweconsidertheinfluenceofthenewEuropeanandCalifornianlawsacrosstheUnitedStates.
A. EUROPEANDATAPROTECTIONVERSUSU.S.CONSUMERPROTECTIONFirst,ithelpstounderstandthefundamentaldifferencesbetween
aU.S.-styleandanEU-styledataprivacyregime.Whendiscussingdatagovernance,EuropeanlawyersdonotevenusethesamelanguageasAmericanlawyers;theyrefertostatutesthatgovernthehandlingofpersonaldataas“dataprotection”laws,not“privacy”laws.76Thisre-flectsafundamentaldifferenceinapproach:“dataprotection”isuni-versalinEurope,whilemostAmericanlawfocuseson“consumerpro-tection.”77 Data protection laws like the GDPR proceed from theprinciple that data protection is a fundamental human right safe-guardedthroughconstitutionalprotectionsintheEuropeanConven-tiononHumanRightsandtheEUCharter.78Thisplacesdataprotec-tionrightson thesameplaneas freespeechordueprocess.79Asaresult, thedefault inEurope is thatpersonal informationcannotbecollectedorprocessedunlessthereisaspecificlegaljustificationfordoingso.80
IntheUnitedStates,bycontrast,privacylawmostoftenfollowsa“consumerprotection”model,withregulatorsfocusedonensuringthatconsumersreceivethebenefitoftheirbargaininindividualbusi-ness-to-consumertransactions.81Theconsumerprotectionmodelfre-quently relieson themuch-criticizedpremise thatdisclosureandarightofrefusal(so-called“noticeandchoice”)adequatelyempower
76. SeePaulM.Schwartz&Karl-NikolausPeifer,TransatlanticDataPrivacyLaw,106 GEO. L.J. 115, 138, 147 (2017); see also CHRISTOPHER KUNER, EUROPEAN DATAPROTECTIONLAW:CORPORATECOMPLIANCEANDREGULATION2–3(2ded.2007);JamesQ.Whitman,TheTwoWesternCulturesofPrivacy:DignityVersusLiberty, 113YALEL.J.1151,1159–60(2004);PaulM.Schwartz,PreemptionandPrivacy,118YALEL.J.902,909–10(2009);JoelR.Reidenberg,SettingStandardsforFairInformationPracticeintheU.S.PrivateSector,80IOWAL.REV.497,500–01(1995). 77. McGeveran,supranote20,at966(“[D]ataprotectionlawbeginswithanas-sumptionthatcontroloverpersonalinformationisahumanright....U.S.regulators,suchastheFTCorstateattorneysgeneral,regulateprivacybypolicingthefairnessofparticulartransactions.”). 78. CharterofFundamentalRightsoftheEuropeanUnion,arts.7–8,2000O.J.(C364)11;ConventionfortheProtectionofHumanRightsandFundamentalFreedomsart.8,Nov.4,1950,213U.N.T.S.221. 79. CharterofFundamentalRightsoftheEuropeanUnion,supranote78,arts.7,11. 80. Seeid.art.8. 81. SeeMcGeveran,supranote20,at966.
1748 MINNESOTALAWREVIEW [105:1733
consumers.82UnlikeinEurope,thereisnoprotectionintheU.S.Con-stitution against activities by nongovernmental entities,83 includingthecollectionofpersonaldata.Andunlikeadataprotectionregime,inwhichprotectionsfollowthedata,theconsumerprotectionmodelfo-cusesongoverningbothamorediscreteinteractionandamoredirectrelationship.UntiltheCCPA,mostAmericanlawpermittedentitiestocollectandusepersonaldatahowevertheywishedbydefault,absentaspecificlegalruleforbiddingaparticularpractice.84
AseconddifferencebetweenEuropeandtheUnitedStatesisthatU.S.privacylawhasalwaysbeenfragmentedand“sectoral.”85Differ-entstatutesareenforcedbydifferentregulatorsindifferentsectorssuchashealthcare,financialservices,education,orcreditreporting.Afewofthesesectoralregimesareconstructedlikedataprotectionrules,but theyapplyonlywithin theirnarrowdomains.86MostU.S.laws function on the transactional consumer protectionmodel de-scribedabove.Asafinalbackstop,general-purposeconsumerprotec-tionregulators,suchastheFederalTradeCommission(FTC)andstateattorneysgeneral,addressasubsetofcases fallingoutsideanysec-toralrules,againlargelyfollowingaconsumerprotectionmodel.87
Bycontrast, ineveryEuropeannation,specializeddataprotec-tionregulatorshavelongenforcedomnibusstatutesapplicabletoallorganizationswhentheyhandleanypersonaldata.88Whilethesedataprotection laws contain extra protections for especially sensitive
82. See,e.g.,WOODROWHARTZOG,PRIVACY’SBLUEPRINT:THEBATTLETOCONTROLTHEDESIGNOFNEWTECHNOLOGIES62–67(2018); JulieE.Cohen,WhatPrivacy IsFor,126HARV.L.REV.1904,1930(2013). 83. SeeDeShaneyv.WinnebagoCnty.Dep’tofSoc.Servs.,489U.S.189,195–96(1989)(“[N]othinginthelanguageoftheDueProcessClauseitselfrequirestheStatetoprotectthelife,liberty,andpropertyofitscitizensagainstinvasionbyprivateac-tors.”). 84. SeeSchwartz&Peifer,supranote76,at147. 85. SeeReidenberg,supranote76,at505–06;Schwartz,supranote76,at908–13. 86. HealthInsurancePortabilityandAccountabilityAct,45C.F.R.§§160,162,164(2020);Children’sOnlinePrivacyProtectionAct,15U.S.C.§§6501–6506. 87. DanielleKeatsCitron,ThePrivacyPolicymakingofStateAttorneysGeneral,92NOTREDAMEL.REV.747,748(2016);DanielJ.Solove&WoodrowHartzog,TheFTCandthe New Common Law of Privacy, 114 COLUM. L. REV. 583, 590 (2014); see alsoMcGeveran,supranote20,at977–78(describingthe“cleanuprole”ofconsumerpro-tectionregulatorsinenforcementofU.S.privacylaw). 88. CharterofFundamentalRightsoftheEuropeanUnion,supranote78,art.8(“Everyonehastherighttotheprotectionofpersonaldataconcerninghimorher.”);Consolidated Version of the Treaty on the Functioning of the European Union art.16(1),Oct.26,2012,2012O.J.(C326)47(“Everyonehastherighttotheprotectionofpersonaldataconcerningthem.”).
2021] CATALYZINGPRIVACY 1749
information,theirbasichumanrightsframeworksimposeuniformre-quirementseverytimepersonaldataiscollected,processed,ortrans-ferred.89Theserulesapplythroughsweepingdefinitionsof“datacon-trollers”and“dataprocessors”thatencompassnotonlybusinessesofevery size and type but also governments, nonprofit organizations,political campaigns, and even individuals—anyone engaged in the“processing”ofpersonaldata.90
B. SUBSTANTIVESIMILARITIESAtfirstglance,theCCPAmayseemmore“European”thanexist-
ingU.S.privacylaws.True,itisthefirstU.S.statutethathassomedataprotectioncharacteristicswithoutbeingnarrowlysectoral.Forexam-ple,undertheCCPA,legalprotectionsfollowpersonaldata,regardlessofwhetheranindividualhasadirectrelationshipwiththeregulatedcompany.91ThisdiffersfrommanyexistingregulatorymodelsintheUnitedStates.BecausetheFTC’sgeneralconsumerprotectionauthor-ityfocusesonlyontherelationshipbetweenindividualsandcompa-nies,itclaimstohavelittlepoweroverdatabrokerswhoobtainindi-vidual information from other companies or public sources ratherthanfromconsumersthemselves.92TheCCPA,bycontrast,regulates
89. TheEuropeanCommission’sreviewoftheoperationoftheGDPRatitssecondanniversarynotedthattheEUmemberstateshadnotofferedasmuchuniformityintheirlocalimplementationsoftheGDPRasmightbedesired.CommunicationfromtheCommissiontotheEuropeanParliamentandtheCouncil:DataProtectionasaPillarofCitizens’EmpowermentandtheEU’sApproachtotheDigitalTransition–TwoYearsofApplication of the General Data Protection Regulation, at 12, COM (2020) 264 final(June 24, 2020), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0264[https://perma.cc/HSY9-LCUU]. 90. GDPR,supranote7,art.4(2)(defining“processing”as“anyoperationorsetofoperationswhichisperformedonpersonaldataoronsetsofpersonaldata,whetherornotbyautomatedmeans,suchascollection, recording,organisation,structuring,storage,adaptationoralteration,retrieval,consultation,use,disclosurebytransmis-sion, dissemination or otherwise making available, alignment or combination, re-striction,erasureordestruction”);seeCaseC-40/17,FashionIDGmbH&Co.KGv.Ver-braucherzentraleNRWe.V., ECLI:EU:C:2019:629 (July 29, 2019) (holding Facebookjointlyresponsibleasadatacontrollerwhenathird-partywebsiteusesaFacebook“Like”buttonthatfacilitatesusertracking).ThefirstEuropeanCourtof JusticecasedealingwiththeGDPR’spredecessor,theDataProtectionDirective,involvedacrimi-nalchargeagainstanindividualwhohadposted(seeminglyinnocuous)informationabout fellowparishioners to awebpagewithout their consent. CaseC-101/01, Lin-dqvistv.ÅklagarkammareniJönköping,2003E.C.R.I-12971. 91. CAL.CIV.CODE§1798.105(d)(Deering2018). 92. U.S. FED. TRADE COMM’N, DATA BROKERS: A CALL FOR TRANSPARENCY ANDACCOUNTABILITY (2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf[https://perma.cc/TR62-497D].
1750 MINNESOTALAWREVIEW [105:1733
databrokersdirectly—acriticalmovetargetinganindustrythathasanenormousimpactonindividuals’privacy.93
SomecoreelementsoftheCCPAalsoseemtoechoaspectsoftheGDPR.Bothlawsdefinepersonalinformationverybroadly,farbeyondmostexistingU.S.privacylaws.94Bothlawsfoundationallyemphasizetransparency, reflecting the Fair Information Principles on whichmanydataprivacyregimesinbothEuropeandtheUnitedStatesarebuilt,andbothlawssharethecontoursofanumberofadditionalindi-vidualrights.95
In the past, narrow definitions of personal information havesharplylimitedtheeffectofmanyU.S.privacylaws.96UndermostU.S.laws,onlycertaintypesofinformationcountedaspersonaldata,mak-ingthedefinition limited, technical,andstatic.TheGDPRandCCPAbothbreakwiththispastbyusingthereal-worldpotentialforidenti-fiabilityasthetouchstone.TheGDPR’sbroadandopendefinitionofpersonaldataincludesnotjustinformationthatdirectlyidentifiesaperson,butalsoinformationthatrendersapersonidentifiable.97TheCCPAsimilarlyappliestoinformationthatis“capableofbeingassoci-atedwith,orcouldreasonablybelinked,directlyorindirectly,withaparticular consumer or household.”98 Both laws provide expansiveandopenlistsofexamplesofcoveredpersonalinformation,fromIPaddressestobiometricinformation.
AnothersimilaritybetweentheGDPRandtheCCPAisthecentralroleoftransparency.TransparencyisacoreprincipleoftheGDPR.99TheGDPR’srecitalsproclaimitafundamentaltenetofdataprotectionlaw thatpeople shouldknow thatpersonaldatahasbeencollectedandbeabletounderstandtheextenttowhichthatinformationispro-cessed.100 The CCPA likewise focuses on giving people notice and
93. JULIAANGWIN,DRAGNETNATION7(2014)(“Stalkersandrogueemployeeshaveconsistentlyfoundwaystoabusethesedatabases.”).ThefederalFairCreditReportingAct,anarrowsectoralstatute,doesregulatesomesegmentsofthedatabrokerindus-try,but largelywithin thecontextofbusiness relationshipsamongcredit reportingagenciesandthelendersoremployerswhorelyontheirproducts.15U.S.C.§1681. 94. SeeGDPR,supranote7;CAL.CIV.CODE§1798. 95. GDPR,supranote7;CAL.CIV.CODE§1798. 96. PaulOhm,BrokenPromisesofPrivacy:RespondingtotheSurprisingFailureofAnonymization,57UCLAL.REV.1701(2010);PaulM.Schwartz&DanielJ.Solove,ThePIIProblem:PrivacyandaNewConceptofPersonallyIdentifiableInformation,86N.Y.U.L.REV.1814(2011). 97. GDPR,supranote7,art.4(1). 98. CAL.CIV.CODE§1798.140(o)(1). 99. GDPR,supranote7,art.5(1)(a). 100. Id.recital39.
2021] CATALYZINGPRIVACY 1751
accessrightssothattheycantracewhatishappeningtotheirpersonalinformation. The California legislature’s articulated intent for theCCPAwastogiveconsumers“aneffectivewaytocontrol theirper-sonalinformation”bygivingthem“[t]heright...toknowwhatper-sonalinformationisbeingcollectedaboutthem,”and“[t]heright...toknowwhethertheirpersonalinformationissoldordisclosedandtowhom.”101
Beyondthishortatorylanguage,bothlawsembedtransparencyprinciplesintheirrequirements.UndertheGDPR,organizationsmustprovideindividualsbothnoticeandaccess.102Theymustaffirmativelyprovidedetailedgeneralnoticethatincludesthepurposeofdatapro-cessing,therecipientsofthedata,theperiodforwhichthedatawillbe stored, and other information.103 Organizations that collect per-sonalinformationfromathirdpartymustalsoprovidesuchnotice,104andallthesedisclosuresmustbeclearandintelligible.105
TheGDPRalsoestablishesarightofindividualaccess,106buildingon“subjectaccessrights”thathavebeeninplacethroughoutEuropeatleastsincethe1990sundertheDataProtectionDirective.107Inre-sponse to an individual’s access request, data controllersmustdis-close,amongotherthings:thepurposesofprocessing,thecategoriesofpersonalinformationconcerned,therecipientsofpersonaldata,re-tentionorstorage time,and thesourceof thedata if theyhavenotbeencollectedfromtheindividual.108Additionally,theymustprovideacopyofthedataitselfinacommonlyusedelectronicform.109
The CCPA likewise gives individuals both notice and accessrights.LiketheGDPR,itrequirescompaniestodisclosethepurposeofprocessing,categoriesof informationgathered,andtheexistenceofindividualrightswithrespecttothatdata(itdoesnot,however,re-quiredisclosureofthepreciseidentitiesoftherecipientsofthedataorthestorageperiod).110Suchdisclosures,accordingtoregulations
101. SeeAssemb.375,2018Leg.§2(i)(Cal.2018). 102. GDPR,supranote7,arts.13–14. 103. Id. 104. Id.art.14(1)(d). 105. Id.art.12. 106. Id.art.15. 107. JefAusloos&PierreDewitte,ShatteringOne-WayMirrors—DataSubjectAc-cessRightsinPractice,8INT’LDATAPRIV.L.4,4–28(2018). 108. GDPR,supranote7,art.15. 109. Id.art.15(3);seealsoid.recital63(“Wherepossible,thecontrollershouldbeabletoprovideremoteaccesstoasecuresystemwhichwouldprovidethedatasubjectwithdirectaccesstohisorherpersonaldata.”). 110. CAL.CIV.CODE§1798.185(2018);CAL.CODEREGS.tit.11,§999.305(2020).
1752 MINNESOTALAWREVIEW [105:1733
promulgatedbyCalifornia’sattorneygeneral,mustbe“designedandpresentedinawaythatiseasytoreadandunderstandabletoconsum-ers.”111TheCCPAgoeswellbeyondnoticerequirementsinpriorU.S.law,suchasaCaliforniastatuterequiringwebsitestopostprivacypol-icies.112
LiketheGDPR,theCCPAalsogivesindividualsaccessrights.Thestatutecreatesarightforconsumerstorequestboththecategoriesandspecificpiecesofpersonal information thatabusinesshas col-lected.113Consumershavearighttorequestdisclosureofthecatego-riesofsourcesfromwhichthepersonalinformationiscollected,thebusinessorcommercialpurposeforcollecting,andthecategoriesofthirdpartieswithwhomthebusinesssharespersonalinformation.114Unusually foraU.S. law, the rulesapplynot just to companies thathaveadirectrelationshipwiththeconsumer,butalsotocompaniesthatcollectandsellpersonalinformationeveniftheyobtainthatin-formationfromsomebodyotherthantheconsumer.115CCPAaccessrightsrepresentasignificantadvancefromverylimitedrightsunderpreviouslaw,suchasaccesstocreditscoringinformationandthean-nualfreecreditreport.116
Thetworegimesshare,too,thecoreelementsofanumberofad-ditionalindividualrights(thoughtheydifferinthedetails):dataport-ability,opt-outrights,adutyofnondiscrimination,andarighttodele-tionorerasure.TheGDPRcontainsarighttodataportability—thatis,arighttoreceiveone’spersonaldatainaformatthatenablesanindi-vidualtoswitchserviceproviders.117Thisrightisaimedatgivingin-dividualsmorecontrolovertheirdataandmorechoicesaboutITser-vices118butisalsounderstoodtopotentiallyenhancecompetition.119TheCCPAquietlycreatesadataportability“right”ofitsown:personaldatadeliveredelectronicallyinresponsetoanaccessrequest“shallbe
111. CAL.CODEREGS.tit.11,§999.305(2). 112. CAL.CIV.CODE§22575(Deering2014). 113. Id.§§1798.100(a),.110(a);CAL.CODEREGS.tit.11,§§999.300(q),.308(c)(1),.318. 114. CAL.CIV.CODE§1798.110(a). 115. UndertheCCPA,consumerscanrequestaccesstocertaininformationfrom(a)abusinessthatcollectspersonalinformationand(b)abusinessthatsellspersonalinformationordisclosesitforabusinesspurpose.Id.§§1798.100(a),.110(a),.115(a). 116. 15U.S.C.§1681(g). 117. GDPR,supranote7,art.20,recital68;ARTICLE29DATAPROT.WORKINGPARTY,GUIDELINESONTHERIGHTTODATAPORTABILITY(2017). 118. ARTICLE29DATAPROT.WORKINGPARTY,supranote117,at3–4. 119. Id.at4.
2021] CATALYZINGPRIVACY 1753
inaportableand...readilyusableformat.”120Infact,theCCPA’sdataportability“right”maybebroaderthantheGDPR’sinsomeways,asitappliestoinferreddataaboutanindividual,wheretheGDPR’srightdoesnot.121
Both theCCPAand theGDPRcontaina right for individuals to“optout”anddenypermissionforhandlingoftheirpersonaldataincertainways.TheCCPAestablishesanopt-outrightforconsumerstotellabusinessnottoselltheirpersonalinformation.122Ifabusinesshasactualknowledgethataconsumerissixteenyearsoldoryounger,itmustobtainaffirmativeauthorization(“opt-in”)foranysaleofper-sonal information—from the individual themselves if they are be-tweenthirteenandsixteenyearsoldorfromaparentorguardianiftheindividualisunderthirteenyearsold.123TheGDPR,bycompari-son,establishesthreeanalogousrights:therighttorestrictdatapro-cessing,124 theright toobject todataprocessing,125andtheright towithdraw consent.126 Although theGDPRhas broader rights to optout—theyapplywellbeyondthesaleof information—theyarealsolessabsolutethanthoseintheCCPA.127
Both regimes contain a duty of nondiscrimination: companiescannot “discriminate” against individuals who choose to exerciserightsrelatedtopersonaldata.128Thismeansthatabusinesscannot,for example, denygoodsor services, chargedifferent rates, impose
120. CAL.CIV.CODE§1798.100(d). 121. ARTICLE29DATAPROT.WORKINGPARTY,supranote117,at10;CAL.CIV.CODE§1798.140(o),(l),(k),(m). 122. CAL.CIV.CODE§1798.120.Vermont’snewdatabrokerlaw,H.764,requirestransparencyastowhetheradatabrokerallowsconsumerstooptoutofcollectionorsaleofinformationbutdoesnotrequireadatabrokertodoso.SeeVT.STAT.ANN.tit.9,§2430(2019). 123. CAL.CIV.CODE§1798.120(d). 124. GDPR,supranote7,art.18. 125. Id.art.21,recitals60,70. 126. Id.art.7(3). 127. Id.art.2(1).There isalsoabalancingtestspecific toscientificorhistoricalresearchpurposesorstatisticalpurposes.Id.art.21(6). 128. CAL.CIV.CODE§1798.125;GDPR,supranote7,recital42;EUR.DATAPROT.BD.,GUIDELINES05/2020ONCONSENTUNDERREGULATION2016/679¶48 (2020),https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf[https://perma.cc/PK3G-F7MP](givingasanexampleof“consentwithoutdetriment”thatacompanymay“showthataserviceincludesthepossibilitytowithdrawconsentwithout negative consequences e.g. without the performance of the service beingdowngradedtothedetrimentoftheuser”);CAL.CODEREGS.tit.11,§999.336(a)(2020)(“Afinancialincentiveorapriceorservicedifferenceisdiscriminatory,andthereforeprohibited...ifthebusinesstreatsaconsumerdifferentlybecausetheconsumerex-ercisedarightconferredbytheCCPAortheseregulations.”).
1754 MINNESOTALAWREVIEW [105:1733
penalties,orprovideadifferentlevelofservicestocustomerswhooptoutofdatatransactions.TheCCPAregulations,however,contemplateacompensationschemewherebyabusinesscanofferfinancialincen-tivesorapriceorservicedifferenceiftheyare“reasonablyrelatedtothevalueoftheconsumer’sdata.”129Thischangesthedutyofnondis-criminationinatleastsomecircumstancesfromanabsolutedutyintoan information-forcingmechanism regarding how companies valueconsumerdata.130
TheGDPRfamouslycontainsarighttoerasure,alsoknownasthe“righttobeforgotten.”131TheCCPAcreatesamorelimitedrighttode-letion.132TheGDPR’srighttoerasuregivesindividualstherighttoob-tain the erasure of personal data both from companieswithwhichtheyhaveadirectconsumerrelationshipandfromthirdparties,un-dercertaincircumstances.133Thereareexceptionstotherighttoeras-ure,includingfreedomofexpressionandpublicinterestintheareaofpublichealth.134Asmanyhavenoted,thisso-called“righttobeforgot-ten”isnotabsolutebutisinlargepartabalancingtestbetweencom-petingvalues,outsourcedtoprivatecompanies.135TheCCPAcreatesamuchnarrowerrighttodeletion.UnliketheGDPR’srighttoerasure,whichappliestothirdparties,theCCPA’srighttodeletionappliesonlytobusinessesthatcollectinformationdirectlyfromtheconsumer.136
129. CAL.CODEREGS.tit.11,§999.336(b). 130. Seeid.§999.337. 131. GDPR,supranote7,art.17.SeegenerallyMEGLETAJONES,CTRL+Z:THERIGHTTOBEFORGOTTEN(2016). 132. CAL.CIV.CODE§1798.105(2018). 133. GDPR,supranote7,art.17(1)(a)–(f)(permittinganindividualtoexercisetherighttoerasureincircumstancesincluding,butnotlimitedto,whenthepersonaldataisnolongernecessaryforthepurposeitwasoriginallycollectedorprocessedfor,theindividualwithdrawstheirconsentwheretheorganizationreliedonsaidconsentasthelawfulbasisofprocessing,orwhentheindividualobjectstotheprocessingoftheirdatafordirectmarketingpurposes). 134. Id.art.17(3)(a),(c). 135. See CHRISTINA ANGELOPOULOS, ANNABEL BRODY, WOUTER HINS, BERNTHUGENHOLTZ,PATRICKLEERSSEN,THOMASMARGONI,TARLACHMCGONAGLE,OTVANDAALEN&JORISVANHOBOKEN,INST.FORINFO.L.,STUDYOFFUNDAMENTALRIGHTSLIMITATIONSFORONLINE ENFORCEMENT THROUGH SELF-REGULATION 52 (2015), https://scholarlypublications.universiteitleiden.nl/access/item%3A2869513/view [https://perma.cc/AAM8-UABW]; see also Case C-131/12, Google Spain SL v. AEPD,ECLI:EU:C:2014:317,16–22(May13,2014);EdwardLee,RecognizingRightsinRealTime:TheRoleofGoogle intheEURightToBeForgotten,49U.C.DAVISL.REV.1017(2016);StefanKulk&FrederikZuiderveenBorgesius,CaseNote,GoogleSpainv.Gon-zález:DidtheCourtForgetAboutFreedomofExpression?,5EUR.J.RISKREGUL.389,389–98(2014). 136. CAL.CIV.CODE§1798.105(a).
2021] CATALYZINGPRIVACY 1755
ThismorerestrictedscopeisanaccommodationofFirstAmendmentlawandvaluesintheUnitedStates,whichmayconstrainerasurere-quirementsimposedonthirdparties.137
Insum,theCCPAmovesclosertoadataprotectionregimelikethe GDPR in certainways,which helps explain thewidespread as-sumptionthatitrepresentsaU.S.embraceoftheEuropean-styledataprotectionmodel.WhiletheCCPA’sbroaddefinitionofpersonaldata,emphasis on transparency, and establishment of some individualrights do go further thanpreviousU.S. law, noneof these shifts gonearlyasfarastheGDPR.AsweshallseeinthenextSection,thesesimilarities are overshadowed by fundamental substantive differ-encesbetweenthetwomodels.
C. SUBSTANTIVEDIFFERENCES Once an analysis moves beyond these similarities, it becomes
clearthattheCCPAregimedifferssharplyfromtheGDPR.First,andperhapsmostimportantly,thetwolawsdonotsharethesameunder-lyingprinciples,leadingtogreatdifferencesinthescopeandnatureoftherightsanddutiesimposedbyeach.Second,whiletheCCPAisbroaderthanpastAmericansectorallaws,itstillregulatesamuchnar-rowersetofentitiesthandoestheGDPR.Third,thetwolawshavedif-ferentenforcementmechanisms.Fourth,theirregulatorystylescon-trast, with significant practical and substantive consequences. Andfinally,CaliforniaandEuropeareeachquitedistinctinwhatwecalltheir“legalsetting”—thebackdropagainstwhichprivacylawsexistandwilldevelopovertime.Weconsidereachofthesedifferencesinorder.
Firstandforemost,forallitsmovestowardbroadercoverageandthecreationofindividualrights,theCCPAdoesnottreatprivacyasahumanrightinthewaydataprotectionlawsliketheGDPRdo.138 It
137. Sorrellv.IMSHealth,Inc.,564U.S.552,557(2011);seeAnupamChander&UyênP.Lê,FreeSpeech,100IOWAL.REV.501,522(2015)(arguingthatSorrelldemon-strates“theseriousnessofFirstAmendmentconstraintsonprivacyregulationsonin-formationintermediaries”).CasessuchasFloridaStarv.B.J.F.,491U.S.524(1989),CoxBroadcastingCorp.v.Cohn,420U.S.469(1975),andSmithv.DailyMailPublishing,443U.S.97(1979),arguablysuggestthatonceinformationislegallydistributed,thegov-ernmentcannotrestrictitsuseabsentstateinterestofthehighestorder.However,anumberofscholarsarguethatmostprivacylawscanpassFirstAmendmentmuster.See,e.g.,NeilM.Richards,WhyDataPrivacyLawIs(Mostly)Constitutional,56WM.&MARYL.REV.1501(2015);JackM.Balkin,InformationFiduciariesandtheFirstAmend-ment,49U.C.DAVISL.REV.1183(2016).ButseeEugeneVolokh,FreedomofSpeechandInformationPrivacy:TheTroublingImplicationsofaRightToStopPeoplefromSpeakingAboutYou,52STAN.L.REV.1049(2000). 138. CompareCAL.CIV.CODE§1798.105,withGDPR,supranote7,art.1.
1756 MINNESOTALAWREVIEW [105:1733
remains, intheAmericantradition,atransactionalprivacylawcon-cernedwithprotectingconsumers intheirdealingswithcommercialentities.Forthisreason,theCCPAdoesnotembraceseveralprinciplesthat have been at the core of constitutionally influenced EuropeandataprotectionlawsincelongbeforetheGDPR—backtoitspredeces-sor,the1995DataProtectionDirective,139andbackevenfurthertonationaldataprotectionlawsinmanyEuropeancountriesdatingfromthe1970sand1980s.140
TheGDPRisbuiltaroundtheconceptof“lawfulprocessing”ofdata.Thatis,personaldatacannotbeprocessedunlessadatacontrol-lerhasobtainedindividualconsent141oroneoffiveotherenumeratedcategoriesoflawfulprocessingapplies.142TheCCPAdoesnotrequirethatprocessingbelawful.143Rather,itsharesthepresumptionofmostotherAmericanprivacylawthatpersonaldatamaybecollected,used,ordisclosedunlessaspecificlegalruleforbidstheseactivities.144Thisis likely the singlemostmeaningfuldifferencebetween the twore-gimes.
Moreover, theGDPRimposesmultipleadditionalconditionsonalldataprocessing,evenwhenitisauthorizedbyconsentoranotherof the legitimizing conditions.145 The GDPR requires that personaldatamaybecollectedonlyfor“specified,explicitandlegitimatepur-poses,”statedatthetimeofcollection.146Additionalprinciplesincludepurposelimitation(processingdataonlyforthosepreviouslystatedpurposes),dataminimization(collectingnomoredatathannecessaryforthosepurposes),dataretention(limitingstorageofdatatoperiodsjustifiedbythosepurposes),privacybydesign,aswellasprivacyim-pactassessmentsforhighriskdataprocessing,amongothers.147
139. Directive95/46/EC,1995O.J.(L281)31. 140. See,e.g.,GesetzzumSchutzvorMiBbrauchpersonenbezogenerDatenbeiderDatenverarbeitung(Bundesdatenschutzgesetz-BDSG)[LawonProtectionAgainsttheMisuse of PersonalData inDataProcessing (FederalDataProtectionAct)], Jan. 27,1977,BUNDESGESETZBLATT[BGBI]at1201(W.Ger.);Loi78-17du6janvier1978de informatiquéet libertés [Law78-17of January6,1978on InformationandCivilLiberties], COMMISIONNATIONALE DE L’INFORMATIQUÉ ET DES LIBERTÉS [COMMISSION ONINFORMATIONTECHNOLOGY,DATAFILES ANDCIVILLIBERTIES] (Fr.); Data Protection Act1984,c.35(U.K.). 141. GDPR,supranote7,art.6(1)(a). 142. Id.art.6(1)(a)–(f). 143. CAL.CIV.CODE§1798.100. 144. Id. 145. GDPR,supranote7,art.5(1). 146. Id.art.5(1)(b). 147. Id.art.5(1)(b)–(f).
2021] CATALYZINGPRIVACY 1757
The CCPA imposes few requirements concerning the purposesfordatacollectionortheproportionalityofdatahandlingtothosepur-poses.TheCCPA’stextdoesnotevengoasfarastheHealthInsurancePortability and Accountability Act (HIPAA), which requires thatdownstreamdisclosuresofpatientdatabethe“minimumnecessary”toachieveapurpose.148Instead,theCCPArequiresabusinesstopro-videnoticeifitis“collect[ing]personalinformationcollectedforad-ditionalpurposes.”149Thisruleon its facedoesnotstopcompaniesfromusingdatafornewpurposes—itjustrequiresdisclosureiftheydoso.Asinmanyotherplaces,theCCPA’sapproachreliesontrans-parencyratherthanfollowingtheGDPRbyimposingsubstantivedu-tiesoncompaniesthatcollectandprocesspersonaldata.Theimple-mentingregulationspromulgatedbytheCaliforniaattorneygeneraldorequirethatabusiness“shallnotuseaconsumer’spersonalinfor-mationforapurposemateriallydifferentthanthosedisclosedinthenotice at collection.”150 If a business wishes to use personal infor-mationforanew,undisclosed,materiallydifferentpurpose, itmustobtainexplicitconsentfromtheconsumerforthatuse.Whilethisismorethanmeretransparency,itisfarfromtheextensiveconditionsonalldataprocessingintheGDPR.
Thedivergenceinthetworegimes’animatingprinciplesalsoin-fluencestheirtreatmentofindividualrights.TheCCPA,apartfromal-lowingindividualstooptoutofsalesof theirpersonaldata,affordsindividualslittlecontrol.Itdoesnothingtoenableindividualstore-fusetogivecompaniestheirdatainthefirstplace.TheGDPRstrivestodosobyrequiringstringentformsofconsentinanumberofcir-cumstances151andbygranting individualsrobustrightsthroughoutthelifecycleofdataprocessing,includingtherighttorectificationofincorrect information;152 the right to prevent automated individualdecision-makingand to receiveexplanationof anyautomateddeci-sion;153andbroaderrightsrelatedtoerasureofdataandwithdrawal
148. 45C.F.R.§§164.502(b),.514(d)(2021). 149. CAL.CIV.CODE§1798.100(b)(2018). 150. CAL.CODEREGS.tit.11,§999.305(a)(5)(withdrawnJuly29,2020). 151. Regardingbothparticularlysensitivedata(specialcategoriesofdata)andau-tomateddecision-making,theGDPRrequiresthemorestringent“explicitconsent”ifconsent is tobe thebasisofprocessing.GDPR,supranote7;ARTICLE29DATAPROT.WORKINGPARTY,GUIDELINESONAUTOMATEDINDIVIDUALDECISION-MAKINGANDPROFILINGFORTHEPURPOSESOFREGULATION(2017). 152. GDPR,supranote7,art.16. 153. Id.art.22;seealsoMargotE.Kaminski,TheRighttoExplanation,Explained,34BERKELEYTECH.L.J.189,201(2019).
1758 MINNESOTALAWREVIEW [105:1733
of consent.154 Additionally, the GDPR’s requirement of lawful pro-cessingbestowsmoreindividualcontrolthantheCCPA.155TheCCPArelies primarily on transparency, and apart fromaccess andnoticerights,grantsindividualsonlythetwolimitedrightsdiscussedabove:tooptoutofsaleandtorequestdeletion.156
Fundamentally,then,theCCPAisnotacomprehensiveEuropean-styledataprotectionregime.TheGDPRquintessentiallytargetscom-pliancefromanorganizationalperspective:itattemptstobuildupaparticularkindofresponsiblecorporateinfrastructure,includingin-ternalpositionsandprocesses.157TheGDPR’saffirmativeregulatoryrequirementsrangefromdataminimizationtoriskassessmentstore-cordingrequirements,andtheyareimposedondatacollectorsevenwherethereisnotacorrespondingindividualright.158TheCCPAreg-ulationsrequirecompliancetrainingandrecord-keeping,159butover-allappeartobegearedmoretowardsprovidingtransparencyintoin-dustrypractices—inthiscase,howacompanyrespondstoconsumerrequestsundertheCCPA—thantowardsreinforcinggooddataprac-ticesorcreatingsubstantiveprotectionsforconsumers.ItremainstobeseeniftheGDPRwillsucceedinentrenchingmoreprivacy-protec-tivecorporatepractices,butitsaimsarefarbroader,andapproachfardeeper,thantheCCPA’s.
AseconddifferencebetweentheGDPRandCCPArelatestoregu-latedentities.Asnotedearlier,theGDPRcoversanyonethatprocessespersonaldata,includingnotonlycompaniesbutalsoindividuals,non-profit organizations, andgovernments.160 TheCCPAappliesonly tobusinesses,andonlytothosethatmeetacomplexsetofoverlappingrequirementsrelatedtotheirsizeortheextentoftheirinvolvementin personal data trade.161 Here again, the two laws reflect the
154. GDPR,supranote7,art.17. 155. Id.art.6(1)(a). 156. CAL.CIV.CODE§1798.120(2018). 157. SeeMargotE.Kaminski,BinaryGovernance:LessonsfromtheGDPR’sApproachtoAlgorithmicAccountability,92S.CAL.L.REV.1529,1596(2019). 158. GDPR,supranote7,art.5(2);seealsoKaminski,supranote157. 159. CAL.CODEREGS.tit.11,§999.317(2020). 160. GDPR,supranote7,art.2(1). 161. CAL.CIV.CODE§§1798.100,.105,.110,.115,.120.TheCCPAtargetsthreekindsof commercial entities as “businesses.” Id. § 1798.140(c). It targets (1) larger busi-nesses(withovertwenty-fivemilliondollarsinannualgrossrevenue)thatcollectCal-iforniaresidents’personaldata,regardlessofhowmanypeopleareimpactedbythiscollection;(2)for-profitbusinessesofanysizethatbuy,receive,sell,orsharepersonalinformationconcerningasignificantnumberofresidents(50,000ormore);and(3)businessesthatderivehalformoreoftheirannualrevenuesfromsellingpersonalin-formation—regardlessoftheirsizeorhowmanypeopleareaffectedbythisactivity.
2021] CATALYZINGPRIVACY 1759
dominant approach on each side of the Atlantic. A data protectionmodelinherentlyaimstobecomprehensive.TheCCPA,whilebroaderthanmanysectoralU.S.privacylawsofthepast,stilllimitsitsaimtoprotectingconsumers fromcertaindatahandlingpracticeswithinaspecificcontextdefinedbycommerciality,geography,andscale.
The regimes’ respective enforcement mechanisms are a thirdareaofdivergence.Bothprovideformonetarypenaltiesfornon-com-pliance.TheGDPRauthorizesadministrativefinesissuedbynationaldataprotectionregulatorsofupto4%ofacompany’sannualworld-widerevenue,whiletheCCPAincludescivilpenaltiesofupto$2,500perviolationor$7,500per intentionalviolation,anumberthatcanexactenormoussumswhenmultipliedby thenumberofpeopleaf-fectedinmanyprivacyviolations.162However,thereisnoprivaterightof action for affected individuals to enforce most elements of theCCPA.ThisisinkeepingwiththetrendforU.S.privacylawsofatleastthelasttwentyyears,includingtheFTCAct,163HIPAA,164andtheChil-dren’s Online Privacy Protection Act (COPPA).165 There have beenproposalsintheCalifornialegislaturetoauthorizeprivateCCPAlaw-suits,butfornowonlythestateattorneygeneralmayenforcemostprovisionsofthelaw.166InEurope,aconstitutionallyguaranteedrightofredressforviolationsofindividualrightsmeanstheGDPRcanbeenforcedbyindividualcomplaints.167WhileclassactionsarelargelyunfamiliarinEuropeanlaw,theGDPRdoesallowaclaimsrepresen-tationmodelsothatindividualsdonothavetofileclaimsontheirownbehalfonly.Thereisalsoawell-developedregulatorystructureintheGDPR,withspecializeddataprotectionregulatoryauthoritiesineachEUcountryandcoordinationoftheireffortsthroughaEuropeanDataProtectionBoard.168AlthoughtherecentlyenactedCaliforniaPrivacyRights Act (CPRA) establishes a new privacy-specific regulator,169there is no tradition of dedicated data protection regulators in theUnitedStates,whichinsteadreliesonagencieswithnumerousother
162. GDPR,supranote7,art.83;CAL.CIV.CODE§1798.155(a)–(b). 163. FederalTradeCommissionAct,15U.S.C.§§41–58. 164. Health Insurance Portability and Accountability Act, 45 C.F.R. § 160.203(2002). 165. 15U.S.C.§§6501–6506. 166. TheCCPAdoes,however,authorizeprivatelawsuitsforanarrowsetofclaimsrelatedtodatasecuritybreaches. 167. GDPR,supranote7,arts.77–79. 168. Id.arts.51–59. 169. SeeLydiadelaTorre&GlennBrown,WhatIstheCaliforniaPrivacyProtectionAgency?, IAPP (Nov. 23, 2020), https://iapp.org/news/a/what-is-the-california-privacy-protection-agency[https://perma.cc/QL6A-CYDP].
1760 MINNESOTALAWREVIEW [105:1733
obligations, including theFTC, stateattorneysgeneral, and sectoralregulatorsinareassuchashealth,banking,oreducation.
Fourth, the regulatory styles of the two regimes differ greatly.Thiscancreatebothsubstantiveandculturalgaps.TheCCPAestab-lishes limited but granular requirements that California’s attorneygeneral has fleshed out further in recently promulgated regula-tions.170TheGDPR,ontheotherhand,consistsofbroadstandardsinitstextandreliesheavilyoncooperationwithcompaniesandvariousformsofguidance(includingtheGDPR’sRecitals,EuropeanDataPro-tectionBoardGuidelines,andinterpretationsfromindividualnationaldataprotectionauthorities)tofillinthedetails.171Inotherwords,theGDPR’sapproachtoregulationexemplifiescollaborativegovernance,also known as “coregulation” or “new governance.”172 The GDPR’svaguenessisarguablydeliberate.EUauthoritieswantedtoallowcom-paniesandsectorstofillindetailsofhowtocomplywiththelawovertime,whetherformallybyestablishingcodesofconductorcertifica-tionmechanisms(althoughthesehaveyettomaterializemorethantwoyearsaftertheGDPRcameintoforce),173orinformallythroughself-regulation,recordingandreporting,impactassessments,andon-goingconversationswithregulators.174Bycontrast,theCCPA’sgran-ularityappears,inplaces,tovaluedetailandcertaintyoveradaptabil-ity.
Forexample,wheretheGDPRsimplystatesthatitrequiresclar-ityandintelligibilityinitsaccessandnoticerights,thestatutorytextof the CCPA specifies that companies provide a toll-free telephonenumber and website address for consumers to make access re-quests.175 For those businesses subject to the CCPA’s opt-out, theCCPAmandatesaclearandconspicuous link titled “DoNotSellMyPersonalInformation”andadescriptionoftheconsumer’srighttooptoutofthesaleofpersonaldata.176TheCCPAregulationsgointoevenmoredetailabouttheprecisemodeandcontentrequiredfornoticeat
170. FinalTextofProposedRegulations,Cal.CodeRegs.tit.11,§§999.300–.337,CAL.OFF.ATT’Y GEN., https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf[https://perma.cc/CT9M-4G7M]. 171. SeeKaminski,supranote157;McGeveran,supranote20. 172. See,e.g.,JodyFreeman,CollaborativeGovernanceintheAdministrativeState,45UCLAL.REV.1,31(1997);OrlyLobel,TheRenewDeal:TheFallofRegulationandthe Rise of Governance in Contemporary Legal Thought, 89 MINN. L.REV. 342, 349(2004). 173. GDPR,supranote7,arts.40,42. 174. SeeKaminski,supranote157;McGeveran,supranote20. 175. CAL.CIV.CODE§1798.130(a)(1)(2018). 176. CAL.CODEREGS.tit.11,§999.305(f)(1)(2020).
2021] CATALYZINGPRIVACY 1761
collection,noticeofopt-out,noticeoffinancialincentive,andprivacypolicies.177 These examples demonstrate a stylistic difference be-tweenthetwolawsthatcouldhaverealconsequencesforbusinessestryingtocomplywithboth.Forcertainobligations,theCCPAanditsregulationsofferaclear,ifinflexible,roadmapforcompliance.Often,however,itissodetailedthatitcreatesthepossibilityofdivergencefromtheGDPR—evenwhereinbroadstrokesthetwolawsmightap-pearsimilar.
Finally,thebackdropagainstwhichthesetwoprivacylawswereenacted,orwhatwecalltheirlegalsetting,differssignificantly.Whilethe CCPA is constrainedby increasingly deregulatory FirstAmend-mentdoctrine,theGDPRisbackedbyEuropeancourtsthathavein-creasinglyrecognizedtheimportanceofbothprivacyanddataprotec-tion as fundamental rights.178 In recent years, these courts haveappliedtherighttobeforgottentosearchengines,179foundtheDataRetentionDirectivetoviolatefundamentalrights,180andtwiceinvali-dated the primary mechanism for transferring data to the UnitedStatesbecauseof fears thatAmericannationalsecuritysurveillancewouldtrampleonEuropeans’rights.181
Crucially,Europeanconstitutionalstructuresenforceaffirmativerightsagainstprivateconduct,notjustagainststateactorsasintheUnitedStates.182And,whileEuropeanconstitutionaltraditionssafe-guardtherighttofreedomofexpression,itisusuallybalancedagainstotherrights,anditcananddoesoftenloseouttoconstitutionaldataprotection rights.183 By contrast, the U.S. Supreme Court in recentyearshas interpretedfreespeechdoctrinetorestrictbothdatapri-vacy regulations and other consumer protection disclosure re-gimes.184SomeobserversworrythattheFirstAmendmentisbecom-inganincreasinglyblunttool,subjectingmanyregulationsconcerning
177. Id.§§999.305–.308. 178. Schwartz&Peifer,supranote76. 179. CaseC-131/12,GoogleSpainSLv.AEPD,ECLI:EU:C:2014:317,22(May13,2014). 180. CaseC-293/12,Digit.Rts.Ir.Ltd.v.MinisterforCommc’ns,Marine&Nat.Res.,ECLI:EU:C:2014:238,19(Apr.4,2014). 181. CaseC-362/14, Schremsv.DataProt. Comm’r, ECLI:EU:C:2015:650, 10–31(Oct. 6, 2015); Case C-311/18, Data Prot. Comm’r v. Facebook Ir. Ltd.,ECLI:EU:C:2020:559(July16,2020). 182. SeeSchwartz&Peifer,supranote76,at126,155. 183. AlecStoneSweet&JudMathews,ProportionalityBalancingandGlobalConsti-tutionalism,47COLUM.J.TRANSNAT’LL.73,90–149(2008);BilyanaPetkova,PrivacyasEurope’sFirstAmendment,25EUR.L.J.140,152(2019). 184. SeeinfraPartIII.D.2.
1762 MINNESOTALAWREVIEW [105:1733
privacyandothertopicstooften-fatalstrictscrutiny.185Additionally,theSupremeCourthasbeenskepticalofdataprivacyharms,incasesaddressingbothprivacydamagesandstandingtosue.186TheU.S.Con-stitution contains no explicit data privacy right, and the FourthAmendmentprotectsonlyagainststateaction,nottheactionsofpri-vateparties.187
Overall, these five differences overshadow the similarities. As-sertingthattheCCPAisremotelyequivalenttoadataprotectionre-gimeliketheGDPRoverstatestheimportanceofafewresemblances.ItistruethattheCCPAdepartsfromsomecommoncharacteristicsofpreviousU.S.privacylawandthatitoverlapswithsomeaspectsoftheGDPR.ButtheCalifornia law’smotivations,mechanisms,scope,andlegalsettingkeepitwellwithintheconsumerprotectiontraditionofAmericanprivacylaw.Thequestionnowiswhichofthesetwofunda-mentally different laws is catalyzing the recent legislative activityaroundprivacyinCongressandstatelegislatures.
III.CATALYZINGPRIVACYThestandardaccountoftransatlanticprivacydescribestwofun-
damentallyincompatibleprivacyregimesreflectingdeepphilosophi-caldividesbetweenlegalcultures.Accordingtothisstory,alaissez-faireapproach todataprivacy in theUnitedStates reflectsbroaderliberal norms thatprioritize individual autonomy in the faceof biggovernment,whilethemoreinterventionistEUapproachreflects“so-cial-protection norms” aimed at protecting human dignity.188 Re-searchers (including one of us) have argued that this conventionalwisdomoversimplifiesmattersbyfocusingondisparitiesinlaw-on-the-books and ignoring similarities in practices-on-the-ground.189Nonetheless,theEUandUnitedStateshavebeenunable,orat least
185. See,e.g.,MargotE.Kaminski,PrivacyandtheRightToRecord,97B.U.L.REV.167,173(2017);Scott Skinner-Thompson,RecordingasHeckling, 108GEO.L.J. 125,146(2019);Richards,supranote137,at1524.SeegenerallyAmandaShanor,TheNewLochner,2016WIS.L.REV.133. 186. SeeDoev.Chao,540U.S.614(2004);FAAv.Cooper,566U.S.284(2012);Clapperv.AmnestyInt’lUSA,568U.S.398(2013);Spokeo, Inc.v.Robins,136S.Ct.1540(2016);Frankv.Gaos,139S.Ct.1041(2019). 187. Some state constitutions do, however, provide an explicit right to privacy,evenagainstprivateparties.See,e.g.,CAL.CONST.art.1,§1(“Allpeoplearebynaturefreeandindependentandhaveinalienablerights.Amongtheseareenjoyingandde-fending...privacy.”). 188. SeeJoelR.Reidenberg,ResolvingConflictingInternationalDataPrivacyRulesinCyberspace,52STAN.L.REV.1315,1343(2000);Whitman,supranote76,at1161. 189. Bamberger&Mulligan,supranote20,at260;McGeveran,supranote20,at960.
2021] CATALYZINGPRIVACY 1763
disinclined,tocometoaninternationalconsensusondataprivacy,in-steadforgingsuigenerisandunstablebilateralarrangementsgovern-ingdatatransfersbetweenthetworegimes.190
TheCCPAandtheGDPRheraldapossibleparadigmshiftfordataprivacy. Rather than two fundamentally incompatible frameworks,oneEuropeanandoneAmerican,weidentifytheemergenceofaracebetweenCaliforniaandtheEuropeanUnionasregulatorycatalysts,drivingtheU.S.states,andpossiblytheU.S.federalgovernment,toen-actnewdataprivacylaws.191
ThisPartfirstoutlinestheargumentthattheGDPRhasbeenthedominantinfluenceonbothdefactoanddejurespreadofprivacylawworldwide.WearguethattheUnitedStatesrepresentsanexceptiontothisnarrative—anarrativethatlargely,andinourviewmistakenly,adheres to anotionofnation-states (and supranational entities) asunitary actors rather than considering the various players withinthem.192
Wethenexamineanumberofrecentlyproposedandseveralre-centlyenactedstateandfederaldataprivacylaws,aimingtoanswerthequestion:whichjurisdictionisdrivingthisracetoproposeanden-actnewprivacyrules?WefindthatalthoughthecommonlyacceptednarrativecreditsnewstrongEuropeanrulesasthedriver,193infact,the proposals in U.S. states have largely copied California. And alt-houghtheCCPAdoesnotalwaysprovidethesubstantivecontentforrecentlyproposedfederallegislation,ithasbeentheimpetusbehindthosebills.California,notEurope,iscatalyzingtherecentandongoingdevelopmentofU.S.dataprivacylaw.
ThestoryoftheCCPAanditsimitators,weargue,isnotthecom-monly assumed story about the unilateral power of Brussels. It
190. Seecasescitedsupranote181. 191. SaraMerken,StatesFollowEU,CaliforniainPushforConsumerPrivacyLaws(1),BLOOMBERGL.(Feb.6,2019,3:02PM),https://news.bloomberglaw.com/privacy-and-data-security/states-follow-eu-california-in-push-for-consumer-privacy-laws-1. 192. See, e.g., Harold Hongju Koh,How Is International Human Rights Law En-forced?,74IND.L.J.1397,1401–09(1999)(contrastingfivetheoriesofhowinterna-tionalhumanrightslawisenforced:power,self-interest,liberalexplanations,commu-nitarian explanations, and legal process explanations—and noting the role of“transnationalnormentrepreneurs”inlegalprocess(incontrasttostate-centrictheo-riessuchasrealism));Anne-MarieSlaughter,ALiberalTheoryofInternationalLaw,94AM.SOC’YINT’LL.PROC.240,241(2000)(describingliberalIRtheoryas“aviewthatpreservesanimportantroleforstatesbutdeprivesthemoftheirtraditionalopacity”incontrasttotraditionalIRtheory,“whichconceive[s]oftheinternationalsystemascomposed of unitary, identical state actorswith fixed preferences (the billiard ballmodel)”). 193. Seesupranotes10–14andaccompanyingtext.
1764 MINNESOTALAWREVIEW [105:1733
demonstrates instead hownetworked individuals can harness pro-cessesatthestateandlocalleveltopromotetheadoptionofnewlegalnorms.194Ratherthancausingaracetothebottom,thebackdropofwhatwecall“dataglobalization”bothinfluencesandempowersnormentrepreneursadvocatingforstricterrequirements.195
WhyareotherstatesnowcopyingtheCCPA?Wepositanumberofreasons.First,inanechooftheDelawareEffect,Californiamayhaveestablisheditselfnationallyasanexpertjurisdictionondataprivacylaw,throughboththeCCPAandnumerousearlierstatutesregulatingdataprivacy.196Second,sincesomanydata-centeredcompanieshaveasignificantpresenceinCalifornia,otherstatesmaybepresumingaCalifornia-driven“Brussels”Effect: that is,manycompaniesalreadycomplyingwiththeCCPAwithrespecttoCaliforniaresidentswoulddefactocomplywith,orbereadilyabletocomplywith,CCPA-likere-quirementsinotherstates.Third,statelegislatorsmotivatedtoenactprivacy protections are far more likely to model their laws on aroughly twenty-page lawfromaU.S. jurisdictionthana foreign lawconsistingof99articlesand173recitals.
WedonotdenythattheGDPRinfluencedthedirectionofAmeri-canprivacylaw.ItcertainlyreducedthecostsofcompliancewithnewAmericanprivacylawformultinationalsthatwerealreadybringingthemselvesintocompliancewiththeGDPR.ThestrongnewEuropeanlawalsobroughtattentiontothecomparativedeficitinU.S.law.Buttheeffect fromtheEUhasbeenmorecircumscribedthangenerallyreported,anditisclearlysecondarytoaveryrealCaliforniaEffect.
WewillclosePartIIIwithsomecautiouspredictions.Weexam-inesomeofthecountervailingforcesuniquetotheUnitedStatesthatmaycontainthespreadofprivacyrulesfromonejurisdictiontothenext,includingthedormantcommerceclause,thepossibilityoffed-eralpreemption,andtheFirstAmendment.Wehypothesize,however,thatthespreadofdataprivacylawintheUnitedStateswillcontinue,withtheCCPAasthenewminimumthresholdforprotection.Anewdata privacy equilibrium is being established in the United States,whether it progresses state-by-state, encourages development of
194. Seesupranote192. 195. For an argument of how to curtail the race to the bottomwith respect toonline service providers, see ANUPAMCHANDER,THEELECTRONICSILKROAD:HOWTHEWEBBINDSTHEWORLDINCOMMERCE166–69(2013). 196. See,e.g.,CAL.BUS.&PROF.CODE§22580(California“EraserLaw”allowingmi-norstherighttodeleteInternetcontentundercertaincircumstances);CALCIV.CODE§§1798.80–.84(California’spioneeringdatabreachnotificationlaw);CAL.BUS.&PROF.CODE §§22575–22579 (CaliforniaOnlinePrivacyProtectionAct of 2003,which re-quiredonlineprivacypoliciesandotherdisclosuresabouthandlingofpersonaldata).
2021] CATALYZINGPRIVACY 1765
modelstatelegislation,resultsinauniformfederallaw,orsomecom-binationoftheabove.
A. BRUSSELSASTHEWORLD’SPRIVACYCATALYSTAsPaulSchwartzandothershaveobserved,theGDPRisdriving
the enactment of new data privacy laws around theworld.197 Thismatcheswhatwedescribed in Part I as a (de jure) “California” Ef-fect.198
TheEUhasstrictlylimitedtheexportofpersonaldataoutsideoftheEUsincethe1995DataProtectionDirectivecameintoeffect,andthispolicycontinuedintheGDPR.199BoththeDirectiveandtheGDPRallowcrossbordertransfersofpersonaldataonlyinoneofthreeways.Twoofthemethodsarecumbersome,requiringindividualcompaniestogothroughcomplex,inflexible,andoftenbureaucraticprocessestoadopteither“bindingcorporaterules”or“modelcontractclauses.”200Thethirdmethodisthe“adequacymechanism,”whichoperatesonthenationallevelinsteadofatthelevelofanindividualorganization.IftheEuropeanCommissiondeclaresa foreigncountry’sdataprotec-tion laws and enforcement to offer an “adequate level of protec-tion,”201thendatacanflowtoanyorganizationinthatcountrywithnofurtherconstraint.Becauseanadequacyrulinggreatlysimplifiesdatatransferincomparisontothemoreonerousoptions,manycountrieshavesoughttomodifytheirlawstoobtainsucharuling.202
Theadequacyprocesscanthusbecharacterizedasadeliberatelegalexportstrategy.BymakingitmucheasierforcompaniesdoingbusinessintheEUtotransferdataacrossbordersiftheirhomejuris-dictionsadoptdataprotectionlawsthatsatisfyEuropeanauthorities,theEUdeployedtheBrusselsEffect(defactocompliance)tocauseaCaliforniaEffect(dejureregulatorychanges).AsSchwartzcautions,thedynamic ismore complicated in reality, becauseother jurisdic-tions have pushed back against the adequacy process, resulting in
197. SeegenerallySchwartz,supranote9,at771(“ThecornerstoneofEUlawinthisarea,theGeneralDataProtectionRegulation(GDPR),isnowwidelyregardedasaprivacylawnotjustfortheEU,butfortheworld.”). 198. SeesupraPartI.B. 199. SeeGDPR,supranote7,art.45;Directive95/46/EC,art.25,1995O.J.(L281). 200. GDPR, supra note 7, arts. 46–47 (describing binding corporate rules andstandardcontractualclauses,amongothermechanisms);Directive95/46/EC,art.25(outlining procedures for derogations from Article 25 limitations on cross-bordertransfers). 201. Directive95/46/EC,art.25(1). 202. SeeSchwartz,supranote9,at786–95(comparingUK,Japan,U.S.andnotingthatIsraelandothershavereceivedadequacydeterminations).
1766 MINNESOTALAWREVIEW [105:1733
moreofagive-and-takethanpureexport.203Butattheendoftheday,thelawsofothercountriesdolookmuchmorelikeEUlawthantheydidbeforetheiradequacydeterminations.
TheGDPRalsodemonstratesa(defacto)BrusselsEffect,spur-ring many multinational companies to comply with its provisionsworldwide,evenwhereother jurisdictionsdonotadjust their laws,andnotonlyforoperationsdealingwithEuropeanpersons.Someen-terprisesdecidedtoavoidGDPRexposurebyexcludingEuropealto-gether.204Forexample,theLosAngelesTimesandtheChicagoTribunedisabledaccessforInternetusersintheEU.205NationalPublicRadiotookadifferentapproach:“Userscouldeitheragreetothenewterms,ordeclineandbetakentoaplain-textversionofthesite,lookingforalltheworldlikeithadlastbeenupdatedin1996.”206Chinesesmart-homemanufacturerYeelightdisabled Internet-connected lightbulbsintheEuropeanUnion.207Forthesefirms,eventhepotentialbenefitsof serving the huge Europeanmarket could not justify the costs ofcomplianceortherisksofnon-compliance.AndsurelymanysmallerorganizationsdisregardGDPRrequirementsbecausetheirexposuretoEuropeisminor.
Nonetheless,whentheGDPRwentintoeffectinMay2018,peopleacrosstheworld,includingAmericans,beginreceivingafusilladeofmessagesfromcompaniesupdatingtheirprivacypolicies.Somecom-panies have adopted the compliance infrastructure required in theGDPR—designatingdataprotectionofficers, running impactassess-ments,bakinginsomeformofprivacybydesign—throughouttheirinternationaloperations.JustasthescholarshipontheBrusselsEffectanticipates,thesecompanieshavefounditdesirabletomaintainauni-fied firm-wide compliance architecture and adhered to the more
203. Id.(illustratingnegotiationsbetweentheEUandexternalcountriestoallowpersonaldatatoflowfreelybetweeneconomies). 204. RebeccaSentance,GDPR:WhichWebsitesAreBlockingVisitorsfromtheEU?,ECONSULTANCY (May 31, 2018), https://econsultancy.com/gdpr-which-websites-are-blocking-visitors-from-the-eu-2[https://perma.cc/9A2Y-XEHA]. 205. AlexHern&MartinBelam,LATimesAmongUS-BasedNewsSitesBlockingEUUsers due to GDPR, GUARDIAN (May 25, 2018), https://www.theguardian.com/technology/2018/may/25/gdpr-us-based-news-websites-eu-internet-users-la-times[https://perma.cc/76J5-5G2C] (noting that U.S. papers such as theNew York DailyNews,theBaltimoreSun,OrlandoSentinel,andtheSanDiegoUnion-Tribunealsodisa-bledaccess). 206. AlexHern& JimWaterson, SitesBlockUsers,ShutdownActivitiesandFloodInboxes as GDPR Rules Loom, GUARDIAN (May 24, 2018), www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect[https://perma.cc/4FYJ-PL5S]. 207. Id.
2021] CATALYZINGPRIVACY 1767
stringentGDPRrequirements.Afewcompanieshavegoneevenfur-therbyadoptingaspectsoftheGDPRotherthanitscompliancerules;Microsoft, for example, announced that itwould “extend the rightsthatareattheheartofGDPRtoallofourconsumercustomersworld-wide.”208
ThroughboththeDirectiveandtheGDPR,EUauthoritiessuccess-fully exported their approach to data protection to many placesaroundtheglobe,both throughnational responses to theadequacymechanismandinstitutionaleffortstounifydatacomplianceopera-tions.ButtheinfluenceofEUprivacylawhasbeenmuchmorelimitedinotherrespects,startingwithitscapacitytocatalyzelegalchangeintheUnitedStates.
B. BUTSEETHEUNITEDSTATESWhile theGDPR’sadequacymechanismand itsdirecteffecton
globalcompaniesmayenticeotherjurisdictionsworldwidetoenactoramenddataprivacylaw,itisnotthecatalystforrecentlyproposedlaws in theUnitedStates. Indeed,asPart II shows, theCCPA isnotmodeledontheGDPR,thoughbothsharesimilaritiesfoundedinthelong-establishedFairInformationPracticePrinciples.Theforcesbe-hindboththeCCPAanditscounterpartsacrosstheUnitedStatesdonotseekanadequacyrulingfromtheEuropeanUnion.Nearlyaquar-tercenturyofEuropeandataprotectionlawdidnotprompttheUnitedStatestotakeupabroadlawofitsown.
WhyhastheUnitedStatesgoneitsownway?Wewillnotelaterthat the exceptional American approach to free expression, and itstensionwithsomeportionsoftheGDPRframework,arelikelyinhib-itingfactors.Butwebelievethatanearliermomentofnormentrepre-neurshipwasequallycritical.
TheEUprohibitiononcross-borderdatatransfersbecameeffec-tivein1998undertheDataProtectionDirective.FacedwiththenearcertaintythatU.S.lawwouldnotbefoundadequateforunrestricteddataflowfromtheEuropeanUnion,209theClintonadministrationset
208. JulieBrill,Microsoft’sCommitmenttoGDPR,PrivacyandPuttingCustomersinControlofTheirOwnData,MICROSOFTBLOG (May21,2018),https://blogs.microsoft.com/on-the-issues/2018/05/21/microsofts-commitment-to-gdpr-privacy-and-putting-customers-in-control-of-their-own-data[https://perma.cc/2MG5-AJ49]. 209. AnadequacydeterminationwouldnothavebeenforthcomingfromtheEUwithoutdramaticlegalandregulatorychangesintheU.S.SeeOpinion1/99oftheWork-ingPartyontheProtectionofIndividualswithRegardtotheProcessingofPersonalData:ConcerningtheLevelofDataProtectionintheUnitedStatesandtheOngoingDiscussionsBetweentheEuropeanCommissionandtheUnitedStatesGovernment,at2,art.29(Jan.26,1999),https://ec.europa.eu/justice/article-29/documentation/opinion
1768 MINNESOTALAWREVIEW [105:1733
outtonegotiateanexceptionbecauseU.S.companieswantedtoavoidusingthemorecumbersomemechanismsfordatatransferavailableundertheEuropeanlaw.BolsteredbyitscloserelationshiptoEuropeaswellasAmerica’seconomicandothersoftpower,theClintonad-ministration worked out a bespoke exemption from the Europeanrules.AmericanandEuropeandiplomatsworkedforyearstonegoti-ateaseparatedatatradeagreementapplicableonlytotheirbilateralrelationship. In 2000, theClinton administration and theEuropeanCommission signed the “U.S.-EUSafeHarborAgreement,”whichal-lowedU.S.companiestocertifyannuallythattheyadheredtoanar-rowsetofgeneraldataprotectionprinciplesinordertotransferper-sonaldatafromtheEU.210
TheU.S.thusinoculateditselfagainstanycatalyzingeffectfromEUdataprotectionlaw,ofeitherthedefactoordejurevariety.TheEuropeanCommission(effectivelytheEU’sexecutivebranch)ratifiedtheSafeHarborasconsistentwithEUdataprotectionlaw.211Butina2015decision,theCourtofJusticeoftheEuropeanUnion,citingtherevelationsofEdwardSnowdenaboutthescopeofU.S.nationalsecu-ritysurveillance,struckdowntheSafeHarbor.212
Eventhen,theresponsewasnotfortheU.S.toconformitslawtotheEUadequacystandard,oreventoconcedethatAmericandatacon-trollerswould need to use one of the othermechanisms for cross-borderdatatransfers.Instead,thetwosidesreturnedtothenegotiat-ing table and reached a new compromise, known as the “EU-U.S.PrivacyShield.”213ThecarrotofadequacythatenticedcountriesfromArgentinatoThailandtochangetheirdataprivacylawsstillfailedto
-recommendation/files/1999/wp15_en.pdf [https://perma.cc/NR47-MKFU] (“[T]hecurrentpatchworkofnarrowly-focussedsectoral lawsandvoluntaryself-regulationcannotatpresentbereliedupontoprovideadequateprotectioninallcasesforper-sonaldatatransferredfromtheEuropeanUnion.”).ButseeChristopherWolf,DelusionsofAdequacy?ExaminingtheCaseforFindingtheUnitedStatesAdequateforCross-Bor-derEU-U.S.DataTransfers,43WASH.U.J.L.&POL’Y227(2014)(makinganadmittedlycontrarianargumentthatU.S.lawcouldbejudgedadequateundertheDataProtectionDirective). 210. SeeWelcometotheU.S.-EUSafeHarbor,EXPORT.GOV(Jan.12,2017),https://2016.export.gov/safeharbor/eu/eg_main_018365.asp[https://perma.cc/EKJ6-XFHY]. 211. SeeCommissionDecision2000/520,2000O.J.(L215)7. 212. CaseC-362/14,Schremsv.DataProt.Comm’r,ECLI:EU:C:2015:650(Oct.6,2015). 213. SeePrivacyShieldOverview, INT’LTRADEADMIN.,https://www.privacyshield.gov/Program-Overview[https://perma.cc/TA5G-KRVU].
2021] CATALYZINGPRIVACY 1769
moveU.S.privacylaw.214In2020,theEU’shighestcourtonceagaininvalidatedthespecialtransatlanticarrangementasstillinconsistentwithEUlaw.215ItremainstobeseenhowtheEUandU.S.willrespondthistime.ButthereislittleindicationthatAmericanjurisdictionshavebecome any more inclined to harmonize U.S. law with the GDPRmodel.
WenowturntoexaminetherecentextensivestateandfederallegislativeactivityintheUnitedStates.OurclosecomparisonoftheGDPRandtheCCPAinPartIandourexaminationbelowofvariousstateandfederalprivacybillsshowsthattheCCPA,nottheGDPR,hasplayedtheleadingroleinthelegislativeresponseacrosstheUnitedStates.ThevariousstatebillsareoftenmodeledonprovisionsoftheCCPA.FederalbillsinturnarethepoliticalresponsetostatelegislativeactivitypromptedbytheCCPA.
1. StateLawsSincetheadventoftheGDPRandtheCCPA,theUnitedStateshas
seen an unprecedented volume of legislative proposals that wouldregulatedataprivacyatthestatelevel.AccordingtotheNationalCon-ferenceof StateLegislatures, in2019alone, consumerprivacybillswere introduced or filed in at least twenty-five states and PuertoRico.216 Legislatures innearlyhalfof the states (twenty-onebyourcount)consideredorenacteddatasecuritybillsin2018and2019.217
214. Inarareexceptiontothisrule,aspartofthenegotiationsleadingtotheadop-tionofthePrivacyShield,theU.S.CongresspassedtheJudicialRedressActin2015,5U.S.C.§552a,tohelpassureEuropeansthattheywouldhavetheabilitytobringclaimsunderthePrivacyActof1974,5U.S.C.§552a,againstU.S.governmentalintrusions. 215. CaseC-311/18,DataProt.Comm’nv.FacebookIr.Ltd.,ECLI:EU:C:2019:1145(Dec.19,2019). 216. 2019ConsumerDataPrivacyLegislation,NAT’LCONF.ST.LEGISLATURES(Jan.3,2020),http://www.ncsl.org/research/telecommunications-and-information-technology/consumer-data-privacy/calif.aspx[https://perma.cc/6WNL-RX4P]. 217. See,e.g.,AlabamaDataBreachNotificationActof2018,ALA.CODE §8-38-1(2018);ActAmendingTitle44,Chapter11,ArizonaRevisedStatutes,byAddingArticle2RelatingtoConsumerHouseholdGoods,ARIZ.REV.STAT.ANN.§§44-1611to-1616(2019); California Consumer Privacy Act of 2018, CAL.CIV.CODE § 1789.175 (West2019);ActConcerningStrengtheningProtections forConsumerDataPrivacy,COLO.REV.STAT.ANN.§§6-1-713,6-1-716(West2019);S.240,101stGen.Assemb.,1stReg.Sess.(Ill.2019)(introducedasConsumerCreditReportingAgencyRegistrationandCybersecurityProgramAct);ActToAmendandReenactR.S.51:3073(2)and(4)(a)and3074,Relative to theDatabaseSecurityBreachNotificationLaw,LA.STAT.ANN.§§51:3073to:3074(2019)(requiringorganizationstodestroyinformationandex-pandsdefinitionofPII);S.786,439thGen.Assemb.(Md.2019);H.R.904,2019Gen.Assemb.,2019Sess.(N.C.2019);NEB.REV.STAT.ANN.§§87-801,87-806(West2019);S.176,54thLeg.,1stSess.(N.M.2019);S.5575,2019Leg.,2019–2020Reg.Sess.(N.Y.
1770 MINNESOTALAWREVIEW [105:1733
Dataprivacyanddatasecurityarerelatedbutnotidenticalissues,218although legislators frequently conflate them—evidenced by Colo-rado’s“dataprivacy”law,whichfocusesondatasecuritymatters.AtleasttenstatesconsideredprivacylawsaimedatInternetservicepro-viders(ISPs),presumablyinresponsetoCongress’s2017repealoftheFederal Communications Commission’s broadband privacy rules.219And legislators inmanystatesproposednarrowerprivacy laws,ontopicsfromstudentprivacytotheprotectionofbiometricorgeoloca-tioninformation.220
2019); SecurityBreachNotificationAct,OKLA.STAT.ANN. tit. 24, §§ 162–166 (West2008);ActRelatingtoActionsAfteraBreachofSecuritythatInvolvesPersonalInfor-mation,OR.REV.STAT.ANN.§§646A.602,.604,.606,.608,.610,.622(West2011);H.R.1181,2019–20Gen.Assemb.,2019Sess.(Pa.2019);InsuranceDataSecurityAct,S.C.CODEANN.§§38-99-10to-100(2019);ActToProvidefortheNotificationRelatedtoaBreachofCertainDataandToProvideaPenaltyTherefor,S.D.CODIFIEDLAWS§§22-40-19to-26(2019);ActToAmendTennesseeCodeAnnotated,Title47,RelativetoReleaseofPersonalInformation,TENN.CODEANN.§47-18-2107(West2019);ActRe-latingtothePrivacyofPersonalIdentifyingInformationandtheCreationoftheTexasPrivacyProtectionAdvisoryCouncil,H.R.4390,86thLeg.,Reg.Sess. (Tex.2019);S.156,2017–2018Gen.Assemb.,2018Sess.(Vt.2018);H.R.1071,66thLeg.,2019Reg.Sess.(Wash.2019);ActToAmendtheCodeofVirginiabyAddingaSectionNumbered58.1-341.2,RelatingtoNotificationofTaxReturnDataBreach,VA.CODEANN.§58.1-341.2 (2018).Virginia also introducedabill in2018 to amendand reenact section59.1-200relatedtotheVirginiaConsumerProtectionAct.Thebilldiedincommittee.H.D.1588,2018Gen.Assemb.,Reg.Sess.(Va.2018). 218. SeeDerekE.Bambauer,PrivacyVersusSecurity,103J.CRIM.L.&CRIMINOLOGY667,668–69(2013)(“Whilelegalscholarstendtoconflateprivacyandsecurity,theyaredistinctconcerns.”);WilliamMcGeveran,TheDutyofDataSecurity,103MINN.L.REV.1135,1141(2019)(“Datasecurityisjustoneelementofthebroaderconceptofdataprivacy;thelatteralsorelatestothecollection,use,anddisclosureorpersonaldatainadditiontoitssecurestorage.”). 219. BrianFung,TrumpHasSignedRepealof theFCCPrivacyRules.Here’sWhatHappens Next., WASH. POST (Apr. 4, 2017, 6:42 AM), https://www.washingtonpost.com/news/the-switch/wp/2017/04/04/trump-has-signed-repeal-of-the-fcc-privacy-rules-heres-what-happens-next [https://perma.cc/RK25-UD2A]; see H.R.230,30thLeg.,1stSess.(Ala.2017);H.R.232,30thLeg.,1stSess.(Ala.2017);H.R.277,30thLeg.,2dSess.(Ala.2018);S.160,30thLeg.,2dSess.(Ala.2018)(thesefourAlaskabillsdied);H.R.80,29thLeg.,2018Reg.Sess.(Haw.2018)(introducingataskforceonISPprivacy);S.243,2019Gen.Assemb.,Reg.Sess.(Ky.2019);S.275,129thLeg.,1stReg.Sess.(Me.2019);H.D.1655,2018Gen.Assemb.,Reg.Sess.(Md.2018);H.D.141,2020GenAssemb.,Reg.Sess.(Md.2020);H.R.382,191stGen.Ct.,Reg.Sess.(Mass.2019); H.R. 1030, 91st Leg., Reg. Sess. (Minn. 2019); S. 1553, 90th Leg., Reg. Sess.(Minn.2018);H.R.457,66thLeg.,2019Sess. (Mont.2019)(failed incommittee);S.2641,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.3711,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.1927,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.1527,218thLeg.,Reg.Sess.(N.J.2018);S.5245,242dLeg.,2019–2020Reg.Sess.(N.Y.2019);H.R.246,2019–20Gen.Assemb.,2019Reg.Sess.(Pa.2019). 220. See,e.g.,H.R.2354,87thGen.Assemb.,Reg.Sess. (Iowa2018);GeolocationPrivacyProtectionAct,H.R.2785,101stGen.Assemb.,1stReg.Sess.(Ill.2019);H.R.
2021] CATALYZINGPRIVACY 1771
Ourfocushereisontheunprecedentedflurryofcomprehensivedataprivacylegislation.Restrictingthefocustocomprehensivedataprivacylaws,wecountatleastseventeenstatesinadditiontoCalifor-niaandPuertoRicothatconsideredorenactedcomprehensivedataprivacylawsin2018and2019.221Fivestatesestablishedtaskforceswiththegoalofproposingdataprivacylegislation.222Includingtaskforces, there were in 2018 and 2019 at least nineteen states (andPuertoRico)consideringorenactingcomprehensivedataprivacyleg-islation.223InCalifornia,theCaliforniaPrivacyRightsAct(CPRA),en-actedviaballotinitiativeinNovember2020butwithmostprovisionsnotgoingintoeffectuntilJanuary2023,establishesthenewCaliforniaPrivacyProtectionAgency,aprivacy-specificregulatorinthatstate.224Inadditiontotheseindividualstateproposals,theUniformLawCom-mission(ULC)isdevelopingaproposeduniformlawthatwouldes-tablish“acomprehensivelegal frameworkforthetreatmentofdataprivacy,”guidedtoalargedegreebythescopeoftheCCPA.225TheULC
536-FN,2019Gen.Ct.,Reg.Sess.(N.H.2019)(addingbiometricinformationtothecon-sumerprotectionact);H.R.2866,80thLegis.Assemb.,2019Reg.Sess.(Or.2019)(add-inggeolocationinfo);H.R.352,111stGen.Assemb.,Reg.Sess.(Tenn.2019)(makingunauthorizeduse or distribution of personal health information a violation of con-sumerprotectionlaw);S.110,2019–2020Gen.Assemb.,2020Sess.(Vt.2020)(stu-dentprivacylaw);H.D.2535,2019Gen.Assemb.,Reg.Sess.(Va.2019)(requiringsitestoletminorsrequesttoremoveinformation). 221. SeeS.418,30thLeg.,Reg.Sess.(Haw.2019);H.R.3358,101stGen.Assemb.,Reg.Sess.(Ill.2019);H.R.465,2019Leg.,Reg.Sess.(La.2019);S.275,129thLeg.,1stReg.Sess.(Me.2019);H.D.901,2019Gen.Assemb.,Reg.Sess.(Md.2019);S.120,191stGen.Ct.,Reg.Sess.(Mass.2019);H.R.2917,91stLeg.,Reg.Sess.(Minn.2019);H.R.592,100thGen.Assemb., 1stReg. Sess. (Miss. 2019); S. 220,80thSess.,Reg. Sess. (Nev.2019,codifiedatChap.211);Gen.Assemb.4640,218thLeg.,Reg.Sess.(N.J.2018);Gen.Assemb.4902,218thLeg.,Reg.Sess.(N.J2019);S.176,54thLeg.,1stSess.(N.M.2019);Assemb.7736,2019–2020Leg.Sess.,Reg.Sess.(N.Y.2019);S.5642,2019–2020Leg.Sess.,Reg.Sess.(N.Y.2019);H.R.1049,2019–2020Gen.Assemb.,Reg.Sess.(Pa.2019);H.R.5930,2019Gen.Assemb.,Reg.Sess.(R.I.2019);H.R.4518,86thLeg.,Reg.Sess.(Tex.2019);H.R.764,2017–2018Gen.Assemb.,Reg.Sess.(Vt.2018);S.5376,66thLeg.,2019Reg.Sess.(Wash.2019). 222. S.1108,2019Gen.Assemb.,Jan.Sess.(Conn.2019);H.R.225,30thLeg.,Reg.Sess.(Haw.2019);H.R.249,2019Leg.,Reg.Sess.(La.2019);H.R.1485,66thLeg.As-semb.,Reg.Sess.(N.D.2019);H.R.4390,86thLeg.,Reg.Sess.(Tex.2019)(establishingtheTexasPrivacyProtectionAdvisoryCouncil). 223. NorthDakotaandConnecticutareeachcountedonceinouranalysis,asbothstatesproposedcomprehensivedataprivacylegislationandultimatelyinsteadestab-lishedataskforce. 224. SeedelaTorre&Brown,supranote169. 225. KatieRobinson,NewDraftingandStudyCommitteesToBeAppointed,UNIF.L.COMM’N (July 24, 2019, 4:37 PM), https://www.uniformlaws.org/committees/community-home/digestviewer/viewthread?MessageKey=bc3e157b-399e-4490-9c5c-608ec5caabcc&CommunityKey=d4b8f588-4c2f-4db1-90e9-48b1184ca39a&
1772 MINNESOTALAWREVIEW [105:1733
hasdraftedandpromotedhundredsofmodelstatutes,fromtheUni-formCommercialCodetotheUniformTradeSecretsAct.OncetheULCvotestopublishmodelbills,itisuptoindividualstatelegislaturestoadoptthem.226
Wefocushereonafewoftheseproposalstoidentifytheirintel-lectualoriginsineithertheCCPAortheGDPR.Wefindthat,despitepopularclaimstothecontrary,thecatalysisfordataprivacyproposalsinstatelegislaturesisemanatingnotfromBrussels,butfromCalifor-nia.
Take, forexample,Connecticut’sproposedcomprehensivedataprivacybill,SB1108.Theoriginalversionofthebill,introducedinJan-uary2019,effectivelycopiedtheCCPA,withminoredits.Thedefini-tionof“personalinformation”wasidentical;thedefinitionofacov-ered “business” was identical.227 Like the CCPA, the proposedConnecticutbillgranted individualsaccessrights,228aright todele-tion,229andarighttooptoutofthesaleofone’sdata.230LiketheCCPA,theproposedConnecticutbillprohibitedbusinessesfromdiscriminat-ingagainstconsumersforexercisingtheirrights.231TheproposedbillsocloselytrackedtheCCPA’srequirementsthatit,too,requiredatoll-freenumberforrequestingaccess,andaconspicuous“DoNotSellMyPersonalInformation”linkforoptingoutofsale.232Ultimately,how-ever,legislatorsreplacedthebillwithasubstituteactestablishingatask force concerning consumer privacy, signed into law on July 9,2019.233TheActinstructsthetaskforceto“examinewhatinformationbusinesses in this state should be required to disclose to
tab=digestviewer#bmbc3e157b-399e-4490-9c5c-608ec5caabcc [https://perma.cc/98JG-TQQ3]. 226. See FAQs, UNIF. L. COMM’N, https://www.uniformlaws.org/aboutulc/faq[https://perma.cc/8XGL-CALF].OneoftheauthorsofthisArticle,WilliamMcGeveran,previouslyservedas thereporter for thecommitteedrafting thismodel legislation;anotheroftheauthorsofthisArticle,MargotKaminski,servesasresearchdirectorfortheDevelopmentsinPrivacyLawCommittee. 227. Compare California Consumer Privacy Act of 2018, CAL. CIV. CODE§1798.140(c)(defining“business”),and id.§1798.140(o)(defining“personalinfor-mation”),with S. 1108§1(3),2019Gen.Assemb., Jan. Sess. (Conn.2019) (defining“business”),andid.§1(15)(defining“personalinformation”). 228. Conn.S.1108§§2,4,6. 229. Id.§3. 230. Id.§7. 231. Id.§8. 232. Id.§§9(1),10(1). 233. SeegenerallySubstituteforRaisedS.B.No.1108SessionYear2019,CONN.GEN.ASSEMB., https://www.cga.ct.gov/asp/cgabillstatus/cgabillstatus.asp?selBillType=Bill&which_year=2019&bill_num=Sb+1108[https://perma.cc/A6F7-NZF2].
2021] CATALYZINGPRIVACY 1773
consumers...[s]uchexaminationshallinclude,butnotbelimitedto,theCaliforniaConsumerPrivacyActof2018,asamended,toconsiderwhatprovisionscouldbeimplementedinthisstate.”234
Massachusetts’sproposeddataprivacybill,S.120,providesan-other clear example of thismimicry.235 Also introduced in January2019,S.120containslanguageidenticaltotheCalifornialawinmul-tipleplaces.LiketheCCPA,theproposedMassachusettsbillappliesto“businesses,” and like theCCPA, this includesbothbusinesseswithgrossrevenuesoveracertainthreshold(tenmilliondollarsinMassa-chusetts,twenty-fivemilliondollarsinCalifornia)andbusinessesthatderivefiftypercentormoreofannualrevenuefromthedisclosureofpersonalinformation.S.120’sexceptionforpubliclyavailableinfor-mation,too,almostperfectlyadoptsCCPAlanguage.236WhileS.120doesnotcontaintheCCPA’sexhaustive listofexamplesofpersonalinformation,itscoredefinitionofpersonalinformationdiffersbyjustoneword.237TheproposedMassachusettsbillwouldestablishnotice,access,anddeletionrequirementsthatlargelycorrespondtothoseintheCCPA.238LiketheCCPA,therightsarenotwaivable.239
Insomeplaces,theproposedMassachusettsbillisstrongerthantheCCPA.Itgivesconsumerstherighttooptoutofnotjustthesaleofpersonalinformation,butalsoofthird-partydisclosure.240Andunlikethe CCPA, it provides for a private right of action, with statutory
234. SubstituteS.1108§1(a),2019Gen.Assemb.(Conn.2019). 235. MarkD.Quist,ComprehensiveDataPrivacyLegislationIntroducedinMassa-chusetts–IncludesPrivateRightofActionWithoutaNeedToProveHarm,MONDAQ(Feb.15, 2019), http://www.mondaq.com/unitedstates/x/781198/Data+Protection+Privacy/Comprehensive+Data+Privacy+Legislation+Introduced+In+Massachusetts+Includes+Private+Right+Of+Action+Without+A+Need+To+Prove+Harm[https://perma.cc/CZ8S-QK2M]. 236. Compare California Consumer Privacy Act of 2018, CAL. CIV. CODE§1798.140(o)(2)(2018),withS.120§1(m)(1),191stGen.Ct.(Mass.2019). 237. CompareMass.S.120§1(m)(1)(defining“personal information”as“infor-mationthatidentifies,relatesto,describes,iscapableofbeingassociatedwith,orcouldreasonably be linked, directly or indirectly,with a particular consumeror the con-sumer’sdevice”(emphasisadded)),withCAL.CIV.CODE§1798.140(v)(1)(defining“per-sonalinformation”as“informationthatidentifies,relatesto,describes,isreasonablycapableofbeingassociatedwith,orcouldreasonablybelinked,directlyorindirectly,withaparticularconsumerorhousehold”(emphasisadded)). 238. Mass.S.120§2(requiringdisclosureofcategoriesofpersonalinfo,businesspurpose,consumerrights,andmore);id.§3(establishingtherighttorequestspecificpiecesofpersonalinfo,namesofthirdpartiestowhomdisclosed,sources,andbusi-nesspurpose);id.§5(coveringtherighttodeleteinfocollectedfromtheconsumer);id.§6(includingtherighttooptoutofthird-partydisclosureinsteadofsale). 239. CompareCAL.CIV.CODE§1798.192,withMass.S.120§14. 240. Mass.S.120§6.
1774 MINNESOTALAWREVIEW [105:1733
damages of $750 per consumer per incident, plus attorney fees.241MirroringtheCCPA,itdirectsthestateattorneygeneraltowritereg-ulationsandempowersthatofficetoenforcethenewprivacyrules.242
Also,inJanuary2019,NorthDakotaintroduceddataprivacyleg-islation243with significant similarities to the CCPA. That legislationseemstohavebeeninspiredbyanewsreportaboutEuropeanprivacylawthatoneofthedrafterswatched.244Despitethisinspiration,whenthetimecametodraftabill,NorthDakotaalsolookedtoCaliforniaforsubstantive language.245 The bill defined a coveredbusiness nearlyword-for-wordidenticallytotheCCPA’sdefinition.246Thedefinitionof“personalinformation,”too,closelytrackedthatintheCCPA.247Itcreated a right of access similar to the CCPA’s.248 Unlike the CCPA,however,inafewprovisions,theNorthDakotabillemulatedamore
241. Id.§9. 242. Id.§§10–11. 243. H.R.1485,66thLeg.Assemb.(N.D.2019). 244. See SaraMerken,States FollowEU, California inPush forConsumerPrivacyLaws (1), BLOOMBERG L. (Feb. 6, 2019, 3:02 PM), https://news.bloomberglaw.com/privacy-and-data-security/states-follow-eu-california-in-push-for-consumer-privacy-laws-1 [https://perma.cc/8A8X-9MUW] (“North Dakota Rep. Jim Kasper (R) toldBloombergLawthathedecidedtointroducelegislationafterwatchinga‘60Minutes’programaboutthenewrightstheEU’sGeneralDataProtectionRegulationprovidestoEUcitizens.”). 245. Id.(notingthatsomestateshave“largelyfollow[ed]theleadofCalifornia”indraftingconsumerprivacylaws). 246. CompareN.D.H.R.1485,§51-37-01(“[A][c]overedentity ...a.Hasannualgrossrevenuesinexcessoftwenty-fivemilliondollars;b.Annuallybuys,receives,sells,orsharespersonal informationofat least fifty thousandconsumers,households,ordevices;orc.Derivesatleastfiftypercentofitsannualrevenuesfromsellingpersonalinformation.”), with California Consumer Privacy Act of 2018, CAL. CIV. CODE§1798.140(c)(West2018)(definingbusinessas“[a]soleproprietorship,partnership,limitedliabilitycompany,corporation,association,orotherlegalentitythat...(A)Hasannualgrossrevenuesinexcessoftwenty-fivemilliondollars...(B)Aloneorincom-bination, annually buys, receives for the business’s commercial purposes, sells, orsharesforcommercialpurposes,aloneorincombination,thepersonalinformationof50,000ormoreconsumers,households,ordevices.(C)Derives50percentormoreofitsannualrevenuesfromsellingconsumers’personalinformation.”). 247. Compare N.D. H.R. 1485 § 51-37-01 (“‘Personal information’ means infor-mationthatidentifies,describes,orcouldreasonablybelinkedwithaparticularindi-vidual.Thetermdoesnotincludepubliclyavailableinformationlawfullymadeavaila-ble to the general public from federal, state, or local government records.”),withCaliforniaConsumerPrivacyActof2018,CAL.CIV.CODE§1798.140(o)(1)(West2018)(“‘Personalinformation’meansinformationthatidentifies,relatesto,describes,isrea-sonablycapableofbeingassociatedwith,orcouldreasonablybe linked,directlyorindirectly,withaparticularconsumerorhousehold.”). 248. N.D.H.R.1485§51-37-03(providingthatupon“requestfromanindividual,acoveredentityshalldisclose”thecontentofpersonaldatathatitpossesses).
2021] CATALYZINGPRIVACY 1775
Europeanapproach;forexample,itwouldhaveprohibiteddisclosureofpersonalinformationwithoutexpresswrittenconsent(moreofanopt-inthananopt-out)anditwouldhavecreatedaprivaterightofaction.249Ontheotherhand,otherdeparturesfromtheCCPAtookitfurther fromtheGDPR,because it lackedanoticerequirementorarighttodeletion.Ultimately,thebillwasreplacedbyaproposalforalegislativestudyofdataprivacylaws.250
Thesethreestatesarejustasamplingofthisdynamic.Wefindproposalsinatleastsevenotherstatesthatcouldsimilarlybecharac-terizedasCCPAclonestoalargedegree.251BillsinMississippi,Penn-sylvania,andRhodeIsland,likethoseinConnecticutandMassachu-setts,copiedportionsoftheCCPAwholesale.252OneproposedTexasbilllargelytrackedtheCCPAaswell.253Texasultimatelyenactedadif-ferentbillintolaw,theTexasPrivacyProtectionAct;whileinitiallyittoowasabroaddataprotectionlaw,itwasultimatelyamendedtocre-ateacounciltoreportbackonproposedstatutorychanges.254InIlli-nois, theproposedDataTransparencyandPrivacyActwouldapplytheCCPAdefinitionof“businesses”andwouldgrantconsumersbothnotice and access rights and a right to opt out of sale, although it
249. Id.§51-37-02(“Prohibitionagainstdisclosureofpersonalinformationexceptuponwrittenconsent.”);id.§51-37-05(“Ifanindividual’spersonalinformationispur-chased,received,sold,orsharedbyacoveredentityinviolationofthischapter,theindividualmaybringacivilactioninacourtofthisstate....”). 250. N.D. H.R. 1485; see also N.D. LEGIS. COUNCIL, DISCLOSURE OF CONSUMERS’PERSONALDATA—BACKGROUNDMEMORANDUM (2019),https://www.legis.nd.gov/files/resource/committee-memorandum/21.9058.01000.pdf[https://perma.cc/7U2L-7BLV](noting that “HouseBillNo.1485wasamended toprovide foramandatoryLegislativeManagementstudyonprotections,enforcements,andremediesregardingthedisclosureof consumers’personaldata, andbothchamberspassed thebill asamandatorystudy”). 251. SeeRachelR.Marmor,MaryamCasbarro,Monder“Mike”Khoury&NancyLi-bin,“CopycatCCPA”Bills Introduced inStatesAcrossCountry,DAVISWRIGHTTREMAINLLP(Feb. 8, 2019), https://www.dwt.com/blogs/privacy—security-law-blog/2019/02/copycat-ccpa-bills-introduced-in-states-across-cou[https://perma.cc/E6NB-XAFU](“Legislatorsinninestateshaveintroduceddraftbillsthatwouldimposebroadobligationsonbusinessestoprovideconsumerswithtransparencyandcontrolofper-sonaldata.”). 252. H.R.1253,2019Leg.(Miss.2019);H.R.1049,2019Gen.Assemb.(Pa.2019);H.R.5930,2019Gen.Assemb.(R.I.2019). 253. H.R.4518,86thLeg.(Tex.2019).Bycontrast,H.R.4390,86thLeg.(Tex.2019)takesamoreblendedCCPA-GDPRapproach. 254. Tex.H.R.4390;seeEmilyBruemmer,DavisWrightTremaineLLP,StateandFederalPrivacyLegislationStalls,JDSUPRA(June28,2019),https://www.jdsupra.com/legalnews/state-and-federal-privacy-legislation-63216 [https://perma.cc/D2GZ-5P9H](notingthatHouseBill4390createdanadvisorycounciltostudydataprivacylawsinTexasandotherjurisdictions).
1776 MINNESOTALAWREVIEW [105:1733
carvedout theuseofdata foradvertisingandotherexemptions.255Maryland’sbillandHawaii’soriginalbill (laterreplacedwithataskforce) offered a set of rights for data subjects similar to the CCPA,thoughtheydifferinsomesignificantrespects.256
Nevadaisoneoftheonlystatestonotjustconsiderbutactuallyenactnewdataprivacylawinthisperiod.Thenewlaw,expandingonpreviously existingprotections,went intoeffect in2019.257Nevadalawhadalreadyrequiredwebsitesandonlineservicesthatcollectcer-tainpersonal information toprovidenotice to consumers.258WhilenotdirectlyimportinglanguagefromtheCCPA,thenewNevadalawechoes the conceptual core of the CCPA by prohibiting companiesfromsellingconsumerinformationonreceiptofa“verifiedrequest”fromtheconsumertooptout.259Thatsaid,thenewNevadalawprovesconsiderablylessambitiousinscopethantheCCPA:itcoversanar-rowerdefinitionofpersonal information, andanarrower subsetofbusinesses, and requires less of them (no access requests, nodele-tion).260Italsodefines“sale”lessbroadlythandoestheCCPA.261Butitsfocusonanopt-outforrestrictingsaleofpersonaldataisdistinctlyCalifornian,andnotEuropean.262
Insummary:aconsiderablenumberofstatesaremimickingthepreciselanguageoftheCCPA,whileothersareadoptingitscorecon-sumer-oriented framework. No state has proposed adopting Euro-pean-style comprehensive data protection law.We found very fewstate proposals that even focused onGDPR-like compliance obliga-tions in addition to individual consumer rights, includingWashing-ton’srecentlyfailedPrivacyAct263(discussedfurtherbelow)andoneofthetwobillsproposedinTexas.264OneofNewYork’sproposalsre-flectsathirdcompetingconceptofdataprivacy,whichweintroduceanddiscussinthenextSection.265Butourcloseanalysisclearlyshows
255. H.R.3358,101stGen.Assemb.(Ill.2019). 256. S.418,30thLeg.,Reg.Sess.(Haw.2019);S.613,2019Gen.Assemb.,Reg.Sess.(Md.2019);seealsoMarmoretal.,supranote251(describingthedifferencesbetweenthestates’draftlaws). 257. S.220,80thSess.(Nev.2019). 258. NEV.REV.STAT.§603A.340(2019). 259. Nev.S.220,§2.2(codifiedatNEV.REV.STAT.§603A.345). 260. Nev.S.220. 261. Id.§1.6.1. 262. Id.§2.2. 263. WashingtonPrivacyAct,S.5376,66thLeg.,Reg.Sess.(Wash.2019). 264. H.R.4390,86thLeg.(Tex.2019). 265. S.5642,2019–2020Leg.Sess,Reg.Sess.(N.Y.2019);seeIssieLapowsky,NewYork’s Privacy Bill Is Even Bolder Than California’s, WIRED (June 4, 2019),
2021] CATALYZINGPRIVACY 1777
thatCalifornia,notEurope,iscatalyzingcomprehensivedataprivacylegislationinstatesaroundthecountry.
2. FederalLawsWhilestatebillsaretypicallymodeledontheCCPA,manypro-
posedfederalprivacybillsmaynotlookmuchliketheCCPAatall.Yet,weargue,theyareclearlydraftedinresponsetoit.Therewerebyourcountatleasttenfederaldataprivacyproposalsintroducedin2018and 2019.266 New federal bills continue to be introduced all thetime.267WecompareseveraloftheseproposedfederallawstoshowhowtheydifferfromboththeGDPRandtheCCPA—andnotehowathirdmodel has also emerged.We close this Section by explainingwhy,nonetheless,theCCPAcanbeunderstoodastheprimarycatalystoffederaldataprivacyproposals.
We compare below the following proposed legislation to theCCPA and GDPR: Senator Ron Wyden’s Consumer Data ProtectionAct,268 SenatorMarco Rubio’s American Data Dissemination Act,269andSenatorBrianSchatz’sDataCareAct.270Weconcludethatthesub-stantiveprovisionsofseveralofthebillsdrawfromolderprivacylawsorfromacademicproposals,nottheGDPRortheCCPA.Atleastamong
https://www.wired.com/story/new-york-privacy-act-bolder[https://perma.cc/HMH4-EEGM](describingtheNewYorkPrivacyAct). 266. Seesupranote6(listingcomprehensiveprivacybillscurrentlybeingconsid-eredinCongress).SeegenerallyCameronF.Kerry,BreakingDownProposalsforPrivacyLegislation:HowDoTheyRegulate?,BROOKINGS(Mar.8,2019),https://www.brookings.edu/research/breaking-down-proposals-for-privacy-legislation-how-do-they-regulate[https://perma.cc/2XML-YBRU](discussinghowdifferentdataprivacypro-posalsmayinteractwithexistingregulatoryframework);TimPeterson,CirclingClosertoaFederalPrivacyLaw,CongressHas Introduced7PrivacyBillsThisYear,DIGIDAY(June 25, 2019), https://digiday.com/marketing/cheatsheet-know-7-privacy-bills-congress-introduced-year[https://perma.cc/GC3V-ERD6](describingdifferentfed-eraldataprivacyproposals). 267. See,e.g.,ZackWhittaker,ANewSenateBillWouldCreateaU.S.DataProtectionAgency,TECHCRUNCH(Feb.13,2020,4:00AM),https://techcrunch.com/2020/02/13/gilliband-law-data-agency[https://perma.cc/9568-6NNH](discussinganewbillpro-posedbySenatorKirstenGillibrandcalledtheDataProtectionAct);GeoffreyA.Fowler,NobodyReadsPrivacyPolicies.ThisSenatorWantsLawmakersToStopPretendingWeDo, WASH. POST (June 18, 2018, 7:00 AM), https://www.washingtonpost.com/technology/2020/06/18/data-privacy-law-sherrod-brown [https://perma.cc/87D2-7LMW](discussinganewbillproposedbySenatorSherrodBrowncalled theDataAccountabilityandTransparencyAct). 268. S.SIL18B29,115thCong.(2018). 269. S.142,115thCong.(2019). 270. S.3744,115thCong.(2018).
1778 MINNESOTALAWREVIEW [105:1733
thebillsanalyzedhere,onlySenatorWyden’sbillshowsdirectsignsofinfluencefromboththeCCPAandGDPR.
TheproposedConsumerDataPrivacyAct(CDPA),271introducedbySenatorWydeninNovember2018,incorporateslanguageandcon-ceptsfromboththeCCPAandGDPR,yetdiffersfromboth.Forexam-ple, liketheCCPA,theCDPA’sdefinitionofpersonalinformationfo-cusesonwhether information isnot just individually identifiedbut“reasonably linkable” to an individual.272 Like the CCPA, the CDPAdoesnotcoverbusinessesbelowacertainsize,aslongastheymeetotherrestrictions.273TheCDPA,however,wouldincorporateanum-berofaspectsoftheGDPR:itwouldrequirereportinginsomecircum-stances;274 createaccess rights,275 includingwithrespect tocompa-niesthatlackadirectrelationshipwithconsumers;276createarightofcorrection;277 and require impact assessments for automated deci-sion-making.278UnlikeeithertheGDPRorCCPA,however,theCDPAwouldbuildenforcementaroundarobustconsumerrighttooptoutof data sharing with third parties.279 The CDPA directs the FTC topromulgate regulations, and houses enforcement with the FTC, towhich it allocates considerable additional resources.280 It does notpreemptstateregulation.
TheproposedDataCareAct(DCA)introducedinDecember2018by Senator Schatz with fourteen cosponsors, differs fundamentally
271. S.SIL18B29,115thCong.(2018). 272. Compareid.§2.12(defining“personalinformation”as“anyinformation,re-gardlessofhowtheinformationiscollected,inferred,orobtainedthatisreasonablylinkabletoaspecificconsumerorconsumerdevice”),withCaliforniaConsumerPri-vacyActof2018,CAL.CIV.CODE§1798.140(o)(1)(West2018)(defining“personalin-formation”as“informationthatidentifies,relatesto,describes,isreasonablycapableofbeingassociatedwith,orcouldreasonablybelinked,directlyorindirectly,withaparticularconsumerorhousehold”). 273. CompareS.SIL18B29,115thCong.§2.5(B)(i)(2018)(excludingcompanieswithlessthanfiftymilliondollarsinaverageannualgrossreceiptsandrequiringthattheynotcollectinformationonoveronemillionpeopleanddevicesandarenotdatabrokers),withCAL.CIV.CODE§1798.140(1)(A)(2018)(excludingcompanieswithlessthantwenty-fivemilliondollarsinannualgrossrevenues). 274. S.SIL18B29,115thCong.§5(2018). 275. Id.§7(b)(1)(D). 276. Id.§7(b)(1)(D)(iii);seeGDPR,supranote7,art.14(“Informationtobepro-videdwherepersonaldatahavenotbeenobtainedfromthedatasubject”). 277. S.SIL18B29§7(b)(1)(F). 278. Id.§7(b)(1)(G). 279. Id.§7(b)(1)(D)(iii). 280. Seegenerallyid.
2021] CATALYZINGPRIVACY 1779
fromboth theCCPAandGDPR.281TheDCAwould imposedutiesofcare, loyalty,andconfidentialityononlineserviceproviders.282TheDCAfocusesondutiesowedbycompanieswithadirectrelationshiptoconsumers,notondatabrokersorotherthirdparties.283Thus,theDCA advances a consumer protection rather than data protectionmodel of privacy and does not impose any of the transparency re-quirementsthatarecentraltoboththeCaliforniaandEUregimes.TheDCAembodies an emerging strain of thought about privacy amongU.S.scholarswhoadvocateredefiningprivacyasamatterof“trust”or“fiduciary-likeduty”onthepartoflarge-scaledatacollectors.284The“informationfiduciary”modelofdataprivacyhasnotbeenlimitedtoSenatorSchatz’s federalproposal; the recentNewYorkPrivacyActwasmodeledontheconcept.285Thisshowsthepossibilityofathirdpotentialcatalystonthefield—theconceptofan“informationfiduci-ary,”stemmingfromanumberofacademicproposals—andindicatesperhapsanupcomingbattleofthenormentrepreneurs,discussedfur-therbelow.
281. DataCareActof2018(DCA),S.3744,115thCong.(2018).TheDCAwouldputenforcementinthehandsoftheFTC,alreadyresponsibleforenforcingaspectsofU.S.dataprivacyunder itsconsumerprotectionauthority. Id.§4(a).TheActwouldnotpreemptstateprivacylaws,althoughstateattorneysgeneralwouldbepreventedfrombringingenforcementactionsduringanFTCenforcementaction.Id.§5. 282. Id.§3. 283. Id. 284. See ARI EZRA WALDMAN, PRIVACY AS TRUST: INFORMATION PRIVACY FOR ANINFORMATIONAGE(2018)(advocatingforadataprivacymodelbaseduponacontextoftrust);Balkin,supranote137,at1186(discussing“theconceptofaninformationfidu-ciary”);LindseyBarrett,ConfidinginConMen:U.S.PrivacyLaw,theGDPR,andInfor-mationFiduciaries,42SEATTLEL.REV.1057,1087–106(2019)(arguingthatfiduciarydutiesshouldbeappliedtodatacollectors);NeilRichards&WoodrowHartzog,Pri-vacy’s Trust Gap: A Review, 126 YALE L.J. 1180, 1219–23 (2017) (reviewing FINNBRUNTON&HELENNISSENBAUM,OBFUSCATION:AUSER’SGUIDEFORPRIVACYANDPROTEST(2015),anddiscussinghowtopromotetrustinadigitalworldandholddatacollectorsresponsible);NeilRichards&WoodrowHartzog,TakingTrustSeriouslyinPrivacyLaw,19STAN.TECH.L.REV.431,434(2016)(“Ifwewantasustainabledigitalsociety,weneedstrong,trustedinformationrelationships[betweenconsumersanddatacollec-tors].”);TimWu,AnAmericanAlternativetoEurope’sPrivacyLaw,N.Y.TIMES(May30,2018),https://www.nytimes.com/2018/05/30/opinion/europe-america-privacy-gdpr.html[https://perma.cc/49ZK-87WG](“[T]heUnitedStatesmayneedto...relyonjudgesandstatelawtoestablishthatthelegalconceptof‘fiduciaryduty’canapplytotechnologycompanies.”).Foracritique,seeLinaM.Khan&DavidE.Pozen,ASkep-ticalViewofInformationFiduciaries,133HARV.L.REV.497(2019),whichidentifiesis-sueswiththetheoryofinformationfiduciaries. 285. S.5642,2019–2020Leg.Sess,Reg.Sess.(N.Y.2019);seeBruemmeretal.,su-pranote254(“[T]heNewYorkPrivacyAct includedtheconceptofa ‘datafiduci-ary’....”);Lapowsky,supranote265(“[T]heNewYorkbillwould ...requirebusi-nessestoactasso-called‘datafiduciaries’....”).
1780 MINNESOTALAWREVIEW [105:1733
The proposed American Data Dissemination Act (ADD), intro-ducedbySenatorRubioinJanuary2019,directstheFTCtoproposeprivacyrules “substantiallysimilar, to theextentpracticable, to therequirementsapplicabletoagencies”underthe1974PrivacyAct.286Unlike thePrivacyAct,287whichappliesonly to the federalgovern-ment,theseruleswouldapplytoprivatesectoractorsthatcollectcer-taintypesofpersonalinformation.288TheADDresemblestheGDPRandCCPAonlytotheextentthatthosetworegimes,likethe1974Pri-vacyAct,buildonFairInformationPracticePrinciples.289ItdirectstheFTCtoadoptregulationsthatrestrictdisclosuresofrecords;290createanaccessright;291andcreateacorrectionrightofsorts,oratleastameanstoamendanddisputeinaccuraterecordsbasedonprocesses-tablishedundertheFairCreditReportingAct.292Thus,theADDdrawsonneithertheCCPAnortheGDPRdirectly,butinsteadusesexistingfederalprivacylawasitsmodel.TheADDwouldpreemptstatepri-vacylaws.293
WhilethethreefederalbillsdonotmimictheCCPAtotheextentstatelawsdo,theCCPAlaidthegroundworkforfederallegislationintwokeyways.First,becauseU.S.corporationswithnationalreachwilllikelyfindthemselveshavingtocomplywiththeCCPA(andpossiblyalsotheGDPR),afederalrulepresentslessofaregulatoryburdenforU.S.corporationsthanitwouldhaveintheabsenceoftheCCPA.Sec-ond,manyhopetolimitthepotentialregulatoryburdenofmultiple,varyingstatelawsbyenactingafederallawthatpreemptsstatelaws.Giventheflurryofactivityinstatehousesacrossthecountry,afederallawseems tomanybusinesses like the “leastworst”option. In thissense,thefederalresponsemaywellbeabacklashagainsttheCCPAratherthananembraceofit.
286. American Data Dissemination Act of 2019, S. 142, 115th Cong. § 4(a)(2)(2019). 287. PrivacyActof1974,5U.S.C.§552a. 288. S.142,115thCong.§2(a)(5)(2019)(defining“coveredproviders”). 289. FairInformationPracticePrinciples,INT’LASS’NPRIV.PROS.,https://iapp.org/resources/article/fair-information-practices/#:~:text=(1)%20The%20Collection%20Limitation%20Principle,2)%20The%20Data%20Quality%20Principle[https://perma.cc/EY8C-92GD](describingtheeightprinciples). 290. AmericanDataDisseminationActof2019,S.142,115thCong.§4(b)(1)(B)(2019). 291. Id.§4(b)(1)(C). 292. Id.§4(b)(1)(D)–(E). 293. Id.§6.
2021] CATALYZINGPRIVACY 1781
C. CALIFORNIAASU.S.PRIVACYCATALYSTTheaboveanalysis—inPart II comparing theCCPAandGDPR,
andinthisPartaboveanalyzingindetailanumberofrecentstateandfederalproposals—leadsustoanewunderstandingofwhatishap-peningintheracetoinfluenceU.S.dataprivacylaw.Thetruestoryismorecomplex,andmoreinteresting,thantheconventionalnarrativeofalong-armed,unilateralBrussels.California,notEurope,hasbeencatalyzingprivacyproposalsacrosstheUnitedStates.
In thisSection,weoffer thisalternativestory.WebeginwithadiscussionofhowourdeparturefromtheGDPR-centricnarrativeismore than justashift in location fromBrussels toSacramento.ThestoryofCaliforniaastheU.S.dataprivacycatalyst involvesnot juststategovernmentactorsbutalsotightlynetworkednormentrepre-neurs,actingagainstbackdropforcesofwhatwecall“dataglobaliza-tion.”ThespreadoftheCCPAtootherstates,weposit,reflectsanum-berofoverlappingdynamics,andtheinfluenceoftheGDPRisonlyoneofthem.ThisversionofthestorymaybemessierthanapureBrusselsEffect,butitismoreaccurateandleadstoseveralinsightsaboutthenearfutureofU.S.dataprivacylaw.
ThetheoriesofregulatorycatalysisthatwediscussedinPartIareessentiallyrealistorrationalchoicetheoriesoflawmaking.Thatis,theBrusselsEffectlargelyconceivesofStates(andstates)asunitaryac-tors,usingpowertoachievecomplianceonaninternationalstageorbalancingstickswithcarrots todrivebothgovernmentandprivateentitiestowardsrationallychoosingaregulatorygoal.
The story of theCCPA,when examined in greater detail, is farmorecomplex.ItisnotthestoryofCaliforniaasaunifiedstateactorbutofacollectionof individualnormentrepreneursthatharnessedthestatelegislativeprocesstoproducethelaw.Inthissense, it isalegalprocessstorymadeupnotjustofgovernmentsbutofindividu-als,issuenetworks,andinterpretativecommunities,onethatreflectsHaroldKoh’scharacterizationofverticallegalprocessinstyleifnotintransnationalnature.294
IftheoriginstoryoftheCCPAteachesanything,itisthatindivid-ualsandnetworksofindividualsplaysignificantrolesintheprocessofregulatorycatalysis.Before2018,California, likeeveryotherU.S.
294. SeegenerallyKoh,supranote192,at1406(explainingcompliancewithinter-nationallawnormsinpartthrough“theverticalprocesswherebytransnationalactorsinteractinvariousfora,generateandinterpretinternationalnorms,andthenseektointernalizethosenormsdomestically”);HaroldHongjuKoh,TransnationalLegalPro-cess,75NEB.L.REV.181(1996)(providingabroadoverviewoftransnationallegalpro-cessanditssignificanceininternationallegalscholarship).
1782 MINNESOTALAWREVIEW [105:1733
stateandthefederalgovernment,hadnocomprehensivedataprivacylaw.RealestatedeveloperAlastairMactaggartwantedtoenactsuchlaw inCalifornia.295Mactaggartandhis friendRickArney,whohadworkedintheCalifornialegislature,knewtheycoulduseCalifornia’sreferendumprocesstoavoidbeingtangledupbylobbyingintheleg-islature.296MactaggartbefriendedMaryStoneRoss,whohadworkedfor theCIA and theHouse IntelligenceCommittee.297 They collabo-ratedondraftingtheballotinitiativethroughagrouptheynamedCal-ifornians for Consumer Privacy, the political committee that thenpushed the bill (although Ross and Mactaggart later had a fallingout).298 Mactaggart looked up privacy experts, and contacted UCBerkeleyProfessorChris JayHoofnagle,whoputhim in touchwithformer FTC Chief Technologist Ashkan Soltani.299 Mactaggart thenhiredSoltanitohelprevisetheproposedballotinitiative,thebonesofwhichbecametheCCPA.300Then,asSoltanihasputit,“Mactaggart...offered SiliconValley a take-it-or-leave-it privacy policy—the samekindthatSiliconValleyusuallyofferedeveryoneelse.”301
ByusingtheCaliforniaballotinitiativeprocess,Mactaggartandhisalliesforcedthestatelegislature’shand.302TheCalifornialegisla-ture,fearingthepracticaldifficultiesofaballotinitiativethatwouldbecomenearlyunchangeablelawwithimmediateeffect,303scrambled
295. SeeNicholasConfessore,TheUnlikelyActivistsWhoTookOnSiliconValley—andWon,N.Y.TIMESMAG.(Aug.14,2018),https://www.nytimes.com/2018/08/14/magazine/facebook-google-privacy-data.html[https://perma.cc/PG7Y-A9FM]. 296. Id. 297. KashmirHill,HowaWomanDisappearsfromtheHistoryBooks,JEZEBEL(Aug.20, 2018), https://jezebel.com/how-a-woman-disappears-from-the-history-books-1828393645[https://perma.cc/J7C9-2CHP]. 298. Seeid.(noting“personalityconflicts”betweenMactaggartandRoss). 299. Confessore,supranote295. 300. Id. 301. Id. 302. Id.Theinitiativegatheredsome629,000signatures.Id. 303. Amendinganinitiativeapprovedbythevoters“wouldrequirea70percentvoteofeachhouseandsignaturebythegovernor,”andanyamendmentwouldhavetobe“consistentwith,andfurthertheintentof,theact.”EdwardR.McNicholas,ColleenTheresaBrown,AmyLally,MichaelMallow&AshNagdev,California’sGDPR?SweepingCaliforniaPrivacyBallotInitiativeCouldBringSeaChangetoU.S.PrivacyRegulationandEnforcement, SIDLEY AUSTIN LLP (June 26, 2018), https://datamatters.sidley.com/californias-gdpr-sweeping-california-privacy-ballot-initiative-could-bring-sea-change-to-u-s-privacy-regulation-and-enforcement[https://perma.cc/KZ9G-RNH2];KristenJ. Mathews & Courtney M. Bowman, The California Consumer Privacy Act of 2018,PROSKAUER ROSE LLP (July 13, 2018), https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018[https://
2021] CATALYZINGPRIVACY 1783
todraftabill thatwouldpersuadetheinitiative’ssponsorstowith-drawit.304StateAssemblymemberEdChauandStateSenatorRobertHertzberg, both fromdistricts neighboring LosAngeles, introducedthebill.305TheenactmentoftheCCPAdoesnotrepresenttheactionofalegislaturethatindependentlyrecognizedasocialproblemitcouldhelpaddressoraresponsespurredbycompaniesadvocatingforleg-islationunderthepressuresoftheGDPR.Instead,itwasthelegisla-ture’s reaction to leverage exerted by highlymotivated, connected,and—atleastinMactaggart’scase—wealthyindividuals.306
Ratherthancausingaracetothebottom,thebackdropofdataglobalizationappearstohavebothinfluencedandempoweredthesenormentrepreneurs.First,newsstoriesabouttheeffectsofdataglob-alizationenabledMactaggarttoframetheimportanceoftheinitiative,ashe repeatedlypointed to the storyof theBritish consulting firmCambridgeAnalyticausingU.S.persons’datatoallegedlymanipulatevotersinthe2016election.307InthepreambletotheCCPA,theCali-fornia legislatureeventuallyechoedthismotivation.308Second,data
perma.cc/8A87-JZJW](“[I]tcanbeverydifficulttoamend[California]ballotinitiativesoncetheyarevotedintolaw.”). 304. SeeConfessore,supranote295(“[Mactaggart]...toldCalifornialawmakersthathewoulddrophiscampaigniftheycouldpassareasonableprivacybillbyJune28,thelegalpointofnoreturnforformallywithdrawinghis initiativefromthebal-lot.”);Assemb.375,2018Leg.§2(g)(Cal.2018)(enacted)(“InMarch2018,itcametolightthattensofmillionsofpeoplehadtheirpersonaldatamisusedbyadataminingfirmcalledCambridgeAnalytica.”). 305. SeeAssemb.375,2018Leg.§2(g)(Cal.2018)(enacted)(enactingtheCalifor-niaPrivacyActof2018). 306. Tosomeextent, aspectsof theGDPRreflect thisdynamic, too.SeeCaseC–362/14,Schremsv.DataProt.Comm’r,ECLI:EU:C:2015:650(Oct.6,2015)(invalidat-ingtheEUSafeHarborarrangementinfavorofprivacyadvocateSchrems). 307. CambridgeAnalyticaLLC,DocketNo.9383,2019WL6724446(FTCNov.25,2019);seeCaseyNewton,HowaWileyCalifornianBeatGoogleandFacebook’sInfluenceOperation, VERGE (Aug. 15, 2018), https://www.theverge.com/2018/8/15/17691004/california-data-privacy-law-alastair-mactaggart-regulation [https://perma.cc/9CZY-WDKG](“Mactaggartbenefitedfromincreasedskepticismabouttechcompaniesbroadly,buthealsogotanunexpectedgiftthisspring:theCambridgeAnalyticadataprivacyscandal.”).ForanargumentthattheactualimpactoftheCambridgeAnalyticamisuseofinformationonthe2016U.S.electionwas“likelyexaggerated,”seeYOCHAIBENKLER, ROBERT FARIS & HAL ROBERTS, NETWORK PROPAGANDA: MANIPULATION,DISINFORMATION,ANDRADICALIZATIONINAMERICANPOLITICS277(2018). 308. Assemb.375,2018Leg.§2(g)(Cal.2018)(“InMarch2018,itcametolightthattensofmillionsofpeoplehadtheirpersonaldatamisusedbyadataminingfirmcalledCambridgeAnalytica.A series of congressional hearingshighlighted that ourpersonalinformationmaybevulnerabletomisusewhensharedontheInternet.Asaresult, ourdesire forprivacy controls and transparency indatapractices isheight-ened.”).
1784 MINNESOTALAWREVIEW [105:1733
globalizationmayhaveloweredsomeofthebiggerhurdlestoprivacylawmakinginCalifornia(andpossiblyCongress)byimposingGDPRcompliancecostsonthelargeSiliconValleyenterprises,almostallofwhichhaveasubstantialEuropeanpresence.FacedwithsignificantprivacycompliancecostsfromtheGDPR,themarginalcostofastateprivacystatutetotheirbusinessmodelwasnowmuchlower.Third,dataglobalizationenabledtheGDPRitselftotouchU.S.citizensintheformofbothupdatedprivacypoliciesandnewsstoriesaboutprotec-tiveEuropeanprivacy law.309Thisaffectedbothpublicopinionandeliteresponses,whethercausingU.S.citizenstowonderwhyEurope-ansshouldgetprivacyprotectionsthatwedonot,orinspiringlaw-makers like theNorthDakota legislator to takeactiononaprivacybill.310
What happened next—the spread of the CCPA—was intendedandpredictedbyitsoriginators,whohypothesizedthat,likeCaliforniaemissionsstandards,abaselinedataprivacylawwouldspread.311Weofferfourexplanations,beyondtheusualdynamicsoftheCaliforniaEffect,astowhythisishappening.
First,evenpriortotheCCPA,Californiaestablisheditselfnation-allyasanexpertjurisdictionondataprivacylaw,givenbothpreviouspioneeringlegislationandthepresenceofSiliconValleywithinitsbor-ders.Californiahasbeenaforerunnerinlawsgoverningonlinedataprivacyanddatasecurityforoverfifteenyears.TheCaliforniaOnlinePrivacyProtectionAct(CalOPPA)wasenactedin2003andwentintoeffect in 2004.312 It was the first U.S. law “to require commercial
309. See, e.g.,AdamSatariano,GDPR, aNewPrivacy Law,MakesEuropeWorld’sLeadingTechWatchdog,N.Y.TIMES(May25,2018),https://www.nytimes.com/2018/05/24/technology/europe-gdpr-privacy.html(“[T]heEuropeanUnion ... enacts theworld’stoughestrulestoprotectpeople’sonlinedata.”). 310. See,e.g.,BrookeAuxer,LeeRainie,MonicaAnderson,AndrewPerrin,MadhuKumar&EricaTurner,AmericansandPrivacy:Concerned,ConfusedandFeelingLackofControloverTheirPersonalInformation,PEWRSCH.CTR.(Nov.15,2019),https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information[https://perma.cc/QN3J-EX93](“[A]majorityofAmericansreportbeingconcernedaboutthewaytheirdataisbeingusedbycompanies....”). 311. Confessore,supranote295(notinghowMactaggartcomparesprivacylegis-lationtoauto-emissionlegislation). 312. CAL.BUS.&PROF.CODE§§22575–22579(West2014).
2021] CATALYZINGPRIVACY 1785
websitesandonlineservicestopostaprivacypolicy.”313Intheinter-veningyears,privacypolicieshavebecomeubiquitousacrosstheIn-ternet.314
Also,in2003,Californiaenactedadatabreachnotificationlaw:legalrulesrequiringcompaniesthathavesufferedaqualifyingdatasecurity breach to notify users whose information may have beencompromised.315 Prior to California’s intervention, few companiesvoluntarilydisclosedsecuritybreachesof theircustomers’personalinformation, fearing the public relations disaster of such a revela-tion.316 At first, some companies limited their compliancewith thenewdatabreachnotificationlawtothebordersofCalifornia.In2004,thedatabrokerChoicePointsufferedahugedatabreach.317Initially,it reported that breach to Californians only, as the state’s law re-quired.318However,observersquicklynotedhowodditwouldbeifadatabreachatanAtlanta-basednationwideoperationaffectedonlyCalifornians.Facedwithintensecriticismforfailingtoinformcustom-ersoutsideCalifornia,ChoicePointvoluntarilyissuedanationwideno-tice to allAmericanswhose informationhadbeen compromised.319
313. CaliforniaOnlinePrivacyProtectionAct(CalOPPA),CONSUMERFED’NCAL.EDUC.FOUND.(July29,2015),https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3[https://perma.cc/QL8G-499H]. 314. See,e.g.,supranote208andaccompanyingtext. 315. CAL.CIV.CODE§1798.82(West2003)(providingdisclosurerequirementsforanypersonorbusinessinCaliforniawhoownsorlicensescomputerizeddata,includ-ingpersonalinformation,whenthereisasecuritybreachofthesystem). 316. SAMUELSONL.,TECH.&PUB.POL’YCLINIC,UNIV.CAL.-BERKELEYSCH.L.,SECURITYBREACHNOTIFICATIONLAWS:VIEWS FROMCHIEFSECURITYOFFICERS 15 (2007), https://www.law.berkeley.edu/files/cso_study.pdf[https://perma.cc/5BG7-8VDN](conduct-ing interviews with businesses and noting that “all the organizations interviewednotedconcerns thatapublicnotificationofabreachwoulddamage theirorganiza-tions’reputationandthetrustbehindtheirname”). 317. TomZeller Jr.,BreachPointsUpFlaws inPrivacyLaws,N.Y.TIMES (Feb.24,2005), https://www.nytimes.com/2005/02/24/business/breach-points-up-flaws-in-privacy-laws.html[https://perma.cc/G6MH-GWJW](notingthatthedatabreachal-lowedconartiststoaccess“personaldataofnearly145,000people”). 318. Seeid.(“ChoicePointinformedonly35,000Californiansthattheirinformationmight have been compromised in [breach] because California is currently the onlystatethatrequirescompaniestomakesuchdisclosures.”). 319. ChoicePointexplaineditsdelayinnotifyingnon-Californiansasfollows:“ThecompanysaiditfirstnotifiedconsumersinCaliforniabecausethatwaswheremostofthevictimslived,andthenpreparedmorenoticeswheninvestigatorssuggestedthatresidentsinnearlyeverystatewereaffected.”Id.Mostanalystsdiscreditthisexplana-tion.See,e.g.,RonaldI.Raether,Jr.,ThereHasBeenaDataSecurityBreach:ButIsNoticeRequired?,A.B.A.(Aug.31,2011),http://apps.americanbar.org/buslaw/blt/content/2011/08/article-raether.shtml [https://perma.cc/E57W-NQLT] (“ChoicePoint de-cided initially to notify only California consumers. The backlash was swift and
1786 MINNESOTALAWREVIEW [105:1733
Thisnotificationalsoresulted inanenforcementactionbytheFTC.ChoicePoint,aproviderofcreditreportingservices,hadviolatedthefederalFairCreditReportingActbyallowingaccesstosome163,000consumerreportstopersonswhowerenotdulyauthorizedtoreceiveaccess.320Sofar,thisstoryresonateswithouraccountoftheBrusselsEffect:alargebusinessfounditunwisetocompartmentalizeitscom-plianceeffortsbasedon the lawofparticular jurisdictionsandwasforcedtoprovideahigherlevelofprotectionacrossitsoperations.
By2005,theCaliforniabreachnotificationlawhadunleasheda“wave”ofadditionalreportedsecuritybreachesinthestate.321Thesenotifications inCalifornia alerted consumersnationally of breachesthatmighthaveaffectedthembutremainedunreportedundertheirownstates’laws.Veryswiftly,inatextbookdejureCaliforniaEffect,dozensofotherstatesadoptedtheirownnotificationlaws.322Today,allfiftystateshaveenacteddatasecuritybreachnotificationlaws.323ThelawsthatfollowedCalifornia’snotonlycopiedbutalsobothex-panded324 and contracted325 California’s model. And in 2018, the
immediate.ChoicePointquicklymodifieditsdecisionandnotifiedallaffectedconsum-ersregardlessoftheirstateofresidency.”). 320. Natalie Kim,Three’s a Crowd: Towards Contextual Integrity in Third-PartyDataSharing,28HARV.J.L.&TECH.325,330(2014);seePaulM.Schwartz&EdwardJ.Janger,NotificationofDataSecurityBreaches,105MICH.L.REV.913,923(2007)(de-scribingChoicePoint’ssettlementwiththeFTC).TheFTC-ChoicePointsettlementalsoauthorizedtheFTCtomonitorcomplianceby“[p]osingasconsumersandsuppliers”ofChoicePoint.SeeStipulatedFinalJudgement&Orderat19,UnitedStatesv.Choice-Point Inc., No. 1:06-cv-0198 (N.D. Ga. Jan. 26, 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069stip.pdf [https://perma.cc/P9N9-3T9U]. 321. SatishM.Kini&JamesT.Shreve,NoticeRequirements:CommonThemesandDifferences intheRegulatoryandLegislativeResponsestoDataSecurityBreaches,10N.C.BANKINGINST.87,87(2006). 322. SeeSAMUELSONL.,TECH.&PUB.POL’YCLINIC,supranote316,at3(“Atleast36stateshaveenactedlegislationrequiringorganizationsthatpossesssensitivepersonalinformationtowarnindividualsofsecuritybreaches.Californialedthewayinthecre-ationoftheselaws,drivenbyconcernsaboutidentitytheftandlaxinformationsecu-rity.InfollowingCalifornia’slead,otherstateshaveexpandedupontherequirementsoftheCaliforniastatuteby,forexample,requiringthatorganizationsreportbreachestoastateregulatoryagency.”). 323. Security Breach Notification Laws, NAT’L CONF. ST. LEGISLATURES (July 17,2020),http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx[https://perma.cc/3ZXZ-WA2C]. 324. See SAMUELSONL.,TECH.&PUB.POL’YCLINIC, supra note 316, at 9 (“[M]anystateshaveexpandedthedefinitiontoincludevariousothersformsofpersonalinfor-mation....”). 325. Id.at44(“[M]anystateshavealsonarrowedCalifornia’snotificationtriggerbyexemptingnotificationtoconsumersonlyif,uponareasonableinvestigation,theorganization reasonably determines that harm is not likely to result to individuals
2021] CATALYZINGPRIVACY 1787
GDPRintroducedsecuritybreachnotificationintoEuropeanlaw,ex-plicitlyborrowingfromCalifornia’sinnovation.326
ThishistoryoffollowingCalifornialawlaysthegroundworkforstatestoimitatetheCCPA.AndCaliforniamaybeseenasanexpertjurisdictionondigitaldatapolicyforotherreasons.Ifastatelegisla-tureisgoingtocopyanotherstateandwantstostrikeabalancebe-tweenindividualrightsandbusinessneeds,Californialawrepresentsanappealinglypre-packagedcompromisefromthestatethathousesbothagenerallypro-consumerelectorateandSiliconValleyindustry.
Second,webelievestatesmaybecopyingCaliforniabecausetheypresumethattheCCPAwillcreateaBrusselsEffectofdefactocompli-ance,originatinginCalifornia.Thisisprobablypartofwhatcausedthecopycatdatabreachnotificationstatutes.Lawmakersinotherstatesshouldanticipatethatcompaniesarelesslikelytoopposeabill if ittracks the contours of a California law that those businessesmustobey already. Even though the CCPA protects only California resi-dents,companiesmayfinditdifficulttopartitionthatdataormaycal-culatethecostis lowenoughtoextendtheircomplianceinfrastruc-turetoconsumersinotherstates.ThismakesthosecompanieswithexposuretotheCCPA,butnottotheGDPR,lesslikelytofightalocallawthatmimicstheCCPA.
Third,comparedtotheGDPR,theCCPAisabetterlegalmemeforU.S.legislators.327TheGDPRcontains99articlesand173recitals,anditharnessesanexistingcomplexregulatorysystemagainsttheback-drop of European court decisions and constitutional doctrine. TheGDPRislong,complicated,andforeign.328TheCCPA’srelativebrevityandsimplicity,however,likelymakeitmoreappealingtostatelegis-latures.Astatecouldonly “copy” theGDPRaftercondensing itandtransposing it into an American legal setting. A state can copy theCCPAsimplybycuttingandpasting.
Fourth,whilenotdirectlycatalyzingU.S.privacylaw,theGDPRcontinuestoplayanimportantrole.ForthemostparttheGDPRhasnothada(dejure)“CaliforniaEffect”ontheU.S.federalgovernmentorU.S.states,butithashada(defacto)“BrusselsEffect”oncompanies
whoseinformationiscompromisedbythebreach.Vermontrequiresthat,ifanorgan-izationmakessuchadetermination,theorganizationmustprovidenoticeandanex-planationtotheAttorneyGeneralortotheapplicabledepartmentofbanking,insur-ance,securitiesandhealthcareadministration.”). 326. SeeGDPR,supranote7,art.33(“Notificationofapersonaldatabreachtothesupervisoryauthority.”). 327. WethankChristinaMulliganforthisinsightfulcharacterization. 328. Seesupranote73andaccompanyingtext.
1788 MINNESOTALAWREVIEW [105:1733
operatinginU.S.jurisdictions.ThismaylowertheresistanceofglobalcompaniestobothstateandU.S.dataprivacylaw.WhilemanyofthecompaniesmostaffectedbytheGDPRwerealreadyshoulderingreg-ulatorycostsunderthepriorDataProtectionDirective,theGDPRhasheavierobligations,moreexplicitextraterritorialreach,andmorese-verepenalties,allofwhichhavedramaticallyincreasedcorporatein-vestmentinGDPRcomplianceoverthelevelsundertheDirective.
AclearexampleofthisdynamicistheproposedWashingtonPri-vacyAct,whichhastwicecomerelativelyclosetopassageonlytofaillate intheprocess.329ThisbillhadmoresimilaritieswiththeGDPRthanotherstatelegislation.330ItusedGDPRterminologysuchas“con-troller”and“processor.”331Itwouldhaveestablished“GDPRlite”re-quirementsfornotice,access,correction,deletion,andrestrictionofprocessingrequirements,andwouldhaveimportedaspectsoftheEUconceptoflawfulprocessing.332Unlikeotherproposedstatelaws,theWashingtonbillincludedprivacyriskassessments,anotherideabor-rowedfromtheGDPR.333ItevendrewontheGDPR’slimitationsonautomateddecision-making.334
The key to understanding why theWashington proposal bor-rowedsomanyelementsoftheGDPRmaybeoneofthestate’slargestcompanies:Microsoft.335Microsofthasdeclaredthatitcomplieswith
329. S.5376,66thLeg.,Reg.Sess.(Wash.2019). 330. Id. 331. Seegenerallyid.;GDPR,supranote7,art.33(usingtheterms“controller”and“processor”). 332. Wash.S.5376§7(requiringcontrollerstoprovidesconsumersaprivacyno-ticethatincludes:thecategoriesofpersonaldatacollected,purposesforwhichthatdataisused,rightsthatconsumersmayexercise,categoriesofpersonaldatasharedwiththirdparties,andwhetheritsellspersonaldatatodatabrokers). 333. Compareid.§8(4)(“Thecontrollermustmaketheriskassessmentavailabletotheattorneygeneraluponrequest.Riskassessmentsareconfidentialandexemptfrompublicinspectionandcopying.”),withGDPR,supranote7,art.35¶7(“Datapro-tectionimpactassessment.”). 334. Washington Privacy Act, H.R. 5376, 66th Leg., Reg. Sess. §§ 6(7), (14)(1)(Wash.2019)(“Aconsumermustnotbesubjecttoadecisionbasedsolelyonprofilingwhichproduceslegaleffectsconcerningsuchconsumerorsimilarlysignificantlyaf-fectstheconsumer...Controllersusingfacialrecognitionforprofilingmustemploymeaningful human review prior to making final decisions based on such profilingwheresuchfinaldecisionsproducelegaleffectsconcerningconsumersorsimilarlysig-nificanteffectsconcerningconsumers.”). 335. Microsoft Corporation (MSFT), YAHOO FIN. (Jan. 17, 2021), https://finance.yahoo.com/quote/MSFT/[https://perma.cc/K68U-3STV](showingMicrosoft’smar-ketcapitalizationasofJanuary17,2021,as$1.608trillion).
2021] CATALYZINGPRIVACY 1789
theGDPRworldwide.336Withover451,000employeesinthestate,thecompanyhasasignificantvoice inWashington.337Thecompanyac-tivelypromotedadoptionoftheWashingtonstatute;MicrosoftPresi-dentBradSmithdescribeditas“build[ing]onthebestaspectsofap-proaches elsewhere.”338 In introducing the bill, Washington ChiefPrivacyOfficerAlexAlbentellinglyexplainedthat“companiesthatal-ready complywithEurope’sGeneralDataProtectionRegulation ...shouldn’thaveahardtimecomplyingwiththeproposedlawinWash-ington.”339
TheBrusselsEffectonMicrosoftmaythusbedrivingittopushforstateprivacy legislationthatmorecloselymapsonto theGDPRandthereforedoesnotraiseregulatorycostsforMicrosoft—butmayraiseregulatorycostsfornon-GDPR-compliantlocalcompetitors.Mi-crosoftalsogainsbyassuringusersthattheirinformationiswell-pro-tected,withlegalsanctionsforfailures.
After sailing through the state senate by a vote of 46-1,340 theWashingtonbillfounderedamidcontroversyin2019.Afterportionsof the original legislation were stripped out, the state ACLU and
336. JulieBrill,Microsoft’sCommitmenttoGDPR,PrivacyandPuttingCustomersinControl of Their Own Data, MICROSOFT ON ISSUES (May 21, 2018), https://blogs.microsoft.com/on-the-issues/2018/05/21/microsofts-commitment-to-gdpr-privacy-and-putting-customers-in-control-of-their-own-data [https://perma.cc/P5D2-TZZ8](“That’swhytodayweareannouncingthatwewillextendtherightsthatareattheheartofGDPRtoallofourconsumercustomersworldwide.KnownasDataSubjectRights,theyincludetherighttoknowwhatdatawecollectaboutyou,tocorrectthatdata,todeleteitandeventotakeitsomewhereelse.”). 337. MonicaNickelsburg,AmazonSurpassesMicrosoftinNumberofSeattleRegionEmployeesAmidBigGrowthPlansAcrossUS,GEEKWIRE(Sept.9,2019),https://www.geekwire.com/2019/amazon-surpasses-microsoft-number-seattle-region-employees-amid-big-growth-plans-across-us[https://perma.cc/6RZT-AG7L]. 338. BradSmith,NextGenerationWashington:OurPrioritiesfor2019,MICROSOFTON ISSUES (Feb. 11, 2019), https://blogs.microsoft.com/on-the-issues/2019/02/11/next-generation-washington-our-priorities-for-2019[https://perma.cc/M3MR-VZEM]; Wendy Davis,Microsoft Endorses Washington State Proposed Privacy Bill,MEDIAPOST: DIGIT. NEWS DAILY (Feb. 11, 2019), https://www.mediapost.com/publications/article/331814/microsoft-endorses-washington-state-proposed-priva.html[https://perma.cc/H36D-C7HJ]. 339. MonicaNickelsburg,WashingtonStateConsidersNewPrivacyLawToRegulateDataCollectionandFacialRecognitionTech,GEEKWIRE(Jan.22,2019),https://www.geekwire.com/2019/washington-state-considers-new-privacy-law-regulate-data-collection-facial-recognition-tech [https://perma.cc/JRL5-6ZJZ] (paraphrasing Al-ben’sremarks). 340. SenatePassesCarlyle’sWashingtonPrivacyAct,WASH.SENATEDEMOCRATS(Feb.14, 2020), https://senatedemocrats.wa.gov/carlyle/2020/02/14/senate-passes-carlyles-washington-privacy-act[https://perma.cc/TY6U-57MX].
1790 MINNESOTALAWREVIEW [105:1733
consumer advocacy organizations opposed the bill as too weak.341Criticsobjectedthatthebill’sdeparturefromelementsoftheGDPR,especiallyinitsenforcementmechanisms,wouldmakeitineffective;theyalsocomplainedthatindustrylobbyistshadtoomuchinfluenceoveralegislativeprocesstheyconsideredopaque.342Afterworkingtomendfenceswithprivacyadvocatesandexpandindustrysupport,thebill’ssponsorsreintroduceditin2020,withmostofthesamecorefea-tures,butagainfellshortattheendofthelegislativesession.343Mi-crosoft’schiefprivacyofficer,formerFTCcommissionerJulieBrill,344has signaled that the companywill continue to support legislationmodeledatleastlooselyontheGDPR,declaring,“Webelieveprivacyisafundamentalhumanright.”345
This story of theWashington Privacy Act displays the GDPR’sBrusselsEffectinaction.Butagain,italsounderscoresthepowerofindividualorcorporatenormentrepreneurs.AglobalcompanythatalreadycomplieswiththeGDPRhasgoodreasontowanttoimposecosts on its competitorswhile publicly promoting stronger privacyrightsforitsusersandthusenhancingtheirtrustinthatcompany.Inaddition, Brill, a former FTC commissionerwhowaswell regardedamongprivacyadvocates,appearstobedrivingtheagendaandbring-ingincompliancenormsfromaU.S.governmentagency.
341. CoalitionLetterinOppositiontoSB5378,ACLUWASH.(Apr.16,2019),https://www.aclu-wa.org/docs/coalition-letter-opposition-sb-5376[https://perma.cc/5UVT-8T23];WashingtonStatePrivacyBillFailsToAdvance;ConsumerReportsSaysWeak Bill Did Not ProvideMeaningful Protections, CONSUMERREPS.ADVOC. (Apr. 18,2019),https://advocacy.consumerreports.org/press_release/washington-state-privacy-bill-fails-to-advance-consumer-reports-says-weak-bill-did-not-provide-meaningful-protections[https://perma.cc/V6WS-AMH8];seealsoLucasRopek,WhyDid Washington State’s Privacy Legislation Collapse?, GOV. TECH. (Apr. 19, 2019),https://www.govtech.com/policy/Why-Did-Washington-States-Privacy-Legislation-Collapse.html[https://perma.cc/L6RK-C67U]. 342. Ropek,supranote255. 343. LucasRopek,WashingtonPrivacyLawOnceAgainFailsToMaterialize,GOV.TECH. (Mar. 13, 2020), https://www.govtech.com/policy/Washington-Privacy-Law-Once-Again-Fails-to-Materialize.html[https://perma.cc/JC9N-UC2G]. 344. Former Commissioners, FED.TRADECOMM’N, https://www.ftc.gov/about-ftc/biographies/former-commissioners[https://perma.cc/5F66-ZGDJ]. 345. SeeJulieBrill,TheNewWashingtonPrivacyActRaisestheBarforPrivacyintheUnitedStates,MICROSOFTON ISSUES (Jan.24,2020),https://blogs.microsoft.com/on-the-issues/2020/01/24/washington-privacy-act-protection[https://perma.cc/NA9L-VMAU]; JulieBrill,OurSupport forMeaningfulPrivacyProtectionThrough theWashingtonPrivacyAct,MICROSOFTONISSUES(Apr.29,2019),https://blogs.microsoft.com/on-the-issues/2019/04/29/our-support-for-meaningful-privacy-protection-through-the-washington-privacy-act[https://perma.cc/3TWA-GHYD].
2021] CATALYZINGPRIVACY 1791
Finally, theGDPRmaybeplayingan important framingrole inpolicydiscussions,acting torhetoricallynormalizeandgroundcur-rentconversationsarounddataprivacy.ThepublicityaccompanyingtheadventoftheGDPRmayhavestokedAmericanpublicinterestindataprivacy.TheGDPRmaybe leadingU.S. citizens—including theNorthDakotalegislatormentionedabove346—towonderwhyEUper-sonsgetstrongerprivacyrightsthanAmericans,andtoquestionthelongstandingnarrative that imposingdigital privacy regulationwillbreaktheInternetorotherwisekillinnovation.347
SomemaydoubtthesincerityofCaliforniaasaprivacyregulator.Dataprotectionrules,criticswillobserve,encumbersomeofitslead-ingcorporations.Theymayassumethatthesecorporationswillhob-bleanyrealregulatoryenforcementbythestate.ButCalifornia’secon-omyis farbiggerthanSiliconValleyalone.Ofcourse,diffusevoicesfarepoorlyagainstactorswithconcentratedinterests,asMancurOl-sonobserved.348ButMaryStoneRoss,AlastairMacTaggart,andoth-ersdemonstrated thatCalifornia’s initiativeprocesscouldbe lever-agedtotapintoawidelyshareddesiretoprotectprivacythatcouldovercome even concentrated industry opposition. Indeed, MacTag-gartandhisorganization led thesuccessfulcampaigntopassCCPArevisionsbyballotmeasure.349Thistime,however,MaryStoneRossopposed the ballotmeasure, arguing that “the initiativewould roll
346. Seesupranote244andaccompanyingtext. 347. ForadescriptionoftheroleofprivacylawintheriseofU.S.Internetcompa-nies,seeAnupamChander,HowLawMadeSiliconValley,63EMORYL.J.639,642(2014),whichstatesthat“legal innovations inthe1990sthatreduced liabilityconcerns forInternetintermediaries,coupledwithlowprivacyprotections,createdalegalecosys-temthatprovedfertileforthenewenterprisesofwhatcametobeknownasWeb2.0.” 348. MANCUROLSON,THELOGICOFCOLLECTIVEACTION:PUBLICGOODSANDTHETHEORYOFGROUPS2(1965)(“[U]nlessthenumberofindividualsinagroupisquitesmall,orunlessthereiscoercionorsomeotherspecialdevicetomakeindividualsactintheircommoninterest,rational,self-interestedindividualswillnotacttoachievetheircom-monorgroupinterests.”). 349. SeeAllisonGrande,What’satStakeasCalif.PrivacyLawRevampGoestoVot-ers,LAW360(Oct.23,2020,9:12PM),https://www.law360.com/articles/1313938/what-s-at-stake-as-calif-privacy-law-revamp-goes-to-voters [https://perma.cc/RBL8-JNAK]; Sidney Fussell,One ClearMessage from Voters This Election?More Privacy,WIRED (Nov. 4, 2020, 8:26 PM), https://www.wired.com/story/one-clear-message-voters-election-more-privacy[https://perma.cc/7N4A-RE3E].
ForthefulltextoftheCaliforniaPrivacyRightsandEnforcementActof2020,seeTheCaliforniaPrivacyRightsActof2020,CAL.DEP’TJUST.(Nov.4,2020),https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf[https://perma.cc/CWP9-C85F].
1792 MINNESOTALAWREVIEW [105:1733
backtheCCPA’sprotectionsandweakencoredefinitionsofthelaw,whilemakingthebiggestcompaniesevenmorepowerful.”350
VogelarguesthattheCaliforniaEffectrequiresthat“nonstateac-torsinrichandpowerfulpoliticaljurisdictionspreferstrongerregu-latorystandards.”351Content-based industriesbased inLosAngeleshavelongcomplainedthatSiliconValleyenterprisesareinsufficientlyattentive to intellectual property claims. The CCPA’s principal au-thors352bothrepresentdistrictsborderingLosAngeles.353ManySili-conValleyenterprisesthemselvessupportdataprivacylaw,thoughsomesuggestthatthesupportisastrategicefforttoundermineCali-fornia’sprivacylawwithaweaker,preemptivefederallaw.354ThereisareasonforresponsibleSiliconValleyenterprisestoembracepri-vacylaw.SiliconValleyenterprisesdependonusers’confidencethatrevealingmoreandmoreofthemselvestotheirelectronicassistantswillnotcreateprivacyrisks.Companiesthatviolatethattrustunder-minetrustforothercompaniesaswell.355Ultimately,whetherCalifor-niansorthoseoutsidethestatetrustthestate’sprivacyregulatorswilldependontheirperformance.356
There aremanymore individual norm entrepreneurs atworkhere in the spread of the CCPA to other states, and the federal re-sponsetoit,thanwehavethusfarallowed.Asmentionedabove,theUniformLawCommission’snewprojecttodraftmodelstatelegisla-tionrepresentsoneofthemostformalsuchnetworks:commissionersfromeverystateconsciouslyseektoreplicatesuccessfulinnovationsacross state boundaries in a uniform way. Individual federal
350. Grande,supranote349. 351. VOGEL,supranote45,at268. 352. Assemblymember Ed Chau and Senator Robert Hertzberg introduced theCCPA.IssieLapowsky,CaliforniaUnanimouslyPassesHistoricPrivacyBill,WIRED(June28, 2018, 5:57 PM), https://www.wired.com/story/california-unanimously-passes-historic-privacy-bill[https://perma.cc/LPW2-CW6B]. 353. Chau represents the 49th Assembly District and Hertzberg represents the18thSenateDistrict.EDCHAU,https://a49.asmdc.org[https://perma.cc/NBG3-GUY9];SENATOR ROBERT HERTZBERG, https://sd18.senate.ca.gov [https://perma.cc/Q4SK-9DYQ]. 354. RussellBrandom,TimCookWantsaFederalPrivacyLaw—butSoDoFacebookandGoogle,VERGE(Oct.24,2018,4:12PM),https://www.theverge.com/2018/10/24/18018686/tim-cook-apple-privacy-law-facebook-google-gdpr[https://perma.cc/QDP5-3NH5]. 355. SeeAriEzraWaldman,PrivacyasTrust:SharingPersonalInformationinaNet-workedWorld,69U.MIA.L.REV.559,598(2015);seealsoBalkin,supranote137;Rich-ards&Hartzog,supranote284,at435. 356. Cf. Ann E. Carlson, Regulatory Capacity and State Environmental Leader-ship:California’sClimatePolicy,24FORDHAMENV’TL.REV.63,65–66(2012)(describingsuccessofCalifornia’senvironmentalpolicyagency).
2021] CATALYZINGPRIVACY 1793
representativesarecatalystsforchange.SenatorWyden,forexample,hasbeenaprivacyadvocateforyearsandmaybetakingadvantageofcurrentdynamicstopushforchangestofederallaw.357CivilsocietygroupssuchastheCenterforDemocracyandTechnologyhavepro-posed discussion legislation in hopes of influencing the federal de-bate.358TheNorthDakotalegislatorwhowatchedaGDPRdocumen-tary,too,canbecharacterizedasanormentrepreneur.DavidHoffmanatIntelCorporation,characterizedasalongtime“industryleaderonprivacy,” developed a draft federal proposal that Intel released forcomments.359Thesestorieslikelyrepresentthetipofaverylargeice-bergofindividualsandknowledgenetworksworkingtoharnessex-istingforcestopropagatenewlaw.
This suggests the early growth of what we call “catalysis net-works.”PaulSchwartzhasnotedtheexistenceof“harmonizationnet-works”(atermcoinedbyAnne-MarieSlaughter)inprivacylaw—net-works of “regulators in different countries [who]work together toharmonize or otherwise adjust different kinds of domestic law.”360WhatweareseeinghereisnotsolelyattemptsbyvariousactorstoharmonizeU.S.andEUlawontheground(althoughitiscertainlyintheinterestofglobalcompaniestominimizedisparities).Wepredictthatweareseeingtheemergenceofbothindividualsandnetworkstaking advantage of themoment to drive both broader geographiccoverageandperhapsnewformsoflaw.
Inoneversionofthisstory,theCCPAbecomesnotjustacatalystbutafloorofprotectionnationwide.Therearecertainlyplentyofrea-sonstobelievethismightbethecase.Thatsaid,weturnnowtosev-eralpotentiallimitsonCaliforniancatalysis.
D. CONSTRAINTSONCALIFORNIANCATALYSISThereareat leastthreepossibleconstraintsonthenationwide
spreadofCCPA-likeprivacy law.First, thecomplexrelationshipbe-tweenstateandfederalsovereigntyintheU.S.constitutionalorderin-teractssubstantiallywiththeabilityofstatelawsliketheCCPAtoop-erateor spreadnationally.Both thedormant commerce clauseand
357. SeeSaraMorrison,TheYearWeGaveUponPrivacy,VOX(Dec.23,2020,8:00AM),https://www.vox.com/recode/22189727/2020-pandemic-ruined-digital-privacy;Kerry,supranote266. 358. CDT’s Privacy Legislation, CTR. FOR DEMOCRACY & TECH., https://cdt.org/campaign/federal-privacy-legislation[https://perma.cc/4AZG-K8EF]. 359. Kerry,supranote266. 360. PaulM.Schwartz,TheEU-U.S.PrivacyCollision:ATurntoInstitutionsandPro-cedures,126HARV.L.REV.1966,1967(2013).
1794 MINNESOTALAWREVIEW [105:1733
potentialfederalpreemptionofstatelawcouldlimitthereachofstatelawandthecatalyticeffectoftheCCPA.361Second,whileitisbeyondthescopeofthisArticletoaddresstheseargumentsatlength,recentFirstAmendmentdoctrinemaycreateproblemsfortheCCPAandsim-ilarlaws.362Finally,wenotethepossibilitythatnewmodels,notablyincluding“trust”or“fiduciary”concepts,maytakerootandout-raceboththeGDPRandtheCCPAtobecomethedominantcatalystfornewprivacylaw.
1. TheDormantCommerceClauseBecause Internet regulation inevitablyspillsover jurisdictional
lines,thedormantcommerceclauseplaysanimportantroleindisci-plining any individual state’s Internet regulation. As the SupremeCourt has explained, “By prohibiting States from discriminatingagainstorimposingexcessiveburdensoninterstatecommercewith-outcongressionalapproval,[thedormantcommerceclause]strikesatone of the chief evils that led to the adoption of the Constitution,namely, state tariffs and other laws that burdened interstate com-merce.”363
Thedormantcommerceclauseimposestwoseparateconditionsonregulatoryspillovers:(1)theregulationatissuemustnotdiscrim-inateagainstinterstatecommerce,364and(2)itmustnotimposeex-cessiveburdenson interstatecommerce.365TheSupremeCourthasofferedageneralprinciple:“Where[a]statuteregulateseven-hand-edlytoeffectuatealegitimatelocalpublicinterest,anditseffectsoninterstatecommerceareonlyincidental,itwillbeupheldunlesstheburdenimposedonsuchcommerceisclearlyexcessiveinrelationtotheputativelocalbenefits.”366
361. Oneof theauthorsof thisArticlehasspoken toattorneyswhoarealreadyplanningtochallengetheCCPAunderthedormantcommerceclause. 362. ForanaccountofthewaysthattheFirstAmendmenthaslimitedU.S.privacylaw,seeChander&Lê,supranote137,at516–22. 363. ComptrolleroftheTreasuryv.Wynne,135S.Ct.1787,1794(2015). 364. Dep’tofRevenuev.Davis,553U.S.328,338(2008)(“Underthe...protocolfordormantCommerceClauseanalysis,weaskwhethera challenged lawdiscrimi-natesagainstinterstatecommerce.”). 365. Id.(“Adiscriminatorylawisvirtuallyperseinvalid,andwillsurviveonlyifitadvancesalegitimatelocalpurposethatcannotbeadequatelyservedbyreasonablenondiscriminatoryalternatives.”(citationsomitted)(internalquotationmarksomit-ted)). 366. Pikev.BruceChurch,Inc.,397U.S.137,142(1970).Afindingthatastatuteisdiscriminatorycould“beovercomebyashowingthattheStatehasnoothermeanstoadvancea legitimate localpurpose.”UnitedHaulersAss’nv.Oneida-HerkimerSolid
2021] CATALYZINGPRIVACY 1795
Early cases challenging state Internet regulation on commerceclausegroundsmetwithsomesuccess.Amongthefirstwasa1997decisioninAmericanLibraryAss’nv.Pataki,overturningaNewYorkstatute that prohibited the transmission of obscene content tomi-nors.367 Into the early twenty-first century, a number of courts fol-lowedtheleadofPatakiwhenevaluatingsimilarstatutes.368However,courts inothercontextshavedeparted fromPataki’sapproach,up-holding, for example, state anti-spam statutes against commerceclause challenges.369 A California appeals court “reject[ed] Pataki’sholdingthatanyStateregulationofInternetuseviolatesthedormantcommerceclause.”370
A federaldistrict court case fromCalifornia seemsparticularlyrelevant.ThatcaseconsideredadormantcommerceclausechallengetoanearlierCaliforniaprivacylaw.In2014,twoCaliforniansfiledaclassactionagainstOmniHotels,allegingaviolationoftheCaliforniaInvasionofPrivacyAct,a1967statutethatmakesitillegaltorecordaconversationwithoutconsentofbothparties.OmniHotelshadsetupitscallcenterinNebraskaandcompliedfullywithNebraskalaw.Ne-braskaoffered“anemployerfriendlylawthatexemptsbusinessfromstatewiretapstatutesandgivesemployerstherighttointercept,dis-closeandusee-mailsintheordinarycourseofbusiness.”371Omniar-guedthatpracticallyspeaking,tocomplywithCalifornialaw,itwouldhavetonotifyallcallerstoitscustomerserviceabouttherecording,notjustCalifornians,andthatthisconstitutedaperseviolationofthecommerceclause.372
WasteMgmt.Auth.,550U.S.330,338(2007)(citingMainev.Taylor,477U.S.131,138(1986)). 367. Am.Librs.Ass’nv.Pataki,969F.Supp.160,169(S.D.N.Y.1997)(“[T]heInter-netisoneofthoseareasofcommercethatmustbemarkedoffasanationalpreservetoprotectusers from inconsistent legislation that, taken to itsmostextreme, couldparalyzedevelopmentoftheInternetaltogether.”).Foracritiqueofthisdecision,seeJackL.Goldsmith&AlanO.Sykes,TheInternetandtheDormantCommerceClause,110YALEL.J.785,786–87(2001). 368. SeeACLUv. Johnson,194F.3d1149,1161 (10thCir.1999);PSINet, Inc. v.Chapman,362F.3d227(4thCir.2004);Am.BooksellersFound.v.Dean,342F.3d96,104(2dCir.2003);Se.BooksellersAss’nv.McMaster,282F.Supp.2d389,396(D.S.C.2003); Cyberspace Commc’ns, Inc. v. Engler, 142 F. Supp. 2d 827, 831 (E.D. Mich.2001). 369. Washingtonv.Heckel,24P.3d404,413(Wash.2001);Fergusonv.Friend-finders,Inc.,115Cal.Rptr.2d258,268–69(Ct.App.2002). 370. Ferguson,115Cal.Rptr.2dat265. 371. Adesv.OmniHotelsMgmt.Corp.,46F.Supp.3d999,1009–10(C.D.Cal.2014)(citationomitted). 372. Id.at1012(“Omniassertsthatbecausetheportabilityofmobilephonenum-bersmakesitunfeasibletodistinguishbetweenCalifornianandnon-Californiancalls,
1796 MINNESOTALAWREVIEW [105:1733
The court decided that the California lawdid not discriminateagainstout-of-stateprovidersandwentontoconsiderwhetherthestatuteundulyburdenedinterstatecommerce.373Itconcluded,“Over-all,theCourtfindsthattheinterestsofCaliforniaintheprivacyofitsconsumerswouldbeaffectedmorebytheapplicationofNebraskalawthanNebraska’spro-businessinterestswouldbeaffectedbytheap-plicationofCalifornialaw.”374 IfOmnihadprevailed,thenNebraskawouldhave,wittinglyornot,createdtheidealconditionsforaprivacyracetothebottom:locateyourcallcenterinNebraskaandignorepri-vacylawsintheotherjurisdictionswhereyourcallersreside.Thedis-trictcourt’srulingavoidedthatresult.
TheCCPAdoesnotappeartofaciallydiscriminateagainstinter-state commerce.375 The statute iswrittenbroadly to coverall busi-nessesthatdealwiththeprivateinformationofCaliforniaresidents,regardlessofwheretheyarelocated.AslongastheCaliforniaattorneygeneraldoesnotenforcethelawagainstforeigncompaniesinadis-criminatoryfashion,theCCPAwouldlikelysurviveatleastthisprongofthedoctrine.
Themorerealisticpotentialbasis forachallengewouldbe thecontentionthattheCCPAposesan“excessiveburden”on interstatecommerce.While it ispossiblethatenforcementoftheCCPAwouldoccur inamannerthat leadstosuchanexcessiveburden,a federalcourtmaywellconcludethattheimportantinterestsatstakejustifiedthe CCPA’s reasonable interventions across state lines.While busi-nesseswillcomplainofheightenedcompliancecosts(asOmnicom-plainedoftheCaliforniarecordinglaw),California’sinterestsinpro-tectingitsresidents’privacymaywelljustifythoseadditionalcosts(asthecourtconcludedintheOmnilitigation).376However,uncertaintymayyetdeterotherstatesfromfollowingtheCCPA’slead,atleastun-tilanycommerceclausechallengeisresolved.
compliancewith§632.7wouldforceOmnitowarnallcallers,eventhosefromsingle-consentstates,thattheycouldberecorded.”). 373. Id. 374. Id. 375. AstheSupremeCourthasexplainedthisaspectofdormantcommerceclausedoctrine,“‘discrimination’simplymeansdifferentialtreatmentofin-stateandout-of-stateeconomicintereststhatbenefitstheformerandburdensthelatter.”UnitedHaul-ersAss’nv.Oneida-HerkimerSolidWasteMgmt.Auth.,550U.S.330,338–39(2007)(quotingOr.WasteSys.v.Dep’tofEnv’tQuality,511U.S.93,99(1994)). 376. OmniHotelsMgmt.Corp.,46F.Supp.3dat1015.
2021] CATALYZINGPRIVACY 1797
2. PreemptionTheCCPA could face another federalism-based challenge to its
catalyticeffectonotherstates,comingnotfromthecourtsbutfromCongress.Statelawsmaybepreemptedwhencompliancewithbothstateandfederalmandatesisimpossible,andthustheintroductionofacomprehensivefederalprivacylawcouldleadtopreemptionofpartoralloftheCCPA.377Inmanydomains,Congresshasadoptedfederalstatutesthatexplicitlypreemptstatelawinthesamearea,thusestab-lishinguniformnationalstandardsonatopic.378AnewfederalstatutewithanexpresspreemptionclausewouldunraveltheCCPAandanypotentialimitatorsatthestatelevel.Thesuddensupportofmanyin-dustrygroupsforfederalprivacylawislikelymotivatedbythedesireforjustthisoutcome.379
WhoshouldregulateprivacyintheUnitedStates?Shouldstatesregulate privacy, should the federal government, or should both?There are thoughtful arguments for federal preemption of stricterstateregulation,butweconcludethat,onbalance,thefederalgovern-mentshouldestablishanationalminimum,notanationalmaximum,for data privacy. This is what William Buzbee has called “floorpreemption,”allowingaone-wayratchetforstandards—upwards—acrosstheUnitedStates.380Infact,preemptionmaybetheissuethatkillsproposedfederaldataprivacylaw,aspowerfulCaliforniansandDemocrats line up against the industry and Republicans. HouseSpeakerNancyPelosihasvowednottosupportanyfederalprivacylaw that provides fewer protections than the CCPA or indeed thatpreemptsstatelawatall.381However,industrywillbelessinterestedinanyfederallawifitwouldnotsupersedetheCCPA.
377. SeeFla.Lime&AvocadoGrowers,Inc.v.Paul,373U.S.132,142–43(1963). 378. See,e.g.,17U.S.C.§301(federalpreemptionprovisionoftheCopyrightActof1976);21U.S.C. §343-1 (preemptingstate lawconcerning food labeling);29U.S.C.§1144 (federal preemption provision of ERISA). See generally S. Candice Hoke,PreemptionPathologiesandCivicRepublicanValues,71B.U.L.REV.685,700(1991). 379. Writingofthisdynamicinothercontexts,RoderickHillsJr.explainsthisap-parentcontradiction:“[F]ederalregulationfrequentlyresultsfromlobbyingeffortsbyindustryintereststhatopposeregulation.Theapparentparadoxofthisstatementdis-solveswhenonetakesintoaccountindustry’sdesireforuniformityofregulation.”Ro-derickM.Hills,Jr.,AgainstPreemption:HowFederalismCanImprovetheNationalLeg-islativeProcess,82N.Y.U.L.REV.1,20(2007). 380. WeborrowherethefederalregulationframeworksetoutbyWilliamBuzbee.WilliamBuzbee,AsymmetricalRegulation:Risk,Preemption,andtheFloor/CeilingDis-tinction,82N.Y.U.L.REV.1547,1549(2007). 381. Darius Tahir, Pelosi Puts Privacy Marker Down, POLITICO (Apr. 15, 2019,10:00 AM), https://www.politico.com/newsletters/morning-ehealth/2019/04/15/pelosi-puts-privacy-marker-down-424986[https://perma.cc/GJ39-7J9J](“‘We
1798 MINNESOTALAWREVIEW [105:1733
Therearevirtuesofasinglenationalstandard.382Anationalpri-vacylawwouldestablishuniformityacrosstheregion—ratherthanpromisinghigherorlowerprotectionsdependingonwhereapersonisorwheretheirdataisprocessedorheld.383Itwouldfacilitatedataflowsacrossstateborderswithoutrequiringlegalreviewofthelawsofmultiplejurisdictions.Itwouldavoidthepossibilityofinconsistentmandatessuchasinconsistentnoticerequirements.Compliancecostslikelywouldgodownwithonlyonelegalstandard.
Buta federalpreemptionceiling raises substantial concerns. Itrisksestablishingaminimallevelofprivacy—onelowerthanthatastatesuchasCaliforniacouldhavedemanded.Second,itmayreduceexistingenforcementcapacityandexpertisebysideliningstateattor-neysgeneralwhocurrentlyengageinsignificantenforcementofdataprivacyanddatasecuritylaw.384Stateshavealonghistoryofregulat-ingprivacy,muchofitdevelopedthroughthecommonlaw.385AsPe-terSwirehasdocumented,existingfederalprivacylegislationgener-allyservesasaregulatoryfloor,notaceiling,includingsector-specificpreemptionprovisionsadoptedsincethemid-1990s.386ThisreflectswhatBuzbeeobserves,that“[i]nmostareasfocusedonregulationofrisks...suchasdiscriminationandeffortstoenhancepublicwelfarethroughregulationofenvironmental,occupational,andproductrisks,theprotective‘onewayratchet’offloorpreemption...hasbeenthe
cannot accept anything—for example, the Republicans would want preemption ofstatelaw.Well,that’sjustnotgoingtohappen,’[Pelosi]said.‘WeinCaliforniaarenotgoingtosay,“YoupassalawthatweakenswhatwedidinCalifornia.”Thatwon’thap-pen.’”). 382. SeeSchwartz,supranote76,at423–27;PatriciaL.Bellia,FederalizationinIn-formationPrivacyLaw,118YALEL.J.868,890–99(2009). 383. Bellia,supranote382,at897. 384. Citron,supranote87,at798–99(observingimportantroleofstatesinprivacyprotection).Toavoidthisproblem,anyfederalpreemptioncouldexpresslyretainanenforcement role for state attorneys general. See Peter Swire, US Federal PrivacyPreemptionPart2:ExaminingPreemptionProposals,IAPP(Jan.10,2019),https://iapp.org/news/a/us-federal-privacy-preemption-part-2-examining-preemption-proposals[https://perma.cc/KQS5-KUV4]. 385. SeeWilliamL.Prosser,Privacy,48CALIF.L.REV.383,386–87(1960). 386. PeterSwire,USFederalPrivacyPreemptionPart1:HistoryofFederalPreemp-tion of Stricter State Laws, IAPP (Jan. 9, 2019), https://iapp.org/news/a/us-federal-privacy-preemption-part-1-history-of-federal-preemption-of-stricter-state-laws[https://perma.cc/R3WR-KF8C].BothHIPAAandGINAserveasfloorsforstateregu-lation,notceilings.See45C.F.R.§§160.203–.205(2019)(HIPAA);GeneticInformationNondiscriminationAct of 2008,Pub. L.No. 110-233, §2(5), 122Stat. 881, 882–83.WhiletheFairCreditReportingActpreemptssomecausesofaction,itpermitsstatestoregulateidentitytheft.SeeFairCreditReportingAct,15U.S.C.§1681t(a).
2021] CATALYZINGPRIVACY 1799
legislative and regulatory norm.”387 Most importantly, a federalpreemptionceilingriskslosingtheregulatoryinnovationthatcontin-uedstatelegislationintheareamightsupply.388
Newfederalprivacylawcouldprovideanationwidefloor,per-mittingstatestointerveneonlytotheextentthattheyraiseprivacystandardsfurther.Thisallowsforstateinnovationsandexperimenta-tion.WritingofanearliernarrowCalifornialawthatpermitsminorstodeletecertaininformationtheyuploadedtoInternetsites,HeatherGerken and James Dawson argue that “[i]f the experiment provesworkable,California’s‘eraser’lawmayserveasamodelforfuturereg-ulation;iftheexperimentfails,policy-makerswillbeallthewiser.”389Ofcourse,anationalfloorsacrificestheuniformityofasinglenationalstandard, increasingcompliancecosts.But if any stateoffersa too-strictprivacyrule—onethatistoodifficulttocomplywithgivenitsbusinessmodel—acorporationmightsimplyrefusetoprovideittherelevantproductorservice.
Yet an additional option, raised previously by Paul Schwartz,mightbeaCleanAirActmodelfordataprivacy:Congresscoulddes-ignateCaliforniaasakindofsuperregulator,grantingittheexclusiveright todeviateupwards from the federalprivacystandard.390ThiswouldallowCaliforniaalonetheopportunitytoinnovateintheareaand permit other states to choose either California’s or the federalgovernment’srules. Itwouldlowerregulatorycompliancecostsbutpreservesomeroomforupwardregulation.However,itwouldforegothepossibilityofexperimentationinotherstates,whichmightregu-latedifferently,moreclearly,ormorestringently thanCalifornia.391Forexample,thisapproachcoulddestroytheprospectofanew“trust”model emerging from legislation such as the bill proposed in NewYork.392
Regulatinginthefaceofsubstantialuncertaintywillrequiready-namicapproach.Becauseofthepaceofchangeindatagatheringandprocessing, informationprivacy is a study in surprising turns.Datacanbeusedinunexpectedways;itsbenefitsanddrawbacksareyetto
387. Buzbee,supranote380,at1552. 388. SeeSchwartz,supranote76,at917(describingstatesas“laboratoriesforin-novationsininformationprivacylaw”). 389. HeatherK.Gerken&JamesT.Dawson,LivingUnderSomeoneElse’sLaw,36DEMOCRACYJ.42,47(2015). 390. Schwartz,supranote76,at935(referencingAnnCarlson’sscholarship). 391. SeeVT.STAT.ANN.tit.9,§2453(2017);201MASS.CODEREGS.17(2009);OR.REV.STAT.§§646A.600–.628(2007). 392. Seesupranote217andaccompanyingtext.
1800 MINNESOTALAWREVIEW [105:1733
befullydiscovered.Thelasthandfulofyearshavebroughtustrackingpixels,facialrecognition,deepfakes,robotdogs,andevenomnipres-entsatellites.393Ifafederalbillossifiestherules,wemaynotbeabletogeneratetheregulationsneededforyetmoresurprisingturns.Ofcourse, the federalgovernment iscapableofmoreagileversionsofgovernance such as collaborative governanceor responsive regula-tion,includingthrougharegulatoryagencyliketheFTC.394
Ifafederallawpreemptsstateinformationprivacylaw,theCCPAmightbelosttohistory,amerefootnoteinthecenturiesofevolutionofprivacylaw.Yetwebelieveitwouldstillhaveservedacriticalrole:promptinganomnibusfederalprivacylawforthefirsttimesincethedawnoftheInternetage.AsGerkenandDawsonobserve,“Bycreatingaspillover,asingleinnovativestatecanputanitemonthenationalagendaevenifnearlyeveryoneelse—Congress,interestgroups,andotherstates—wouldpreferthattheissuegoaway.”395Thiswouldbeasignificantandlong-lastingCaliforniaEffect,indeed.
3. TheFirstAmendmentAnotherpotentialconstraintontheenactmentofstateandfed-
erallaws,andindeedthesurvivaloftheCCPA,istheFirstAmendment.DiscussedaboveinthecontextofthedifferingregulatorysettingsoftheEuropeanUnionandUnitedStates,theFirstAmendmentpoten-tiallyposesconstraintsondraftersofU.S.privacylaw.Whilein-depthcoverage of these constraints—and their limitations—is outside ofthisArticle’sscope,weoutlineafewbasicconceptshere.
393. ClareGarvie,AlvaroBedoya&JonathanFrankle,ThePerpetualLine-Up:Un-regulated Police Face Recognition in America, GEO.L.CTR. ONPRIV.&TECH. (Oct. 18,2016), https://www.perpetuallineup.org [https://perma.cc/RB45-VME5]; Ry Crist,Yes,theRobotDogAteYourPrivacy,CNET(June28,2019,8:21AM),https://www.cnet.com/news/yes-the-robot-dog-ate-your-privacy[https://perma.cc/ZZT8-W3CK];ChristopherBeam,Soon,SatellitesWillBeAbleToWatchYouEverywhereAlltheTime,TECH.REV.(June26,2019,8:21AM),https://www.technologyreview.com/s/613748/satellites-threaten-privacy[https://perma.cc/2BAY-PCNT]. 394. CharlesSabelandhiscoauthorsargueforthevirtueofa“rolling-ruleregime”where“regulatorsusereportsonproposalsandoutcomestoperiodicallyreformulateminimumperformancestandards,desirable targets, andpaths formoving from theformertothelatter.”CharlesSabel,ArchonFung&BradleyKarkkainen,BeyondBack-yardEnvironmentalism,24BOS.REV.4,4(1999).Forotheragilegovernancemodels,seeDennisD.Hirsch,GoingDutch?CollaborativeDutchPrivacyRegulationandtheLes-sonsItHoldsforU.S.PrivacyLaw,2013MICH.ST.L.REV.83,151–60;McGeveran,supranote20,at979–85;andLaurenE.Willis,Performance-BasedConsumerLaw,83U.CHI.L.REV.1309,1330–35(2015). 395. Gerken&Dawson,supranote389,at46.
2021] CATALYZINGPRIVACY 1801
TheFirstAmendmentprotectsfreedomofspeech.Italsoprotectsexpressiveactivity(speechmixedwithaction)andpenumbralactivitynecessaryforspeechtotakeplace(suchastheplacementofnewspa-perkioskstodistributenewspapersorthepurchaseofpenandpa-per).396AseriesofFirstAmendmentcasesonpublicrecordsestab-lished significant limitations on laws restricting the distribution oflawfullyobtained information.397Morerecently, theSupremeCourtappliedtheFirstAmendmenttofindunconstitutionalaVermontlawregulatingthesaleofprescriptiondruguserdata.398Andin2018,theSupremeCourtfoundunconstitutionalaseriesofdisclosurerequire-mentsaimedatprotectingpatientsfrompro-lifeorganizationsposingasabortionprovidersinadecisionthatcouldhaveconsequencesforotherdisclosure-basedconsumerprotectionregimes.399
Recently,theexpansivecoverageandprotectionofFirstAmend-ment doctrine has led some to decry its potential deregulatory ef-fects.400Ontheotherhand,privacyscholarshavenotedthattheFirstAmendmentalsoprovidesarguments foreffectiveprivacy law,asalackofprivacycanchillfreeexpression.401Commentatorsdisagreeon
396. SeeMargotE.Kaminski,PrivacyandtheRightToRecord,97B.U.L.REV.167,189(2017). 397. CoxBroad.Corp.v.Cohn,420U.S.469,493–95(1975);seealsoVolokh,supranote137,at1116–17. 398. Sorrellv.IMSHealth,Inc.,564U.S.552(2011);seeChander,supranote137(arguingthatSorrelldemonstrates“theseriousnessofFirstAmendmentconstraintsonprivacyregulationsoninformationintermediaries”).CasessuchasFloridaStarv.B.J.F.,491U.S.524(1989),CoxBroadcastingCorp.,420U.S.469,andSmithv.DailyMailPublishing,443U.S.97(1979),canbereadtostandfortheprinciplethatonceinfor-mationislegallydistributed,governmentcannotrestrictitsuseabsentstateinterestofthehighestorder.However,anumberofscholarsarguethatprivacylawscanpassFirstAmendmentmuster.Balkin,supranote137,at1189.ButseeVolokh,supranote137,at1051. 399. SeeAmyHowe,OpinionAnalysis:DividedCourtRulesforAnti-AbortionPreg-nancyCenters inChallengetoCaliforniaLaw,SCOTUSBLOG(June26,2018,4:02PM),https://www.scotusblog.com/2018/06/opinion-analysis-divided-court-rules-for-anti-abortion-pregnancy-centers-in-challenge-to-california-law[https://perma.cc/Q7WJ-VFZB]. 400. See Shanor, supra note 185, at 133;MARY ANNE FRANKS, THE CULT OF THECONSTITUTION105(2019). 401. See,e.g.,MarcJonathanBlitz,ConstitutionalSafeguardsforSilentExperimentsinLiving:Libraries,theRightToRead,andaFirstAmendmentTheoryforanUnaccom-paniedRightToReceiveInformation,74UMKCL.REV.799,800(2006);JulieE.Cohen,ARightToReadAnonymously:ACloserLookat“CopyrightManagement”inCyberspace,28CONN.L.REV.981,1003–19(1996);NeilM.Richards,IntellectualPrivacy,87TEX.L.REV.387,393–94(2008);MargotE.Kaminski&ShaneWitnov,TheConformingEffect:FirstAmendmentImplicationsofSurveillance,BeyondChillingSpeech,49U.RICH.L.REV.465, 467 (2015); Skinner-Thompson, supra note 185; Anupam Chander, Youthful
1802 MINNESOTALAWREVIEW [105:1733
howmuchofdataprivacylawmightsurviveFirstAmendmentchal-lenges.402Throughcourtchallengesorthroughitsexpandingculturalpenumbra,theFirstAmendmentmaychillthespreadoftheCCPA.
CONCLUSIONWhatdoesallofthismeanforourprivacy?Theendresultofthe
racebetweentheGDPRandtheCCPAmaywellbeahybridofboth.Thede factoprivacy lawgoverningglobal corporationsmaybe thestrictest aspectsofbothCalifornia andEuropean law—a figurative,butnotliteral,highestcommondenominator.403ThankstoaBrusselsEffect, some largeglobalenterpriseswouldadhere toGDPRnorms.ButthankstoaCaliforniaEffectinoneofthevariousformswehavedescribed,thatstatewouldhaveoutsizedinfluenceonthesubstanceofU.S.privacylaw—asAlastairMactaggarthasboasted,“Under[theCCPA],theattorneygeneralofCaliforniawillbecomethechiefprivacyofficeroftheUnitedStatesofAmerica.”404Manycorporationswillfindthemselves comporting with both regimes simultaneously, ratherthanconfiguring their servicesorofferingsby jurisdiction.Call thishybridthe“CDPR”—theCCPA+theGDPR.
Butthisdefactorealityonlygoessofar.Thoseoutsideeitherju-risdictionwillnotbeabletoassertthoserightsdirectlywitheitherregulatorsorcourts.Bothregimesgrantindividualrightsonlytotheirown residents. For example, themuch-embattled facial recognitioncompanyClearviewprovidesonlyCaliforniansandEuropeanUnionresidentstheopportunitytooptout.405
WepredictthatwithintheUnitedStates,theCCPAwillyetcon-tinue to drive both businesses and legislatures. The CCPA, both defactoanddejure,willlikelycallthetuneforthemarchofanewAmer-icandataprivacyspreadingtootherjurisdictions.California,notBrus-sels,hasemergedasthesuperregulatorofU.S.privacylaw.
IndiscretioninanInternetAge,inTHEOFFENSIVEINTERNET124,134(SaulLevmore&MarthaNussbaumeds.,2010). 402. Forasamplingofthisextensivedebate,seeJaneBambauer,IsDataSpeech?,66STAN.L.REV.57,60–61(2014);Richards,supranote137,at1521–22;andVolokh,supranote137,at1050–51. 403. Amoremathematicalanalogymightbetwocurvesmappingoutvariousis-suesonthexaxiswithybeingthelevelofstrictnessforeachissue,resultinginathirdoperationalcurveconsistingofthehighestpeaksbetweenthetwocurves. 404. Confessore,supranote295. 405. Privacy Request Forms,CLEARVIEW.AI, https://clearview.ai/privacy/requests[https://perma.cc/BU9L-8MG7] (including a separate reference to the UK necessi-tatedbyBrexit).
Top Related