California Lawmakers vs. the Dormant Commerce Clause
With little activity from Congress about online privacy, California is taking matters into its own hands. Governor Jerry Brown recently signed a law that would require an “eraser button” for online information about teens. Another law adds log-in information to the scope of California’s data breach notification requirement. A third law requires websites to disclose how they respond to Do Not Track signals from browsers. Even more momentously, California’s Attorney General gave initial go-ahead for a 2014 ballot measure, the Personal Privacy Protection Act (PPPA), which would impose European-style restrictions on the sharing of personally identifying information online. But these measures are unlikely to stand up in court because, among other practical and legal problems, their requirements violate the dormant commerce clause.
The Commerce Clause is the authority for most of what the Federal government does, authorizing regulation of interstate and foreign commerce — things like the internet. The “dormant commerce clause” is the logical flipside: the mere fact that Congress has not chosen to regulate an aspect of interstate commerce does not mean the states can do so. States can issue regulations to protect their own citizens, but if those regulations impact commerce outside their borders, someone will probably sue — and a court will have to weigh that burden against the state’s interest in protecting its own citizens.
California’s History of Privacy Regulation
California has long been out in front on privacy regulation. In 2002, California became the first state to enact a breach notification law — and nearly all other states have followed suit: If a company suffers a certain kind of data breach, it must notify users. But these requirements work on a state-by-state basis: A company has to follow California’s rules only when notifying users who are California residents. Because the law defined “personal information” narrowly (name plus social security or driver’s license number, or financial account numbers), it is generally possible for a company to determine which users are actually California residents. So the burden on interstate commerce is minimal.
This year, California enacted Senate Bill 255, commonly referred to as its involuntary porn prohibition. The law criminalizes publication of any image containing an “intimate body part . . . of another identifiable person” that is taken “under circumstances where the parties agree or understand that the image shall remain private.” This law also would probably survive a dormant commerce clause challenge. The burden that the involuntary porn law imposes on interstate commerce is negligible or nonexistent because businesses do not have a legitimate commercial interest in publishing those images.
But California may be pushing these precedents too far. Courts will likely uphold only those online commerce regulations that are easy for website administrators to either limit to California users or satisfy without expending much time or money.
Dormant Commerce Clause and State Internet Regulations
In determining whether a law violates the dormant commerce clause, courts will balance the law’s burden on interstate commerce, including costs imposed on out-of-state businesses and consumers, against the “weight and nature” of the state’s interest in enforcing the law’s requirements.
To understand how courts go about this analysis, consider two relevant dormant commerce clause cases. In Southern Pacific Co. v. Arizona ex rel. Sullivan, the Supreme Court invalidated an Arizona railroad safety statute that limited the number of cars on a train. Because it was economically infeasible to shorten trains entering Arizona and reassemble them after exiting, Arizona’s statute effectively governed rail commerce in all states on that rail line. The Supreme Court reasoned that the statute’s burden on interstate commerce outweighed Arizona’s safety interest in shorter trains because the statute required railroads to make costly changes to their train length practices in other states. The statute was, therefore, unconstitutional under the dormant commerce clause.
More recently, several courts have relied on Southern Pacific Co. to strike down state internet regulations that effectively governed online commerce in all states. In a widely cited decision, American Libraries Association v. Pataki, a federal district court invalidated a New York law criminalizing online distribution of obscene content to minors. That court reasoned that for many out-of-state websites, compliance with New York’s law would not be “technologically or economically feasible” due to the inability to ascertain a user’s age and location. Concluding that New York’s health and safety rationale could not justify subjecting out-of-state websites to economically infeasible demands, the court held New York’s law unconstitutional.
California’s New Internet Privacy Laws
California’s new breach disclosure expansion, online eraser law, DNT requirements, and PPPA all would require many website administrators to dramatically alter their business practices in ways that are not “technologically or economically feasible,” much like the unconstitutional New York and Arizona statutes.
The original breach notification law has avoided a dormant commerce clause challenge because companies that collect enough personal information to trigger its requirements generally know which users are California residents and thus need to receive the notification required by California law. Such in-state regulations do not count towards a law’s out-of-state burden.
By contrast, the amendment just signed by Governor Brown compels companies to publicly disclose breaches even when the compromised data is much more generic, including log-in information. Because log-in information, by itself, provides no indication of a user’s state of residence, the law forces websites either to post embarrassing breach notifications prominently to their own pages, or to collect more information in order to distinguish between California or non-California users.
As Eric Goldman explains, the DNT requirements also impose heavy burdens by forcing websites to monitor changes in browser DNT signal conventions so the websites can detail how they respond to such signals. Meanwhile, the law gives browser developers broad latitude to define the conventions, making the continuing task of websites more complicated. The DNT requirements thus create costly time obligations for website administrators.
California’s PPPA imposes still more onerous burdens on out-of-state businesses by creating a state constitutional presumption that any personal information collected online is confidential and that data subjects suffer injury whenever information tied to them is shared without their consent. Even though websites regularly exchange web traffic statistics to facilitate ad relevance, refine marketing strategies, and improve consumer service in other ways, the PPPA would create nationwide liability for these actions. A website could escape liability only by obtaining each user’s consent every time the website wished to exchange the user’s data with another organization.
Though it is difficult to be sure without an explicit challenge, the fact that OPPA remains viable law indicates that courts might allow some burdens on online commerce so long as those burdens are minimal and readily implemented. However, as Southern Pacific Co. and Pataki demonstrate, there is a point at which a law’s out-of-state effects will become unconstitutionally burdensome on interstate commerce, even if the affected industry could theoretically survive while shouldering that burden.
The nationwide harms caused by California’s new wave of legislation seem much closer to those caused by the unconstitutional statutes in Southern Pacific Co. and Pataki than to the minimal inconveniences of OPPA. All of California’s new regulations impose new expenses that have the potential to cause websites and applications to close up shop due to inability to afford compliance costs—many online businesses operate on narrow profit margins that are extraordinarily sensitive to additional overhead.
Moreover, California’s new regulations compel the remaining websites to forgo certain practices—for example, the permissionless data-sharing that would be prohibited under the PPPA—or to affirmatively engage in others. OPPA, on the other hand, allows websites to continue operating as they always have so long as disclosures are available somewhere on the site—a critical distinction when one’s business depends on the practices in question.
Because California’s new legislation shares many of the same harms with the unconstitutional statutes in Southern Pacific Co. and Pataki, courts could well rule that they are similarly unconstitutional. Laws that would hamstring or shutter out-of-state businesses in pursuit of in-state policy preferences simply cannot survive the cost-benefit analysis required by our Constitution.