Federalism seems like it should be a fairly straightforward concept: states set public policy that affects their state alone, while the federal government handles policy choices that transcend state borders.
Most states, generally speaking, are able to grasp this concept. Most states except for California, that is. The Golden State’s recent passage of the California Consumer Privacy Act (CCPA) is the latest in a series of moves by California legislators seeking to effectively dictate national policy. That’s a problem for more than just constitutional scholars — it risks businesses and individuals being forced to navigate overlapping and often conflicting laws that creates compliance burdens and harms economic growth.
The CCPA is possibly California’s most significant breach of the federalist structure to date. Modeled after the European Union’s General Data Protection Regulation (GDPR), the CCPA imposes burdensome regulations on what businesses can do with the data they collect from consumers online.
The problem is that most businesses with online operations are generally active beyond the borders of California as well. And the threshold for needing to comply with the CCPA — buying, receiving, sharing, or selling the data of at least 50,000 Californians, or .18 percent of the state’s adult population — is low enough that it would not be restricted to the large corporate entities with the resources to navigate confusing regulatory regimes. The Wall Street Journal estimates that 500,000 businesses nationwide meet that threshold, including “hundreds of thousands” of small- to medium-size businesses, many of which are located elsewhere in the country.
That kind of regulatory burden would weigh heavily on businesses. The California attorney general estimated that the CCPA would impose a staggering $55 billion in upfront costs on companies attempting to comply with the law, as well as an additional $16.5 billion in costs over the coming decade. And that’s only for the ones based in California!
This should come as no surprise to anyone who saw the fallout from the European Union’s GDPR law. Businesses, including many outside the EU, spent billions complying with it. Small- to medium-sized businesses were not exempt, with 74 percent spending over $100,000 on GDPR compliance. Unfortunately for these companies, the differences between GDPR and CCPA are significant enough that a business that is GDPR-compliant is not necessarily CCPA-compliant — as a result, many that just spent hundreds of thousands of dollars complying with the EU’s GDPR rule may have to do it all over again to comply with California’s CCPA.
Even if these enormous costs were worth it (hint: they’re not), California’s state government has no business whatsoever making that decision for the rest of the country. If Americans desire data privacy regulation, it should be Congress that enacts it.
California’s repeated disregard for the federalist structure of the Constitution poses a serious problem. It’s past time that either Congress or the courts remind the state that its authority should end at border’s edge.
Andrew Wilford (@PolicyWilford) is a policy analyst with the National Taxpayers Union Foundation, a nonprofit dedicated to fiscal policy analysis and education at all levels of government.
The views and opinions expressed in this commentary are those of the author and do not reflect the official position of The Daily Caller.