II. State and local data privacy regulation may violate the Dormant Commerce Clause

The internet knows no borders, and society is better for it. A patchwork of state privacy laws could put up barriers to the conduct of commerce and, in the process, the free flow of digital information as firms attempt to insulate themselves from exposure to particular regulatory regimes. Even if such laws initially appear consistent with one another, they will still likely fail the constitutional test of the Dormant Commerce Clause.

The Dormant Commerce Clause is a doctrine that the U.S. Supreme Court inferred from Article I of the Constitution, holding that state and local laws may not unduly burden commerce between the states, and thereby preventing states from regulating beyond their borders. The extent of this prohibition is a subject of constant debate, but, as articulated in the Court’s existing precedent, it encompasses both intentional impacts and incidental cross-jurisdictional impacts, provided the burden on commerce is clearly excessive compared to the claimed local benefits.18

A typical Dormant Commerce Clause analysis in the context of data transmission involves two steps:

Does the law in question explicitly discriminate against out-of-state actors? For example, does a consumer privacy law treat data obtained or processed by in-state companies differently than that from out-of-state companies? Such behavior would result in the law being per se invalid under the Dormant Commerce Clause. Even if a law does not facially preference in-state companies, it may still have a discriminatory impact on out-of-state parties. Do the in-state benefits of the law outweigh the burden on the out-of-state parties? This balancing test prevents a single state from imposing excessive costs beyond its borders while still recognizing that incidental impacts may occur in some cases.

Regulation of the internet is inherently cross-jurisdictional. The 2015 Open Internet Order, promulgated by the Federal Communications Commission, for example, declared that the internet is inherently an interstate service.19 Such reasoning is straight-forward: data transmissions do not obey borders and a single online action can involve multiple states even if it involves only a single individual. On this basis, state laws purporting to regulate the internet should — as a matter of course — trigger Dormant Commerce Clause scrutiny.

Precedent concerning state laws intended to regulate the transmission of information online resulted in courts finding that such regulations violate the Dormant Commerce Clause due to their extraterritorial impact and inability to distinguish between intrastate and interstate activities online. For example, in the 1959 case Bibb v. Navajo Freight Lines, the Supreme Court struck down an Illinois law that required the use of a particular type of mudguard on freight trucks driven through the state.20 The Court found that a law which would require truckers to stop and change their guards at a state’s border was an unconstitutional burden on interstate commerce even if facially nondiscriminatory against out-of-state transporters.21

When it comes to the internet, the extraterritorial nature of interactions makes such analysis and concerns even more relevant. If it is an unconstitutionally large burden to demand truckers to change mudguards at a state’s border, levying requirements on online activities to be similarly tailored, given the quantity of content and number of interactions, must be met with extreme scrutiny. Thus, understandably, lower courts have previously recognized this in the online context.

For example, in American Library Association v. Pataki, the federal district court for the Southern District of New York found a New York state law that prevented the dissemination of certain material to minors violated the Dormant Commerce Clause, noting that such regulation of online content could subject those who operate entirely outside the state to state law.22 The court also noted that the internet was an area for federal action in which inconsistent state regulation risked walling off the potential benefits of innovation.23 That decision is no outlier. Throughout the early 2000s, three different federal circuit courts and two additional federal district courts similarly ruled that state online dissemination laws unduly affected interstate commerce and were unconstitutional.24 The impact of comprehensive data privacy regulations at a state and local level is even larger than the dissemination laws and the potential benefits of such laws are even more difficult to determine. And, even with advances in technology, these concerns and impacts still exist.

State data privacy laws akin to the CCPA in scope would similarly disrupt cross-border data exchanges, particularly commercial exchanges, when enacted by populous states. Consider that a business becomes subject to the heavy compliance requirements of the CCPA merely by having a single California resident amongst its users once it exceeds the law’s minimum threshold requirement(s) — even if the firm does not conduct business in California.25 Such burdens will not be felt only by technology companies but also by a wide array of industries both online and offline that often utilize personal data. On that basis, courts will have to balance the extent of the burden faced by plaintiffs with the benefit to the state associated with the requirement.

Even if all 50 states independently established the same standards, those subject to such laws might still struggle with different standards of enforcement, creating uncertainty for offering similar products across state borders.26 Thus, as AEI’s Daniel Lyons has argued regarding potential state level Net Neutrality laws:

[E]ven if the court construes these restrictions to apply only to contracts with in-state consumers, such regulations can disrupt the orderly flow of interstate traffic. Permissible network management practices would differ from state to state, depending on whether and how each state chose to regulate. Even if all states adopted facially identical statutes, fragmentation is likely to occur over time as fifty different sovereigns may reasonably disagree on enforcement.27

More likely, even slight differences in state level privacy laws will create Dormant Commerce Clause-triggering undue burdens as out-of-state companies confront the choice to either comply with the most stringent state laws or create individual and less efficient products for each state or local regulation.28