Arizona Rightly Pushes Back on California's Privacy Aggression
Over the past few years, no state has been more aggressive in pushing constitutional limits on its authority than California, most recently with its attempt to make national law on internet privacy. This effort is just a small part of a growing trend of states attempting to tax and regulate outside their borders.
Thus, it’s a relief when at least one state pushes back on California’s aggression, arguing that the Golden State’s regulatory power should end where its borders do. That’s the case with Arizona House Concurrent Resolution 2013, a bill in the state House of Representatives that would make it the Arizona government’s position that internet privacy regulation is the purview of Congress, not individual states.
Arizona’s legislature doesn’t bring this up idly. California’s landmark consumer privacy legislation, the California Consumer Privacy Act (CCPA), went into effect less than two months ago and threatens to impose crippling compliance burdens on businesses all across the country.
The CCPA set data privacy standards for businesses that transact in 50,000 or more Californians’ data, even if the business lacks any physical presence within the state. Given that this represents just 0.18 percent of the state’s adult population, this standard was always likely to ensnare a significant number of out-of-state businesses.
After all, most businesses collect consumer data as a matter of course, even if they are not selling this data. Restaurants collect email addresses for reservations, auto insurers collect your age and driving history to calculate your premium, and retailers that offer rewards programs keep track of your purchase history. It would be very easy for businesses that use consumer data for mundane purposes to find themselves caught up in the CCPA’s net.
And California was well aware that it would be creating a substantial compliance burden for many businesses that it had little right to regulate. Firms with less than 20 employees were estimated by the state to incur $50,000 in initial compliance costs, with double that amount for businesses with between 20 and 100 employees. All in all, the state estimated $55 billion in total up-front compliance costs alone — and that’s only for California-based companies, with billions more in costs likely for those out of state.
Failing to comply can be very costly for businesses, whether based in San Francisco or New York City. Unintentional violations of the CCPA are fined at $2,500 per instance — a number that balloons very quickly when multiplied by the 50,000 consumer threshold.
Given this, it’s understandable that Arizona is upset that California is effectively attempting to dictate national policy on this issue. California legislators and government bureaucrats were elected by Californians, not Arizonans, after all.
On top of this, other states following California’s lead could create an impossible web of overlapping and conflicting state laws. The CCPA alone is burdensome enough, but were 49 states to follow suit with their own variants, the burden on interstate commerce would be near paralyzing.
Therefore, Arizona is right to assert that regulation of things like internet privacy should be the prerogative of the federal government. States rightly hold power to dictate their own affairs but if they attempt to regulate for the entire country, it’s Congress’s job to step in and protect the national economy from a downward spiral of state aggression.