电子邮件 网上办公

选择语言
邀兵请将  
您现在所在位置: 德衡商法网  >   业务领域  >   海外业务中心

梅良:《加利福尼亚消费者隐私保护法》的影响与挑战

发布日期:2021-06-30
梅  良

北京德和衡律师事务所高级联席合伙人

北京德和衡(华盛顿)律师事务所主任







论文简介:2020年1月1日,《 加利福尼亚消费者隐私保护法》(CCPA) 生效。该法是美国第一部综合性的消费者隐私保护法,是美国个人隐私保护的重大立法进步。该法的生效对于从事与加利福尼亚消费者个人信息有关的企业,包括中国企业的经营模式和合规风险将产生深远的影响。同时,由于该法立法程序进展过快,导致了诸如定义模糊、自身矛盾、执法力度不够、管辖过宽的问题,受到包括是否违反美国联邦宪法和法律的质疑,也因为对违法行为的处置不如欧盟的GDPR严厉,而被批评为“无牙之虎”。本文将通过对CCPA的深入介绍和批评,希望对业界相关人士在进行与CCPA有关的业务活动时有所帮助。




The Impacts and Challenges of California Consumer Privacy Act


图片


On January 1, 2020, the California Consumer Privacy Act (the “CCPA”) became effective. As the result of the implementation of the CCPA, significant changes about how to manage the businesses and sell consumer information would definitely happen. At the same time, the CCPA would face challenges from the perspectives of federal constitutional and procedural law. 





Introduction


I. A Brief Summary of the CCPA 


The CCPA is one of the most significant data privacy laws enacted in the United States. Under the CCPA, California consumers can pursue class actions and seek statutory damages for data breaches. The California Attorney General can bring costly enforcement actions against the violation of the CCPA. The threshold of the applicability of the CCPA is relatively lower than similar laws in other jurisdictions, and it applies to many businesses that operate globally across a wide range of industries. 


A. Entities Covered by the CCPA


The CCPA applies to three types of entities, namely "Businesses," "Service Providers" & "Not-Third-Parties," and "Third Parties." It does not apply to not-for-profit businesses and service providers. With respect to "Businesses" and "Service Providers," CCPA only applies to legal entities. However, "Third Parties" include natural persons. 


B. The protected "Personal Information."


The CCPA defines “Personal Information” as “any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household.”  The scope of the protected information is pretty broad, includes but not limited to the identifiers such as names addresses, I.P. or email address, geolocation data, biometric information, internet activities, audiovisual thermal or similar information, professional or employment information, education information, and any information that could be used to identify the consumers. 


The protected personal information does not include publicly available information, de-identified or aggregated information, and information not maintained by a business in a way that could reasonably be capable of identifying a consumer or household. 


Also, the CCPA has no jurisdiction over the information regulated by federal law, such as the HIPAA, GLBA, or FCRA. The text of the CCPA says that it does not regulate commercial conduct involving California residents that takes place wholly outside of California. 


C. Protection awarded by the CCPA


Under the CCPA, California residents have the following rights regarding their protected personal information: the right to know, the right to deletion, the right to opt-out of sale, and non-discrimination. 


Accordingly, CCPA requires the regulated entities and individuals to provide notices to consumers regarding their rights and the use of their data, update data privacy policies, provide consumers with access to their data, allow consumers to “opt-out” of the sale of their data, delete consumer data on request, and not to discriminate against customers for exercising their rights. 


D. The Consequences of non-compliance of the CCPA


Upon the notice by the California Attorney General, regulated businesses have 30 days to cure the violation. The Attorney General can sue a business for uncured violation and obtain injunctive relief or statutory damages. Consumers may sue businesses for data breaches and seek injunctive relief, actual damages, or statutory damages. A class action is possible under the CCPA.


II. The Major Challenges Against CCPA


As the first and most important state privacy protection law in the United States, it is a great victory for the advocators of the protection of the consumer’s personal information. However, given the uncertainty involving the CCPA, the rush of the implementation of the law, the ambiguities in the statutory languages, and the broadness of the regulating scope, the CCPA may face challenges from multiple perspectives. In this paper, we will discuss the issues of the jurisdiction, the CCPA’s interference with interstate commerce, and the consequences of the ambiguities of the languages of the CCPA.  





DISCUSSIONS


I. Lack of Personal Jurisdiction 


Under the CCPA, California residents can sue any out-state business before a California court if the business falls within the CCPA's definition of "Business." 


The CCPA regulates two groups of businesses. The first regulated businesses are defined by Cal. Civ. Code §§ 1798 c (1). According to that section, "business" is any legal entity that operates for profit, does business in California, processes personal information, and meets at least one of the CCPA's "three thresholds":


a.Makes more than $25 million of gross revenue annually


b.annually buys, sells, receives or shares for commercial purposes over 50,000 consumers’ (including devices and households) personal information of, or


c.makes 50 percent or more of its annual revenues from the sale of consumers' personal information.1


Further, CCPA also regulates businesses even if they do not do businesses in California. According to Cal. Civ. Code §§ 1798 c (1), any entity who has controlling relationship or shares the common branding with a business met the above mentioned requirement is also within the scope of CCPA’ jurisdiction.2


CCPA’s regulation over wholly out-state business will invite constitutional challenges against the CCPA. Particularly, when a California consumer sue an out-state business that resides in a state other than California with no business presence in California, California courts may lack personal jurisdiction over that business under the CCPA.


A. California court have jurisdiction over nonresidents so long as he has minimal contacts with the state


Under California Civil Procedural Law, a California court has jurisdiction over nonresidents on any basis that is consistent with the United States or California Constitutions. 


According to the U.S. Constitution, a court may exercise personal jurisdiction over a nonresident individual if he has minimum contacts with the California that the exercise of the jurisdiction will not offend the “traditional notions of fair play and substantial justice.” 3


Accordingly, in order to establish personal jurisdiction over a CCPA regulated business, there must be minimum contacts between the defendant business and the State of California. 


To establish minimum contacts, courts generally applied the following test: 


(a) The nonresident defendant must do some act or consummate some transaction by which he uses the privilege and protection of that jurisdiction purposefully. 


(b) If the defendant’s act is systematic and continuous, the state has general jurisdiction over any claim against the defendant. Otherwise, the claim must be arising out of or resulting from the defendant's act which creates the contact with the state; and 


(c) exercise of jurisdiction must be reasonable.4


If the out-state business continuously and systematically operates business activities in California, it is easy to establish the minimum contacts with the forum of California could be. However, when a plaintiff sues an out-state business that does not do any business in California but only controls or is controlled by a California business, it would be much tougher to find jurisdiction over that defendant.


 Particularly, the issue would be whether the controlling relationship between a California businesses and out-state businesses is sufficient to prove minimum contact between the out-state business and the state of California? 


B. Merely controlled by or controlling a California business could not establish minimum contact.


In order to satisfy the first prong of the minimum contact test, the out-state business must do some act or carry out some transaction with the forum.5 Further, the out-state business must purposefully avail itself of the protection and privilege of the California laws.  If the contact is continuous and systematic, California courts have general jurisdiction over the out-state business. Otherwise, California courts may only have specific jurisdiction, which means the cause of action must arise from the defendant's specific action or transaction. If the out-state business does not do any business in California, it is extremely difficult, if not impossible, to establish that it has done any act or consummated any transaction with the forum of California. 


It is well settled that a nonresident defendant may have minimum contacts with the forum state if he 1) has direct contact with the state; 2) has a contract with a resident of the state;6 3) has placed his product into the stream of commerce such that it reaches the forum state;7 4) seeks to serve residents of the forum state;8 5) has satisfied the Calder effects test;9 or 6) has a non-passive website viewed within the forum state. 


According to the CCPA’s definition, “Control” or “Controlled” means the 


•more than 50% of the outstanding shares,


•more than 50% voting right over the election of majority of the directors, or


•controlling influence over the management of a company.10


Obviously, the controlling or controlled out-state business under CCPA does not satisfy any requirement needed to prove minimum contacts. Only the controlling relationship between a out-state business and a Californian business does not mean the out-state business purposefully avails the protection and privilege of the law of California. Controlling relationship merely means the out-state business is the shareholder of a California business. Buy holding the shares of a business organized in California, the out-state business need not pay tax to California. Further, California government has no regulating power over the out-state shareholders.  Most importantly, the out-state business enjoys no protection or privilege by being a shareholder of a California business. 


In sum, although the California court may certainly have jurisdiction over that CCPA regulated businesses that do business in California and satisfy the CCPA threshold, the California court may lack personal jurisdiction over those who have no actual business activities in California. 


II. The Violation of the Dormant Commerce Clause


According to the Article I of the United States Constitution, the United States Congress has the power to regulate international commerce, interstate commerce, and the commerce with the Indian tribes.11 From this authorization power, Courts have inferred a restriction on State power as the Dormant Commerce Clause (hereinafter referred to as “DCC”). The DCC prohibits states from discriminating against the out-state interest or unduly burdening interstate commerce. 


Under the DCC, it is unconstitutional if state laws discriminate in-state and out-state competing interest in a way that benefits the in-state interests and burdens the latter, interfere with purely extraterritorial activities, or unduly burden interstate commerce. 12


It may be relatively safe to say that CCPA does not facially discriminate in-state and out-state businesses. It could also be relatively difficult to criticize the CCPA for imposing inconsistent regulations. However, the real issue is, does CCPA unduly burden interstate commerce by regulating purely extraterritorial activities? Courts apply the “Pike Balancing Test” to determine whether a state law violates the Dormant Commerce Clause.


In Pike v. Bruce Church, Inc, the Supreme Court of the United States holds that a state law may not be found unduly burdening interstate commerce if it regulates even-handedly to achieve a legitimate state government interest and its effects on interstate commerce are only incidental 13. However, the state law is unconstitutionally void if the burden it imposes burden on interstate commerce is clearly excessive in comparison with the putative local benefits.14


A. CCPA may violate the Extraterritoriality Principle.


In applying the Pike Test to determine the constitutionality of a state statute, the extraterritoriality principle is a pre-requisite prong for the "Pike Balancing Test."


1. The Extraterritoriality Principle 


The extraterritoriality prong of the DCC jurisprudence prohibits laws from exercising practical control of commerce occurring entirely outside the boundaries of the state. 15 That said, if state law applies to conduct that takes place wholly outside of such state, the state law is per se invalid. 


The Supreme Court has held state laws were unconstitutional for regulating purely out-state activities in the following cases: Baldwin v. G.A.F. Seeling Inc, Brown-Forman v. N.Y. State Liq. Auth., and Healy v. Beer Institute, Inc.


In Healy v. Beer Inst., Inc., beer suppliers are required by a Connecticut law to present that they did not charge Connecticut wholesalers higher prices than wholesalers in other states. The Supreme Court held that the Connecticut law is unconstitutional because it has practical effect on regulating the scope of price of other states. According to the ruling, any state law that regulate commerce occurring wholly outside the boundaries of a State exceeds the constitutional limits of the State’s authority.16


In Brown-Forman Distillers Corp. v. New York State Liquor Authority, the Supreme Court holds a New York law that regulating the price of liquor produced in other states unconstitutional. Although the New York’s interest in assuring its residents’ enjoying the lowest possible price could be legitimate, New York did not have the authority to regulate the price system of other states.17


The Extraterritoriality Principle stated by those Supreme Court ruling is at point to void the CCPA for its violation of the DCC. 


2. The CCPA is unconstitutional because it regulates purely extraterritorial business. 


Given that the Supreme Court never struck down a state law purely based on the extraterritoriality theory, some scholars stated that the theory was dead. But, in some areas, the theory does survive: (1) in cases regarding prices between states; (2) in cases where the state’s statute attempts to control activities taking place in another state; and (3) in cases regarding the regulation of the Internet.18


Because California has every right to protect California residents’ privacy, CCPA certainly has a legitimate state interest. However, CCPA’s overreaching to out-state business and commercial activities impermissible projects California sovereignty onto other states. 


Firstly, the CCPA regulates purely out-state persons. CCPA regulates businesses even if they do not do businesses in California. According to Cal. Civ. Code §§ 1798 c (1), any entity who has controlling relationship or shares the common branding with a business met the above-mentioned requirement is also within the scope of CCPA’ jurisdiction. According to that definition, any business, whether it is located or organized in Hawaii or Alaska, if it controls or is controlled by a California business, it is mandated to comply with the CCPA’s regulation. 


Secondly, through CCPA’s overbroad definition of "personal information," "service providers," "third parties," and "sale," it comprehensively regulates business's collection of personal information on their website. Obviously, the storing and spreading of information through internet could not limited within the scope of California. 


Finally, due to the nature of the subject matter of the CCPA, the personal information, most of the regulated activities occur through the Internet. The activities do not occur in any states but virtually occurs everywhere.  It is impossible for the CCPA to apply solely to the intrastate business. 


As discussed above, by implementing the CCPA, California could regulate the subject matter, the channel, and the person involved in interstate commerce even if the regulated activities occurred purely outside of California. That is a facial violation of the Extraterritoriality Theory of the Dormant Commerce Clause. 


B. CCPA may fail the Pike Balancing Test. 


1. The Pike Balancing Test


The Court apply strict scrutiny review over expressly discriminatory state law. A state should prove that the purpose of the law is non-protectionist and there are no alternative means to achieve the legitimate public interest which is less discriminatory legitimate state interest. 19 Otherwise, if a law does not facially discriminate against out-of-state interests but only affects interstate commerce incidentally, the "Pike balancing test” applies. 


In Pike v. Bruce Church, Inc, an Arizona statute required the producers of Arizona-grown cantaloupes display their state of origin on each package. The plaintiff was an Arizona grower of high-quality cantaloupes. Instead of packing its products in Arizona, it transported them to nearby California facilities and packed the products without labeled as grown in Arizona. Arizona prohibited the plaintiff from doing so and ordered that the cantaloupes should be packed in Arizona. This would substantially raise defendant’s packing cost.20


The Supreme Court held that Arizona law negatively interfered with interstate commerce.  The Arizona law is unconstitutional under the Dormant Commerce Clause. Justice Stewart wrote for the Court that when state law regulates even-handedly for the purpose of a legitimate state government interest with only incidental interference with interstate commerce, it will be constitutional unless it imposes excessive burden imposed on such commerce regarding the putative local benefits. If there is any legitimate local purpose, then the question becomes whether the interference’s negative effect is proportionate with the legitimate purpose. Courts will look at the nature of the local interest and the less restrictive alternative method. 21


Applying this test to the Arizona statute, the Court found the Arizona law imposed excessive burden on interstate commerce. The local interest is not sufficient to justify the adverse effect on the interstate commerce. 


The "Pike Balancing Test" may be used to determine whether the state law is unduly burdensome. Under the Pike Balancing Test, the following factors should be looked into: (a) whether the state law serves a legitimate local purpose, and (b) what is the burden placed by the state law on interstate commerce in light of the local benefit derived by nature.


In applying the Pike test, we assume that CCPA does not facially discriminate out-state business and serves the legitimate purpose of protecting the Californian’s privacy. However, CCPA will be unconstitutional if the burden it imposes on interstate commerce is "`clearly excessive in relation to the putative local benefits.'"22


2. The CCPA’s legitimate local purpose


According to the California Attorney General’s website, the CCPA serves the state interest by giving consumers more control over the personal information collected by businesses. The CCPA also provides guidance on how to implement the law. This law protects the following privacy rights for California consumers:


•The right to know what personal information collected by businesses and how the businesses use and share the information;


•The right to delete personal inform the collected information;


•The opt-out right of the sale of their personal information; and


•The right to not be discriminated by businesses for exercising their CCPA rights.


Businesses should give consumers certain notices to explain their privacy practices.23


Generally speaking, CCPA is supposed to promote the protection of Californian’s personal information and other privacy rights from being abused and improperly disclosed. It is safe to say that CCPA does serve a legitimate interest of the State of California. 


3. The Burden Placed by CCPA on Interstate Commerce


Although the CCPA does not discriminate against businesses out of California and serve legitimate public interest of California, it imposes economic and non-economic cost on interstate commerce. According to CCPA's regulating scope, any business that has a business relationship with California residents who meets the financial or another threshold of CCPA will be subjected to the jurisdiction of CCPA. Accordingly, CCPA applies to absent businesses even they just have tenuous nexus with the State of California. The economic interest of those out-of-state will be significantly impacted by CCPA. The cost incurred to the out-of-state business and the impact on interstate commerce includes but not limited to the following:


a.  In order to meet the requirement imposed by the CCPA, businesses, either in-state or out-of-state, would have to establish their compliance system. Lawyers' fees, salaries, office equipment, training cost, and other consequential costs would be unavoidable. Although we could not estimate the exact amount of compliance cost per company needs to pay, it is safe to say that the price could not be very low. More importantly, those costs would not have been incurred but for the implementation of the CCPA.


According to a conservative estimation, at least 500,000 US non-Californian companies will be affected by the CCPA.24 They will have to make their decision about whether to spend the money to comply with the CCPA or to avoid the California market.


b.  To make the things worse, businesses would have to spend money to comply with multiple, inconsistent privacy-protecting laws. Before the implementation of CCPA, GDPR of the E.U. has been the most important privacy rule that affect any business whose operation involves collecting, using, or disclosing personal information. After the CCPA, several states in the U.S., including Virginia, also enacted their own privacy protection laws. One could reasonably foresee that more and more of the states in the U.S. would follow the step of California and Virginia. 


Generally speaking, the framework of the privacy protection laws of different jurisdictions are similar. But the devil is in the detail. None of any two-state laws and the GDPR are exactly identical. For example, The CCPA defines personal information as any information that can be used to identify, describe, or be reasonably linked with a consumer or household. However, under the GDPR, personal data refers to any information that directly or indirectly identifies someone. Further, the CCPA allows organizations to process data if they provide a clear opt-out option for consumers personal information from being sold or shared. On the contrary, under the GDPR, entities can process the data only when at least one of the six legal grounds is satisfied: Consent, Contract, Legal obligation, Vital interests, and Public task. 25


The differences between different regulation regimes are subtle, unapparent, and confusing. Compliance with one regulation regime does not necessarily means the compliance with the regulations of another jurisdiction. For a business that has involved in the data-related operation, given the nature of the industry, it is impossible to limit its daily operation within one jurisdiction. Actually, everything becomes interstate or even international when it is online. Thus, businesses will probably need to establish several different but similar compliance systems to keep their operation legal.


c. CCPA also imposes penalties against any business in violation of the state law. Although the consequences of the non-compliance of CCPA are not as harsh as that of the GDPR, a significant burden would be followed after the violation of CCPA. 


Firstly, the California Attorney General could sue the business for any un-cured violation The AG can seek statutory damages of up to $2,500 per violation. If the violation is intentional, the upper limit of the statutory damages is $7,500 per violation. 


Secondly, consumers may sue businesses for data breaches. A consumer may seek the greater of actual damages or statutory damages between $100 and $7500 per consumer per incident.  Also, a class action is possible under the CCPA. 26


4. Did the CCPA unduly burden interstate commerce?


In order to determine whether state law imposes a significant burden on interstate commerce and the burden outweighs the local state interest, Court often looks at whether there is an alternative way that could achieve the same local legitimate interest but put less burden on the interstate commerce. In the case that the less burdensome is reasonably practical, the state law is unconstitutional for its failure of the Pike test. 


a. Limited Local Interest


Although Californian residents can bring a private action against any business that allegedly violated the CCPA, the remedies awarded are very limited in comparison with the GDPR. Consumers will recover anywhere from $100 -$750 or actual damages per consumer per incident. The California General can invoke a civil fine of up to $7,500 for each willful violation. Although these penalties could significantly impact small or medium-size business, they mean very little to the tech giants. Due to the lack of the teeth of the CCPA, the local interest in this state law is very limited. 


b. Practical Alternative Methods


In order to reduce the impact imposed by CCPA on out-state businesses, California legislator could reconcile the law with GDPR and its sister states' similar legislatures. If there is a unified consumer privacy law, a business could save compliance costs by establishing one general compliance system. Lots of money would be wasted just for the similar but different compliance requirements imposed by different jurisdictions. 


In conclusion, CCPA may be unconstitutional for unduly burdening the interstate commerce. 


III. Too Vague to be Constitutional


In Connally v. General Construction Co., the Supreme Court holds that the terms of a stature which impose penalties should be explicit to inform the regulated person about what is wrong or right to do. If the statute is so vague that a reasonably intelligent person could only get the meaning of the law by guess, the law violates the due process under the Constitution.27


According to the constitutional rule of the void for vagueness doctrine, the due process of law requires that state laws should be written in a way that they state the punishable conduct explicitly and definitely. The doctrine serves two purposes: providing the regulated person with fair notice of what is punishable and preventing arbitrary enforcement and prosecution. 


State law could be challenged as too vague to be constitutional at least for two reasons: the law does not specifically state the required or prohibited practices, or the law does not state the procedures in sufficient details.  


A. The Vague Definitions of CCPA


CCPA is broadly criticized for its vagueness and ambiguity. Given the fact that the law is passed in a rush, the mess is not surprising. The vagueness of the terms of CCPA lies in the but not limited to the following definition:


1. Personal Information


Among the numerous vaguely defined terms of the CCPA, the most concerned one was the definition of the subject matter the CCPA: Personal Information. CCPA defines "Personal Information" as the "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." 


The problem is any information, if combined with other information, could be useful to identify a particular consumer or household.  For example, studies found that if you know a person’s birthdate, zip code, and gender, you have an 87% chance of finding that person’s identity. 28 Thus, almost all the information falls within the scope of the CCPA. Accordingly, the definition leads to the result that any information qualifies as "personal information" under the CCPA. The overbroad definition of “personal information” actually does not define anything.


2. Business or Third Party


CCPA imposes different obligations on "businesses" and "third parties." It is critical for a covered entity to make certain whether it is qualified as a "business" or a "third party.” 


According to the text of CCPA, “business” means any legal entity that operates for profit, does business in California, and meets at least one of the CCPA's "three thresholds.". On the other hand, “third party” means a person who is not a CCPA defined “business”, a “service provider to the business”, or a “contractor.” 


According to the definition, a “third party” almost means nobody on earth. An entity could not be a third party and a business at the same time. The definitions of “third party” and “business” seem to be mutually exclusive. But that is not the case. That would be too easy to circumvent the CCPA and leads to absurd results. Actually, lots of CCPA's provisions suggest that a business could be a "third party" at the same time. 


For example, if Acme Company intends to avoid the obligation imposed on a business, which is heavier than that on a "third party," it will simply establish a shell organization, Bad Company, as the entity that directly collects information from the consumers. Acme could always act as the "third party" company by receiving the personal information collected by Bad Company.


3. Service Provider


CCPA defines a "service provider" as an entity that processes information on behalf of a business. The problem lies in what activity qualifies as "processing" information. CCPA does not waste any words to explain that issue. 


Further, if an entity is classified as a "service provider," is it required to comply with the CCPA's requirements? Although CCPA defines that business must impose some requirement on the service provider, it is silent on whether a service provider is required to comply with the same or similar obligation imposed on a "business" by the CCPA. 


B. CCPA is void for vagueness.


In the case of vagueness, state law may be void on constitutional grounds. Courts have decided that vague law will deprive citizens of their right in violating due process. 


1.  the "Void for Vagueness" doctrine is applicable to CCPA


One may argue that the Vagueness doctrine only applies to criminal law. In Connally v. General Construction, the Supreme Court’s ruling seems to limit the Vagueness Doctrine within the state laws that impose criminal penalties on citizens. Because CCPA does not impose any criminal penalty, some argues that the Vagueness Doctrine does not apply to the CCPA. 


However, In F.C.C. v. Fox Television Stations, Inc, the Government imposed civil penalties on the plaintiff. The Court ruled that the because the F.C.C. did not define the words "obscene," "vulgar," "profane," and "indecent" accurately, it was unconstitutionally vague to enforce the restrictions against "obscene," "vulgar," "profane," or "indecent" acts for the reason that any person may find different things as obscene, vulgar, profane, or indecent. 29 By the ruling of F.C.C., the Supreme Court held void-for-vagueness doctrine is applicable to cases that involve civil penalties. 


Also, in Gentile v. State Bar of Nevada, 501 U.S. 1030, 1048–51 (1991), the Supreme Court holds that attorney disciplinary rule was unconstitutionally vague as applied; in Arnett v. Kennedy, 416 U.S. 134, 159-64 (1974), the Court holds that employment protection standard not impermissibly vague in regulating the speech of federal employee. None of those laws at issue is criminal law. 


Thereof, we can safely conclude that the Void for Vagueness doctrine does not only apply to criminal law but also applies to quasi-criminal laws. The doctrine will apply to those laws that impose civil penalties. However, the doctrine does not apply to the laws that govern rights and obligations between private parties but only applies to laws that govern rights and obligations with the government. 30


Here, CCPA provides statutory damages against the incompliance of the law.  The Attorney General of California can impose a civil penalty on any person who violates the CCPA. These fines could be more than hundreds of millions of dollars in some cases and will apply to any violation of the CCPA.


Thus, the Void for Vagueness is applicable to CCPA because it imposes civil penalties and potentially limits the constitutional rights of citizens. 


2. A state law may be challenged for its vagueness in at least two ways:


a. The state law does not explicitly illustrate what practices are allowed or prohibited.31.


b. the state law does not specifically detail the procedure of the enforcement of the law. 32 


Here, as discussed above, CCPA vaguely defines the regulated party of the law. It is hard to be certain about whether an entity should be classified as a "business", "a third party", or a "service provider", one must guess whether the CCPA has imposed obligation and liability on him or her.


Further, because the CCPA does not clearly define the purposely protected subject matter of the law, the "Personal Information", regulated entities would be at a total loss about what is the right thing to do according to the law. 


In conclusion, the CCPA may be unconstitutionally void for its vagueness. 





CONCLUSION


In sum, given the issues discussed above, it is doubtful whether CCPA is competent to achieve the goal of the protection of California residents' personal information as the Californian legislators intend to. A nationwide general privacy law with more sophisticated legislature techniques may be the ultimate solution to the problems. 




或许您还想看

姚约茜、梅良、文露:FCPA监管 | 海外合规——中国企业国际化的必经之路

Matt、栾姗、梅良:中国企业如何撤离美国

梅良:美国承认外国判决书法律制度初探



作者简介

梅  良

北京德和衡律师事务所高级联席合伙人、北京德和衡(华盛顿)律师事务所主任

梅良律师毕业于加州大学伯克利法学院,是中国和美国加利福尼亚州执业律师,中国注册会计师(非执业)。

梅良律师在国内执业期间,为包括中行、农行、工行、建行、交行、招商、平安及东方资产等四大管理公司在内的金融机构提供日常非诉讼咨询服务并代理诉讼案件数百起,诉讼标的达数十亿元,为各金融机构的不良资产清收和法律合规工作做出了贡献。

梅良律师在美国执业期间,除了为中资机构提供包括海外资产调查、美国进出口管制、美国海外资产管制、反垄断法、海外反腐败法等各类涉美合规咨询法律服务外,还代理了中国企业在美国加利福尼亚州、新泽西州、华盛顿州及联邦法院和联邦政府部门的各类诉讼案件,涉及301调查、337调查、知识产权纠纷、国际贸易。

邮箱:meiliang@deheng.com



质控人简介

向振鹏

法学博士

北京德和衡(深圳)律师事务所律师

xiangzhenpeng@deheng.com


本文仅代表作者观点,如需转载、节选,请在后台留言

海外业务中心

  • 栾姗

    总监

    跨境权益保护部,北美,域外争议解决

    更多 》

  • 刘克江

    联席总监

    跨境权益保护部

    更多 》

  • 刘华

    联席执行总监

    投资并购,企业重组与破产,股权

    更多 》

  • 梅良

    副总监

    国际贸易

    更多 》

  • 邱榆霞

    副总监

    跨境投资并购

    更多 》

  • 张毅

    副总监

    跨境投资并购,公司并购,境外IPO

    更多 》

  • 蔡步青

    副总监

    涉台投资并购与争议解决,一带一路投资并购与争议解决专业委员,跨境能源投资与基础设施建设专业委员

    更多 》

  • 张雨彦妍

    副总监

    金融

    更多 》

  • 唐志峰

    执行总监

    一带一路投资并购与争议解决专业委员,跨境投资与争议解决,境外资本市场

    更多 》

  • 苏琳琳

    联席管理总监

    股权投资,公司并购

    更多 》

网站简介    |     法律声明    |     联系链接    |     本站产品    |     联系方式    |     自助服务

Copyright@2016    版权所有    德衡商法网    免费服务监督热线:    800-8600-880    

鲁公网安备 37020202000804号     山东德衡律师事务所ICP备案号:鲁ICP备05011736号    网站统计