It has always been a “happy incident” of our federal system that a “courageous State” may “try novel social and economic experiments without risk to the rest of the country.” See New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J. dissenting). In relation to data protection laws, however, this has led to an unintended and potentially unworkable level of complexity on the national level. This complexity first arose in relation to data breach notification statutes, which began in California in 2002 and soon spread to all 50 states, albeit with wide variations in terminology and scope.

In relation to data privacy, California is again leading the way with the California Consumer Privacy Act (CCPA), passed in 2018 and effective as of Jan. 1, 2020. Long gone are the days, however, where experimentation in the arena of data protection is “without risk to the rest of the country.” Indeed, as the world’s fifth largest economy and nexus for much of the world’s commercial online activity, California has global weight when it comes to regulating how organizations process personal data. This weight was underscored recently with the release of proposed regulations under CCPA, which remain under comment until Dec. 6, 2019.