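Abstract: On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect. It is the first comprehensive consumer privacy law in the United States and a major legislative advance in the protection of personal privacy in the United States. Its entry into force will have a far-reaching effect on the business models and compliance risks of enterprises, including Chinese enterprises, whose business involves the personal information of California consumers. At the same time, because the legislative process moved too quickly, the law suffers from problems such as vague definitions, internal contradictions, insufficient enforcement, and overly broad jurisdiction. It has been questioned as to whether it violates the U.S. federal Constitution and federal law, and, because its treatment of violations is less severe than that of the EU's GDPR, it has been criticized as a "toothless tiger." Through an in-depth introduction to and critique of the CCPA, this article hopes to be of help to practitioners carrying out business activities related to the CCPA.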
The Impacts and Challenges of California Consumer Privacy Act
On January 1, 2020, the California Consumer Privacy Act (the “CCPA”) became effective. As a result of the implementation of the CCPA, significant changes in how businesses are managed and how consumer information is sold would definitely happen. At the same time, the CCPA would face challenges from the perspectives of federal constitutional and procedural law.
I. A Brief Summary of the CCPA
The CCPA is one of the most significant data privacy laws enacted in the United States. Under the CCPA, California consumers can pursue class actions and seek statutory damages for data breaches. The California Attorney General can bring costly enforcement actions against violations of the CCPA. The threshold for the applicability of the CCPA is relatively lower than that of similar laws in other jurisdictions, and it applies to many businesses that operate globally across a wide range of industries.
A. Entities Covered by the CCPA
The CCPA applies to three types of entities, namely "Businesses," "Service Providers" & "Not-Third-Parties," and "Third Parties." It does not apply to not-for-profit businesses and service providers. With respect to "Businesses" and "Service Providers," CCPA only applies to legal entities. However, "Third Parties" include natural persons.
B. The protected "Personal Information."
The CCPA defines “Personal Information” as “any information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household.” The scope of the protected information is broad and includes, but is not limited to, identifiers such as names, addresses, I.P. or email addresses, geolocation data, biometric information, internet activities, audiovisual, thermal or similar information, professional or employment information, education information, and any information that could be used to identify the consumers.
The protected personal information does not include publicly available information, de-identified or aggregated information, and information not maintained by a business in a way that could reasonably be capable of identifying a consumer or household.
Also, the CCPA has no jurisdiction over the information regulated by federal law, such as the HIPAA, GLBA, or FCRA. The text of the CCPA says that it does not regulate commercial conduct involving California residents that takes place wholly outside of California.
C. Protection afforded by the CCPA
Under the CCPA, California residents have the following rights regarding their protected personal information: the right to know, the right to deletion, the right to opt-out of sale, and non-discrimination.
Accordingly, the CCPA requires the regulated entities and individuals to provide notices to consumers regarding their rights and the use of their data, update data privacy policies, provide consumers with access to their data, allow consumers to “opt-out” of the sale of their data, delete consumer data on request, and not discriminate against customers for exercising their rights.
D. The Consequences of Non-Compliance with the CCPA
Upon notice from the California Attorney General, regulated businesses have 30 days to cure the violation. The Attorney General can sue a business for an uncured violation and obtain injunctive relief or statutory damages. Consumers may sue businesses for data breaches and seek injunctive relief, actual damages, or statutory damages. A class action is possible under the CCPA.
II. The Major Challenges Against CCPA
As the first and most important state privacy protection law in the United States, the CCPA is a great victory for advocates of the protection of consumers' personal information. However, given the uncertainty involving the CCPA, the rush in implementing the law, the ambiguities in the statutory language, and the breadth of the regulating scope, the CCPA may face challenges from multiple perspectives. In this paper, we will discuss the issues of jurisdiction, the CCPA’s interference with interstate commerce, and the consequences of the ambiguities in the language of the CCPA.
I. Lack of Personal Jurisdiction
Under the CCPA, California residents can sue any out-of-state business before a California court if the business falls within the CCPA's definition of "Business."
The CCPA regulates two groups of businesses. The first group of regulated businesses is defined by Cal. Civ. Code §§ 1798 c (1). According to that section, a "business" is any legal entity that operates for profit, does business in California, processes personal information, and meets at least one of the CCPA's "three thresholds":
a. makes more than $25 million of gross revenue annually;
b. annually buys, sells, receives or shares for commercial purposes the personal information of over 50,000 consumers (including devices and households); or
c. makes 50 percent or more of its annual revenues from the sale of consumers' personal information.1
Further, the CCPA also regulates businesses even if they do not do business in California. According to Cal. Civ. Code §§ 1798 c (1), any entity that has a controlling relationship or shares common branding with a business that meets the above-mentioned requirements is also within the scope of the CCPA's jurisdiction.2
The CCPA's regulation of wholly out-of-state businesses will invite constitutional challenges against the CCPA. In particular, when a California consumer sues an out-of-state business that resides in a state other than California and has no business presence in California, California courts may lack personal jurisdiction over that business under the CCPA.
A. California courts have jurisdiction over a nonresident so long as the nonresident has minimum contacts with the state
Under California Civil Procedural Law, a California court has jurisdiction over nonresidents on any basis that is consistent with the United States or California Constitutions.
According to the U.S. Constitution, a court may exercise personal jurisdiction over a nonresident individual if the individual has such minimum contacts with California that the exercise of jurisdiction will not offend the “traditional notions of fair play and substantial justice.” 3
Accordingly, in order to establish personal jurisdiction over a CCPA regulated business, there must be minimum contacts between the defendant business and the State of California.
To establish minimum contacts, courts generally apply the following test:
(a) The nonresident defendant must do some act or consummate some transaction by which he uses the privilege and protection of that jurisdiction purposefully.
(b) If the defendant’s act is systematic and continuous, the state has general jurisdiction over any claim against the defendant. Otherwise, the claim must arise out of or result from the defendant's act which creates the contact with the state; and
(c) exercise of jurisdiction must be reasonable.4
If the out-of-state business continuously and systematically operates business activities in California, it is easy to establish minimum contacts with the forum of California. However, when a plaintiff sues an out-of-state business that does not do any business in California but only controls or is controlled by a California business, it would be much tougher to find jurisdiction over that defendant.
In particular, the issue would be whether the controlling relationship between a California business and an out-of-state business is sufficient to prove minimum contacts between the out-of-state business and the State of California.
B. Merely being controlled by or controlling a California business cannot establish minimum contacts.
In order to satisfy the first prong of the minimum contact test, the out-state business must do some act or carry out some transaction with the forum.5 Further, the out-state business must purposefully avail itself of the protection and privilege of the California laws. If the contact is continuous and systematic, California courts have general jurisdiction over the out-state business. Otherwise, California courts may only have specific jurisdiction, which means the cause of action must arise from the defendant's specific action or transaction. If the out-state business does not do any business in California, it is extremely difficult, if not impossible, to establish that it has done any act or consummated any transaction with the forum of California.
It is well settled that a nonresident defendant may have minimum contacts with the forum state if he 1) has direct contact with the state; 2) has a contract with a resident of the state;6 3) has placed his product into the stream of commerce such that it reaches the forum state;7 4) seeks to serve residents of the forum state;8 5) has satisfied the Calder effects test;9 or 6) has a non-passive website viewed within the forum state.
According to the CCPA’s definition, “Control” or “Controlled” means:
• more than 50% of the outstanding shares,
• more than 50% voting rights over the election of a majority of the directors, or
• controlling influence over the management of a company.10
Obviously, the controlling or controlled out-of-state business under the CCPA does not satisfy any requirement needed to prove minimum contacts. The controlling relationship between an out-of-state business and a Californian business alone does not mean that the out-of-state business purposefully avails itself of the protection and privilege of the law of California. A controlling relationship merely means the out-of-state business is the shareholder of a California business. By holding the shares of a business organized in California, the out-of-state business need not pay tax to California. Further, the California government has no regulating power over the out-of-state shareholders. Most importantly, the out-of-state business enjoys no protection or privilege by being a shareholder of a California business.
In sum, although California courts may certainly have jurisdiction over those CCPA-regulated businesses that do business in California and satisfy the CCPA threshold, California courts may lack personal jurisdiction over those that have no actual business activities in California.
II. The Violation of the Dormant Commerce Clause
According to Article I of the United States Constitution, the United States Congress has the power to regulate international commerce, interstate commerce, and commerce with the Indian tribes.11 From this grant of power, courts have inferred a restriction on state power known as the Dormant Commerce Clause (hereinafter referred to as “DCC”). The DCC prohibits states from discriminating against out-of-state interests or unduly burdening interstate commerce.
Under the DCC, state laws are unconstitutional if they discriminate between in-state and out-of-state competing interests in a way that benefits the former and burdens the latter, interfere with purely extraterritorial activities, or unduly burden interstate commerce. 12
It may be relatively safe to say that the CCPA does not facially discriminate between in-state and out-of-state businesses. It could also be relatively difficult to criticize the CCPA for imposing inconsistent regulations. However, the real issue is whether the CCPA unduly burdens interstate commerce by regulating purely extraterritorial activities. Courts apply the “Pike Balancing Test” to determine whether a state law violates the Dormant Commerce Clause.
In Pike v. Bruce Church, Inc., the Supreme Court of the United States holds that a state law may not be found to unduly burden interstate commerce if it regulates even-handedly to achieve a legitimate state government interest and its effects on interstate commerce are only incidental.13 However, the state law is unconstitutionally void if the burden it imposes on interstate commerce is clearly excessive in comparison with the putative local benefits.14
A. CCPA may violate the Extraterritoriality Principle.
In applying the Pike Test to determine the constitutionality of a state statute, the extraterritoriality principle is a pre-requisite prong for the "Pike Balancing Test."
1. The Extraterritoriality Principle
The extraterritoriality prong of the DCC jurisprudence prohibits laws from exercising practical control of commerce occurring entirely outside the boundaries of the state. 15 That said, if a state law applies to conduct that takes place wholly outside of such state, the state law is per se invalid.
The Supreme Court has held state laws unconstitutional for regulating purely out-of-state activities in the following cases: Baldwin v. G.A.F. Seelig, Inc., Brown-Forman v. N.Y. State Liq. Auth., and Healy v. Beer Institute, Inc.
In Healy v. Beer Inst., Inc., beer suppliers were required by a Connecticut law to affirm that they did not charge Connecticut wholesalers higher prices than wholesalers in other states. The Supreme Court held that the Connecticut law was unconstitutional because it had the practical effect of regulating prices in other states. According to the ruling, any state law that regulates commerce occurring wholly outside the boundaries of a State exceeds the constitutional limits of the State’s authority.16
In Brown-Forman Distillers Corp. v. New York State Liquor Authority, the Supreme Court holds unconstitutional a New York law that regulated the price of liquor produced in other states. Although New York’s interest in assuring that its residents enjoy the lowest possible price could be legitimate, New York did not have the authority to regulate the price system of other states.17
The Extraterritoriality Principle stated in those Supreme Court rulings is on point for voiding the CCPA for its violation of the DCC.
2. The CCPA is unconstitutional because it regulates purely extraterritorial business.
Given that the Supreme Court never struck down a state law purely based on the extraterritoriality theory, some scholars stated that the theory was dead. But, in some areas, the theory does survive: (1) in cases regarding prices between states; (2) in cases where the state’s statute attempts to control activities taking place in another state; and (3) in cases regarding the regulation of the Internet.18
Because California has every right to protect California residents’ privacy, the CCPA certainly serves a legitimate state interest. However, the CCPA’s overreach to out-of-state businesses and commercial activities impermissibly projects California sovereignty onto other states.
Firstly, the CCPA regulates purely out-of-state persons. The CCPA regulates businesses even if they do not do business in California. According to Cal. Civ. Code §§ 1798 c (1), any entity that has a controlling relationship or shares common branding with a business that meets the above-mentioned requirements is also within the scope of the CCPA's jurisdiction. According to that definition, any business, whether it is located or organized in Hawaii or Alaska, is mandated to comply with the CCPA’s regulation if it controls or is controlled by a California business.
Secondly, through the CCPA’s overbroad definitions of "personal information," "service providers," "third parties," and "sale," it comprehensively regulates businesses' collection of personal information on their websites. Obviously, the storing and spreading of information through the Internet cannot be limited to California.
Finally, due to the nature of the subject matter of the CCPA, personal information, most of the regulated activities occur through the Internet. The activities do not occur in any one state but occur virtually everywhere. It is impossible for the CCPA to apply solely to intrastate business.
As discussed above, by implementing the CCPA, California could regulate the subject matter, the channel, and the person involved in interstate commerce even if the regulated activities occurred purely outside of California. That is a facial violation of the Extraterritoriality Theory of the Dormant Commerce Clause.
B. CCPA may fail the Pike Balancing Test.
1. The Pike Balancing Test
Courts apply strict scrutiny review to expressly discriminatory state laws. A state must prove that the purpose of the law is non-protectionist and that there are no less discriminatory alternative means to achieve the legitimate state interest. 19 Otherwise, if a law does not facially discriminate against out-of-state interests but only affects interstate commerce incidentally, the "Pike balancing test" applies.
In Pike v. Bruce Church, Inc., an Arizona statute required the producers of Arizona-grown cantaloupes to display their state of origin on each package. The plaintiff was an Arizona grower of high-quality cantaloupes. Instead of packing its products in Arizona, it transported them to nearby California facilities and packed the products without labeling them as grown in Arizona. Arizona prohibited the plaintiff from doing so and ordered that the cantaloupes should be packed in Arizona. This would substantially raise the grower's packing cost.20
The Supreme Court held that the Arizona law negatively interfered with interstate commerce and was unconstitutional under the Dormant Commerce Clause. Justice Stewart wrote for the Court that when a state law regulates even-handedly for the purpose of a legitimate state government interest with only incidental interference with interstate commerce, it will be constitutional unless the burden imposed on such commerce is excessive in relation to the putative local benefits. If there is any legitimate local purpose, then the question becomes whether the interference’s negative effect is proportionate to the legitimate purpose. Courts will look at the nature of the local interest and at less restrictive alternative methods. 21
Applying this test to the Arizona statute, the Court found that the Arizona law imposed an excessive burden on interstate commerce. The local interest was not sufficient to justify the adverse effect on interstate commerce.
The "Pike Balancing Test" may be used to determine whether the state law is unduly burdensome. Under the Pike Balancing Test, the following factors should be looked into: (a) whether the state law serves a legitimate local purpose, and (b) what is the burden placed by the state law on interstate commerce in light of the local benefit derived by nature.
In applying the Pike test, we assume that the CCPA does not facially discriminate against out-of-state businesses and serves the legitimate purpose of protecting Californians' privacy. However, the CCPA will be unconstitutional if the burden it imposes on interstate commerce is "clearly excessive in relation to the putative local benefits."22
2. The CCPA’s legitimate local purpose
According to the California Attorney General’s website, the CCPA serves the state interest by giving consumers more control over the personal information collected by businesses. The CCPA also provides guidance on how to implement the law. This law protects the following privacy rights for California consumers:
• The right to know what personal information is collected by businesses and how the businesses use and share the information;
• The right to delete the collected personal information;
• The right to opt out of the sale of their personal information; and
• The right not to be discriminated against by businesses for exercising their CCPA rights.
Businesses should give consumers certain notices to explain their privacy practices.23
Generally speaking, the CCPA is supposed to protect Californians' personal information and other privacy rights from being abused and improperly disclosed. It is safe to say that the CCPA does serve a legitimate interest of the State of California.
3. The Burden Placed by CCPA on Interstate Commerce
Although the CCPA does not discriminate against businesses outside California and serves a legitimate public interest of California, it imposes economic and non-economic costs on interstate commerce. According to the CCPA's regulating scope, any business that has a business relationship with California residents and meets the financial or another threshold of the CCPA will be subject to the jurisdiction of the CCPA. Accordingly, the CCPA applies to absent businesses even if they have only a tenuous nexus with the State of California. The economic interests of those out-of-state businesses will be significantly impacted by the CCPA. The costs incurred by out-of-state businesses and the impact on interstate commerce include, but are not limited to, the following:
a. In order to meet the requirements imposed by the CCPA, businesses, whether in-state or out-of-state, would have to establish their own compliance systems. Lawyers' fees, salaries, office equipment, training costs, and other consequential costs would be unavoidable. Although we cannot estimate the exact amount of compliance cost each company needs to pay, it is safe to say that the price would not be very low. More importantly, those costs would not have been incurred but for the implementation of the CCPA.
According to a conservative estimate, at least 500,000 US non-Californian companies will be affected by the CCPA.24 They will have to decide whether to spend the money to comply with the CCPA or to avoid the California market.
b. To make things worse, businesses would have to spend money to comply with multiple, inconsistent privacy-protecting laws. Before the implementation of the CCPA, the GDPR of the E.U. had been the most important privacy rule affecting any business whose operation involves collecting, using, or disclosing personal information. After the CCPA, several states in the U.S., including Virginia, also enacted their own privacy protection laws. One could reasonably foresee that more and more states in the U.S. will follow the steps of California and Virginia.
Generally speaking, the frameworks of the privacy protection laws of different jurisdictions are similar. But the devil is in the details. No two state laws are exactly identical, nor is any of them identical to the GDPR. For example, the CCPA defines personal information as any information that can be used to identify, describe, or be reasonably linked with a consumer or household. However, under the GDPR, personal data refers to any information that directly or indirectly identifies someone. Further, the CCPA allows organizations to process data if they provide a clear option for consumers to opt out of having their personal information sold or shared. By contrast, under the GDPR, entities can process the data only when at least one of the six legal grounds is satisfied: Consent, Contract, Legal obligation, Vital interests, and Public task. 25
The differences between the regulation regimes are subtle, unapparent, and confusing. Compliance with one regulation regime does not necessarily mean compliance with the regulations of another jurisdiction. For a business that is involved in data-related operations, given the nature of the industry, it is impossible to limit its daily operation to one jurisdiction. Actually, everything becomes interstate or even international when it is online. Thus, businesses will probably need to establish several different but similar compliance systems to keep their operations legal.
c. The CCPA also imposes penalties on any business in violation of the state law. Although the consequences of non-compliance with the CCPA are not as harsh as those of the GDPR, a significant burden would follow a violation of the CCPA.
Firstly, the California Attorney General could sue the business for any uncured violation. The AG can seek statutory damages of up to $2,500 per violation. If the violation is intentional, the upper limit of the statutory damages is $7,500 per violation.
Secondly, consumers may sue businesses for data breaches. A consumer may seek the greater of actual damages or statutory damages between $100 and $7500 per consumer per incident. Also, a class action is possible under the CCPA. 26
4. Did the CCPA unduly burden interstate commerce?
In order to determine whether a state law imposes a significant burden on interstate commerce and whether that burden outweighs the local state interest, courts often look at whether there is an alternative way that could achieve the same legitimate local interest while putting less burden on interstate commerce. Where a less burdensome alternative is reasonably practical, the state law is unconstitutional for failing the Pike test.
a. Limited Local Interest
Although Californian residents can bring a private action against any business that allegedly violated the CCPA, the remedies awarded are very limited in comparison with the GDPR. Consumers will recover anywhere from $100 to $750 or actual damages per consumer per incident. The California Attorney General can impose a civil fine of up to $7,500 for each willful violation. Although these penalties could significantly impact small or medium-size businesses, they mean very little to the tech giants. Because the CCPA lacks teeth, the local interest in this state law is very limited.
b. Practical Alternative Methods
In order to reduce the impact imposed by the CCPA on out-of-state businesses, the California legislature could reconcile the law with the GDPR and its sister states' similar legislation. If there were a unified consumer privacy law, a business could save compliance costs by establishing one general compliance system. Without such unification, a great deal of money would be wasted merely on meeting the similar but different compliance requirements imposed by different jurisdictions.
In conclusion, CCPA may be unconstitutional for unduly burdening the interstate commerce.
III. Too Vague to be Constitutional
In Connally v. General Construction Co., the Supreme Court holds that the terms of a statute which imposes penalties should be explicit enough to inform the regulated person about what is wrong or right to do. If the statute is so vague that a reasonably intelligent person could only get at the meaning of the law by guessing, the law violates due process under the Constitution.27
According to the constitutional rule of the void for vagueness doctrine, due process of law requires that state laws be written in a way that states the punishable conduct explicitly and definitely. The doctrine serves two purposes: providing the regulated person with fair notice of what is punishable and preventing arbitrary enforcement and prosecution.
A state law could be challenged as too vague to be constitutional for at least two reasons: the law does not specifically state the required or prohibited practices, or the law does not state the procedures in sufficient detail.
A. The Vague Definitions of CCPA
The CCPA is broadly criticized for its vagueness and ambiguity. Given the fact that the law was passed in a rush, the mess is not surprising. The vagueness of the terms of the CCPA lies in, but is not limited to, the following definitions:
1. Personal Information
Among the numerous vaguely defined terms of the CCPA, the one of greatest concern is the definition of the subject matter of the CCPA: Personal Information. The CCPA defines "Personal Information" as the "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The problem is any information, if combined with other information, could be useful to identify a particular consumer or household. For example, studies found that if you know a person’s birthdate, zip code, and gender, you have an 87% chance of finding that person’s identity. 28 Thus, almost all the information falls within the scope of the CCPA. Accordingly, the definition leads to the result that any information qualifies as "personal information" under the CCPA. The overbroad definition of “personal information” actually does not define anything.
2. Business or Third Party
The CCPA imposes different obligations on "businesses" and "third parties." It is critical for a covered entity to determine whether it qualifies as a "business" or a "third party."
According to the text of the CCPA, “business” means any legal entity that operates for profit, does business in California, and meets at least one of the CCPA's "three thresholds." On the other hand, “third party” means a person who is not a CCPA defined “business”, a “service provider to the business”, or a “contractor.”
According to the definition, a “third party” almost means nobody on earth. An entity could not be a third party and a business at the same time. The definitions of “third party” and “business” seem to be mutually exclusive. But that is not the case. That would make it too easy to circumvent the CCPA and would lead to absurd results. Actually, many of the CCPA's provisions suggest that a business could be a "third party" at the same time.
For example, if Acme Company intends to avoid the obligation imposed on a business, which is heavier than that on a "third party," it will simply establish a shell organization, Bad Company, as the entity that directly collects information from the consumers. Acme could always act as the "third party" company by receiving the personal information collected by Bad Company.
3. Service Provider
CCPA defines a "service provider" as an entity that processes information on behalf of a business. The problem lies in what activity qualifies as "processing" information. CCPA does not waste any words to explain that issue.
Further, if an entity is classified as a "service provider," is it required to comply with the CCPA's requirements? Although the CCPA provides that a business must impose certain requirements on the service provider, it is silent on whether a service provider is required to comply with the same or similar obligations imposed on a "business" by the CCPA.
B. CCPA is void for vagueness.
In the case of vagueness, a state law may be void on constitutional grounds. Courts have decided that a vague law deprives citizens of their rights in violation of due process.
1. The "Void for Vagueness" doctrine is applicable to the CCPA
One may argue that the Vagueness Doctrine only applies to criminal law. In Connally v. General Construction, the Supreme Court’s ruling seems to limit the Vagueness Doctrine to state laws that impose criminal penalties on citizens. Because the CCPA does not impose any criminal penalty, some argue that the Vagueness Doctrine does not apply to the CCPA.
However, in F.C.C. v. Fox Television Stations, Inc., the Government imposed civil penalties on the plaintiff. The Court ruled that because the F.C.C. did not define the words "obscene," "vulgar," "profane," and "indecent" accurately, it was unconstitutionally vague to enforce the restrictions against "obscene," "vulgar," "profane," or "indecent" acts, for the reason that different persons may find different things obscene, vulgar, profane, or indecent. 29 By its ruling in F.C.C., the Supreme Court held that the void-for-vagueness doctrine is applicable to cases that involve civil penalties.
Also, in Gentile v. State Bar of Nevada, 501 U.S. 1030, 1048–51 (1991), the Supreme Court holds that an attorney disciplinary rule was unconstitutionally vague as applied; in Arnett v. Kennedy, 416 U.S. 134, 159-64 (1974), the Court holds that an employment protection standard was not impermissibly vague in regulating the speech of federal employees. None of the laws at issue is a criminal law.
Therefore, we can safely conclude that the Void for Vagueness doctrine does not only apply to criminal law but also applies to quasi-criminal laws. The doctrine will apply to those laws that impose civil penalties. However, the doctrine does not apply to laws that govern rights and obligations between private parties but only applies to laws that govern rights and obligations with the government. 30
Here, the CCPA provides statutory damages for non-compliance with the law. The Attorney General of California can impose a civil penalty on any person who violates the CCPA. These fines could be more than hundreds of millions of dollars in some cases and will apply to any violation of the CCPA.
Thus, the Void for Vagueness is applicable to CCPA because it imposes civil penalties and potentially limits the constitutional rights of citizens.
2. A state law may be challenged for its vagueness in at least two ways:
a. The state law does not explicitly illustrate what practices are allowed or prohibited.31
b. The state law does not specifically detail the procedure for the enforcement of the law. 32
Here, as discussed above, the CCPA vaguely defines the regulated parties of the law. Because it is hard to be certain whether an entity should be classified as a "business", a "third party", or a "service provider", one must guess whether the CCPA has imposed obligation and liability on him or her.
Further, because the CCPA does not clearly define the subject matter that the law is meant to protect, "Personal Information", regulated entities would be at a total loss about what is the right thing to do according to the law.
In conclusion, the CCPA may be unconstitutionally void for its vagueness.
In sum, given the issues discussed above, it is doubtful whether the CCPA is competent to achieve the goal of protecting California residents' personal information as the Californian legislators intend. A nationwide general privacy law with more sophisticated legislative techniques may be the ultimate solution to the problems.