CCPA and the 451 Error: Unavailable for Legal Reasons

We’ve all had this frustrating experience: you’re browsing the internet and come across an interesting link. You click on the link, but instead of being presented with the content you are expecting, you receive an error message: “404 Error: The page that you requested could not be found.”

The bane of every overworked web developer, 404 error messages are usually the result of a typo or a sloppy reconfiguration of a website’s architecture. It can create a frustrating user experience depending on the content you’re looking for, but it is generally isolated to one particular page on a website.

Now imagine that instead of the occasional broken link, entire swaths of the internet are reduced to error messages. And the next time you open that mobile game you enjoy on your commute, the newspaper you subscribe to, or the social media service you use to stay connected with your relatives, you are presented with the same error message: “451 Error: Unavailable for Legal Reasons.”

In computer networking, this standard error message is known as an HTTP status code. It was developed in 2015 by the Internet Engineering Task Force for situations in which web pages are deemed a danger to national security, or to violate copyright, privacy, blasphemy laws, or any other law or court order. And as you may have guessed, the 451 is a reference to Fahrenheit 451, Ray Bradbury’s 1953 dystopian novel in which books are outlawed.

So, why would this sinister error message be appearing on some of your favorite, harmless websites? That story begins in Europe. In response to the General Data Protection Regulation (GDPR), a privacy law passed in Europe in 2016, thousands of U.S. newspapers discovered that they could no longer profitably operate in Europe. The compliance costs of a well-intentioned but poorly executed law outweighed the revenue potential of their European audiences. Even today, Europeans from Ireland to Bulgaria are unable to access the Pulitzer prize-winning stories on government corruption from the Chicago Tribune, the more than 250 years of reporting from The Hartford Courant — the oldest newspaper in the United States dating back to 1764, The St. Augustine Record — the newspaper of record in the first European Settlement in North America, and thousands of other sites.

In a worrisome example of historic recurrence, a similar story began to unfold in the U.S. in 2018. Passed in less than a week, the California Consumer Privacy Act (CCPA) duplicated many of the confusing compliance aspects of the GDPR, and added a few new ones of its own. The California Attorney General’s own assessment is that the law will cost up to $55 billion in upfront compliance costs, and that only accounts for costs to companies headquartered in California. These figures are similar to compliance costs for GDPR. The risks for violating CCPA’s vague statutes are also comparable to GDPR, and potentially much more severe.

From a business’s perspective, the decision of whether or not comply with a law is quite simple. If the benefits of complying with a law (e.g. the ability to continue selling to customers in Europe or California) outweigh the costs (e.g. legal expenses, risk exposure), a business will choose to comply and continue operating in that jurisdiction. But if the costs outweigh the benefits, a business will choose not to comply and pull its products from the covered territory.

Considering the similarities between GDPR and CCPA, I anticipate that in 2020, “451 Error: Unavailable for Legal Reasons” will become a well-known message to Californians, who will no longer be able to access the websites and apps that the rest of the U.S. continues to enjoy.

To me, the most important promise of the internet is the development of a fully networked world where knowledge and community are no longer bound by distance. That is why I’ve been a staunch advocate for the free flow of data and information across borders and a critic of digital protectionism and unilateralism. And that is why we can, and must, do better than CCPA.

I am not arguing against the importance of information privacy or the tenets of CCPA and GDPR. It is noble for all citizens to demand that their privacy be protected. And we should provide those protections through fair and reasonable laws. But we’ll only arrive at fair and reasonable laws if we have an honest discussion about the consequences, both positive and negative, of CCPA and GDPR, and continue to approach technology policy with humility and care.

Ongoing efforts to create a unified federal privacy law will go a long way toward creating more efficient and effective regulatory landscape, which will improve the internet experience for all Americans. With any luck, the 451 Error will be a short-term phenomenon in California.