Monterey Park's Data Center Ban: Why Zscaler, Netskope, Forcepoint, and Cisco Umbrella Customers Should Pay Attention
On June 2, 2026, voters in Monterey Park, California became the first in the US to permanently ban data centers via ballot initiative. Measure NDC passed with 86% of the vote. The signal it sends to enterprise security buyers is direct: every cloud-proxy SSE vendor (Zscaler, Netskope, Forcepoint ONE, Cisco Umbrella SIG) operates a data center footprint that depends on local power, water, and political tolerance. As bans and moratoriums spread, the architecture of choice is shifting toward on-device SWG, which has no PoP exposure at all.
What happened in Monterey Park
Measure NDC, a permanent prohibition on data centers within city limits, passed in a special election with 86% support. The trigger was a proposed 250,000-square-foot facility on the site of a vacant office building. The project's projected electricity demand alone would have tripled the entire city's existing power consumption. The ballot text framed the ban as necessary to "protect air quality, drinking water resources, and public health" and "prevent impacts to electricity and water rates." It faced no formal opposition.
The vote is the first US municipal-level permanent ban on data centers passed by ballot. It is not the last in the queue. Coachella's city council is weighing a moratorium and potential permanent ban. California's SB 886 would impose data center tariff requirements on facilities with peak demand at or above 25 MW. Other states are tracking similar mechanisms.
The data behind the backlash
Three numbers explain why this is happening now.
Source: IEA Energy and AI 2025, US grid load growth analysis.
Data center electricity consumption grew 17% globally in 2025 alone. AI-focused data center consumption grew 50% in the same period. In the US, data centers now consume roughly 176 TWh per year, or about 4.4% of total US electricity. They accounted for roughly half of all US electricity demand growth last year.
The macro story is clear: data center power demand is on a trajectory that local grids, water tables, and city councils are increasingly unwilling to absorb. Monterey Park is the first ballot box result. It won't be the last.
State and local data center pressure: a tracker
The trajectory: more disclosure requirements, more tariff regimes, more moratoriums, and more outright bans. Each one tightens the supply of where cloud-proxy SSE vendors can place or expand a PoP.
Why this is a cloud-proxy SSE problem
Every legacy SSE/SWG vendor in the market operates the same architecture: route customer traffic from the user's device through a vendor-operated data center (PoP), inspect there, forward to the destination. The vendor's economics, performance, and geographic coverage all depend on data center supply.
When data center power gets more expensive, those costs flow into renewal pricing. When data center buildouts get blocked, geographic coverage thins. When water and air-quality lawsuits land, vendors carry the regulatory drag.
The first five rows are architecturally identical at the data plane. The sixth row is the category change.
The renewal math: where this hits the customer
Cloud-proxy SSE vendor renewal pricing is structurally linked to vendor infrastructure cost. As power, cooling, real estate, and bandwidth costs rise, multi-year SSE contracts repeat that trajectory at renewal. The Monterey Park ban is one signal in a longer trend that is already moving renewal quotes upward.
The 2023-2024 increases tracked broader IT inflation. The 2025 increase accelerated as AI workloads competed with SSE workloads for the same data center capacity. The 2026 forecast factors in additional cost pressure from local bans, state tariff regimes, and grid capacity constraints. "Rising data center costs and SASE/SSE pricing" walks through the macro trend in detail.
Why on-device SWG is structurally different
dope.SWG runs SSL inspection, URL filtering, Cloud Application Control, anti-malware, and Dopamine DLP directly on the endpoint. There is no PoP fleet. There is no vendor data center sitting between the user and the destination. Traffic flies direct.
That architecture eliminates the entire exposure surface that Monterey Park's vote highlighted.
The architectural delta isn't marketing. It's that dope.SWG doesn't need a data center at all to deliver the SWG, CASB, DLP, and AI governance functions. The agent runs in roughly 100 MB of RAM on the user's Mac or Windows device, with 4x performance compared to legacy proxy SWGs.
Cloud Application Control and AI governance: the bonus layer
The 2026 buyer leaving a cloud-proxy SSE vendor usually also wants real AI governance. Cloud-proxy SSE ships partial tenant control and policy-based cloud DLP. dope.SWG ships purpose-built Cloud Application Control (CAC) for the four AI tools that drive most enterprise conversations.
Detail: "Blocking personal ChatGPT", "Blocking personal Claude accounts", "Meet Dopamine DLP".
Customer evidence: the architectural case at scale
Greylock Partners. Replaced Cisco Umbrella with dope.security. 27 days from first proposal to signed contract. Deployment via Intune.
Outreach Health. Healthcare, 5k-10k employees, 34 offices. 99% of devices secured within one week. 70% reduction in web access-related IT tickets in 90 days.
City of Visalia. 700+ user government workforce. On-device SSL decryption with no data center backhaul.
A VC firm. 2,000 machines migrated off a cloud-proxy SWG in two days.
Fortune 100 deployment. 18,000+ devices secured.
"Every renewal we did with a cloud-proxy vendor came with a power-cost preamble. The Monterey Park vote was the moment our procurement team asked whether we could just stop being exposed to that. dope.SWG was the only architecture where the answer was yes."
By a CISO, mid-market technology organization.
What this means for SSE buyers in 2026
Three implications.
1. Renewal trajectory is structural, not cyclical. The forces pushing cloud-proxy SSE renewal quotes up (power, water, regulation, grid constraints) aren't reversing. The renewal math compounds across multi-year contracts.
2. Geographic coverage is going to get patchier. Local bans, state tariffs, and grid scarcity will constrain PoP expansion. Customers in high-pressure regions will see slower performance and more bypass exceptions.
3. On-device SWG is the architectural hedge. An on-device agent enforces policy locally with no PoP dependency. The cost model is per-device, not per-byte-through-our-data-center. The exposure to municipal politics is zero.
The migration playbook
Six concrete cutover steps. Real-world deployments have finished in days, not months.
Step 1: Inventory current cloud-proxy scope. SWG, CASB, ZTNA, DLP modules, plus PAC files, IPsec tunnels, and GRE configurations.
Step 2: Map AI governance asks across ChatGPT, Claude, Gemini, and Copilot. dope.SWG ships out-of-the-box Cloud Application Control for all four.
Step 3: Scope endpoint DLP channels. AI prompts, SaaS uploads, copy-paste, file movement.
Step 4: Plan MDM rollout. dope.endpoint deploys via Intune, Jamf, Kandji, or any standard MDM.
Step 5: Phase the cutover. Pilot in parallel with the incumbent, then expand. Decommission the legacy agent and remove PAC files, IPsec tunnels, and GRE configurations from the network edge.
Step 6: Reclaim the renewal. One SKU at $60 per device per year replaces multi-product legacy SSE bundles.
The non-technical reason it sticks
Architecture wins the eval, but support wins the rollout. dope.security's 24/7 white glove global support team is the reason migrations finish on schedule. For a lean security org that's already stretched, that's the practical reason the cutover sticks.
FAQ
Does the Monterey Park ban actually affect my Zscaler renewal?
Not directly. Zscaler doesn't have a PoP in Monterey Park. But the vote is a leading indicator of a broader trend. State-level tariff regimes, local moratoriums, and grid scarcity are already pricing into cloud-proxy SSE renewal quotes nationally.
Will Netskope, Forcepoint, or Cisco Umbrella SIG have different exposure?
No. All four vendors operate the same architecture: customer traffic routes through vendor data centers for inspection. The exposure to power, water, regulation, and renewal cost trajectory is structurally identical.
How does on-device SWG avoid this exposure?
The agent runs SSL inspection, URL filtering, Cloud Application Control, anti-malware, and Dopamine DLP on the device itself. There is no vendor data center in the data path. No PoP fleet, no infrastructure cost pass-through, no geographic dead zones.
Can dope.SWG govern ChatGPT, Claude, Gemini, and Copilot out of the box?
Yes. Cloud Application Control distinguishes personal accounts from enterprise tenants for all four AI tools, combined with Dopamine DLP on prompt content, in a single console.
How fast can I migrate to dope.SWG?
With on-device SWG and MDM-based rollout, days. Outreach Health secured 99% of devices in a week. A VC firm migrated 2,000 machines off a cloud-proxy SWG in two days. Greylock Partners closed first-touch-to-signed-contract in 27 days.
Is dope.security mature at enterprise scale?
Real-world references include a Fortune 100 deployment of 18,000+ devices, Outreach Health (healthcare, 5k-10k employees), Greylock Partners, the City of Visalia, and a VC firm's 2,000-machine migration.
Related reading
- Rising data center costs and SASE/SSE pricing
- Secure Web Gateway 2026: Fly-Direct SWG
- Zscaler real pricing comparison
- Cisco Umbrella vs Zscaler
- Greylock Partners customer story
- Meet Dopamine DLP



