National data privacy standard would preempt state efforts

For nearly six years now, states have slowly been plugging a gaping hole where a national data privacy standard should be. As Congress has failed to advance legislation, states have written and passed their own comprehensive data privacy laws. 

Starting with California in 2018, more than a dozen states today have their own laws, with Maine and Maryland advancing legislation in just the past few weeks.

But all those laws could soon be moot if Congress finally acts on its latest version of a national data privacy law. 

At a hearing Wednesday before a subcommittee of the House Committee on Energy and Commerce, lawmakers heard from advocates and experts on several pieces of privacy legislation. The discussion, though, mainly focused on the recently introduced American Privacy Rights Act, which would establish national standards and preempt states’ comprehensive privacy laws.

In the draft text of the bill, the law pledges to “establish a uniform national privacy and data security standard in the United States to prevent administrative costs burdens placed on interstate commerce.” It also promises to “expressly preempt laws of a State or political subdivision of a State,” although it would not preempt state laws on consumer protections, employee privacy, student privacy, data breaches, public records and criminal law, among others.

But the bill has state leaders worried. Ahead of the House subcommittee hearing to debate it, the California Privacy Protection Agency, or CPPA, sent a letter outlining what they deemed “weaknesses” in the bill.

Ashkan Soltani, the agency’s executive director, said the bill would eliminate or weaken many of the privacy protections Californians enjoy, and as written would prevent states from adopting new consumer privacy protections in the future. Soltani said the bill also breaks with the tradition of federal laws setting a baseline of protections to then allow states to go further if they choose.

Maureen Mahoney, CPPA’s deputy director of policy and legislation, also raised concerns that certain categories were missing from the definition of sensitive covered data, particularly protections with respect to sexual orientation, union membership and immigration status. She said in a statement that the omission could be “particularly damaging for groups that tend to be the most vulnerable.”

“A federal privacy law with sweeping preemption language could freeze protections for the next 30 years,” Soltani wrote in the letter. “Strong federal protections do not have to come at the expense of the states. Indeed, if we view states as laboratories in our federal system, the [American Privacy Rights Act] would slam the door closed when it comes to privacy and emerging technology.”

Outside groups are similarly concerned about the bill’s overriding of existing state laws. In a statement, nonprofit Fight for the Future said preemption “removes the ability for state governments to be responsive to evolving threats to our digital privacy and safety.” The group also criticized it for ending “important” state laws like Illinois’ Biometric Information Privacy Act and the California Consumer Privacy Act.

But in a statement, the privacy and open government nonprofit Electronic Privacy Information Center suggested a potential path forward on the preemption issue. The group compared the privacy situation now to the situation before 1963’s Clean Air Act. Like today, states passed their own laws. When Congress passed a national law to reduce air pollution, it mostly preempted state laws, except if states could show their law was stronger than the federal standard.

What’s more, the group said the law could help keep pace with the evolution of technology through rulemaking authority for certain provisions in the bill, like for design evaluations or the assessment of algorithm impacts.

If the bill “is to preempt existing and future state privacy laws, it must be stronger than current state laws and resilient to future shifts in technology and business practices,” the group said. “[The Electronic Privacy Information Center] has long argued that federal privacy laws should set a floor, allowing states to enact stronger protections.”

In an analysis of the bill released before the hearing, open internet advocacy group NetChoice said the legislation “fails to create a true national standard” as it has all manner of “carveouts.” NetChoice did not elaborate further on what those carve outs are.

Meanwhile, U.S. Rep. Frank Pallone Jr., a Democrat from New Jersey and the ranking member on the House Energy and Commerce Committee, said Americans all need “strong, comprehensive, data privacy and data security protections.”

“For far too long, Americans have been virtually powerless against big tech’s unceasing drive to collect, use and profit from the sale of vast amounts of Americans’ personal information,” he continued in his opening remarks.

And Rep. Gus Bilirakis, a Republican from Florida who chairs the subcommittee, said in his opening remarks that “one national standard” is necessary “so when consumers and businesses cross state lines there are consistent rights, protections and obligations.” 

Several witnesses similarly testified before the hearing on the confusing nature of existing state laws.

“In the absence of such a [national] framework, consumers and businesses today are required to navigate a tangled web of confusing, and often inconsistent, data privacy requirements from various levels of government,” Maureen Ohlhausen, co-chair of the 21st Century Privacy Coalition, which pushes for data privacy laws, said in her written testimony. “American consumers and businesses deserve the clarity and certainty of a single federal standard for privacy.”