[co-author: Stephanie Kozol]*
On May 8, attorneys general (AG) from 14 states and the District of Columbia sent a letter to Congressional leadership opposing provisions of the recently proposed federal American Privacy Rights Act (APRA). In addition to the District of Columbia, the signatory states include California, Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, and Vermont. Their objections primarily center on the APRA’s preemption clause, which would nullify 16 state comprehensive data privacy laws that have been enacted since 2018.
The AGs write, “We encourage Congress to adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights and respects the important work already undertaken by states to provide strong privacy protections for our residents. A federal legal framework for privacy protections must allow flexibility to keep pace with technology; this is best accomplished by federal legislation that respects — and does not preempt — more rigorous and protective state laws.”
The currently enacted state comprehensive privacy laws share common elements that allow for greater consumer control of personal information and impose minimum data handling requirements on data controllers and processors. However, some state laws, such as California's, are more stringent than others, creating a complex regulatory patchwork that companies must navigate. California, for example, includes strict consumer opt-out requirements and risk assessments that other state laws do not mandate. The proposed federal APRA also falls short of these stricter requirements.
There has long been tension in the privacy realm between state and federal authorities, including the prospect of federal preemption of state privacy laws. For example, over the past 15 years, industry sectors have pushed for a federal data breach notification law that preempts the patchwork of 50+ state and territorial notification laws; however, no such legislation has successfully passed Congress. Similarly, attempts to pass federal comprehensive privacy legislation, most recently in 2022, have failed in committee, partly due to lobbying by states.
Industry advocates argue that federal legislation that preempts the wildly varying patchwork of state laws would provide a unifying standard with which companies could more easily comply. State authorities, however, often argue that they are better positioned, with more focused resources, to address violations in their own jurisdictions, and can do so most effectively by having a wide variety of enforcement tools at their disposal, such as consumer protection acts that augment state privacy laws. Accordingly, state authorities have generally supported federal laws, such as the Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act, that provide dual enforcement authority between state and federal regulators and allow for preemption only where state laws directly contradict federal law.
The current AG letter signals that the states will continue their lobbying push against federal preemption in the privacy realm. Companies must therefore remain vigilant to keep abreast of the patchwork of state privacy laws to ensure compliance and avoid myriad pitfalls. In addition to the 16 enacted state comprehensive privacy laws, 14 other states are currently considering similar privacy legislation, including Maryland, which recently passed legislation that is now awaiting the governor’s signature. Stay tuned as we continue to monitor and provide updates to the ever-changing privacy landscape.
*Senior Government Relations Manager