The recommendations in this post, along with two upcoming posts on private right of action and civil rights protections for personal information, are adapted from a June 2020 Brookings Institution report, "Bridging the Gaps: A Path Forward to Federal Privacy Legislation." A version of this post originally appeared on the Lawfare blog.
Despite a promising start in the 116th Congress, comprehensive information privacy legislation appears stalled on Capitol Hill. Although key Senate and House leaders on both sides of the aisle put forward bills with promising similarities, there has been little movement on a few pivotal and polarizing issues.
Cameron F. Kerry
Ann R. and Andrew H. Tisch Distinguished Visiting Fellow - Governance Studies, Center for Technology Innovation
In particular, proposals are the most divided on federal preemption of state privacy laws and a right for individuals to bring lawsuits for privacy violations. These are the same issues on which stakeholders—industry (broadly speaking) on one side and advocates for privacy, consumers and civil rights on the other—have staked out polar all-or-nothing positions. So long as these protagonists remain in their own corners, the broader privacy debate will be frozen and federal legislation stalled.
Because the path to privacy legislation goes through preemption and private right of action, we propose solutions on federal preemption and private lawsuits that depart from the maximalist approaches shaping the current debate. In this post, we explain our suggested approach to preemption. A second post will address the equally contentious issue of a private right of action.
Preemption, like the private right of action, can be an article of faith on both sides. Justice Louis Brandeis famously celebrated the role of state laws by saying, almost 90 years ago, that a state may “serve as a laboratory … and try novel social and economic experiments without risk to the rest of the country.” In the modern privacy realm, many privacy advocates celebrate Brandeis’s description and resist any prospect of closing off state legislative action. In the face of industry resistance and congressional inaction, state legislatures have taken the lead on privacy legislation; advocates hope for a steady march forward from California and Illinois to other states.
In turn, the single most important reason for industry to accept and support federal privacy legislation is an understandable desire for a single national set of rules to follow. Since the internet operates across state borders, industry leaders want to avoid differing—and potentially conflicting—state laws that would set privacy rules based on a user’s residence or current location.
These positions are reflected in starkly different proposals from Senate Commerce Committee leaders. In November 2019, Democratic Sen. Maria Cantwell introduced the Consumer Online Privacy Rights Act (COPRA) and Republican Sen. Roger Wicker released the draft United States Consumer Data Privacy Act (USCDPA).
The preemption provision in Wicker’s USCDPA is brief and broad. With the sole exception of data breach laws, the proposed text would enact “field preemption” to supersede all state laws and regulations “related to the data privacy or security and associated activities of covered entities.” Such a provision would sweep away a body of state privacy laws developed over decades, including some that address issues that are wholly offline and within a single state. For example, states have laws concerning the privacy and security of educational, library and insurance records—among many other topics that affect a range of predominantly local interests.
In contrast, Cantwell’s COPRA would preempt “directly conflicting” state laws, while preserving a variety of state statutes of general applicability and state rights of action. Although providing a useful road map to approach preemption, COPRA’s preemptive impact is largely negated by an additional provision that a state law “shall not be considered in direct conflict if it affords a greater level of protection to individuals protected under this Act.” This approach undermines the goal of a national standard for privacy practices, compliance systems and consumer expectations. The risk of a patchwork of differing state laws undermines the goal of strong privacy protections for all Americans. And as a matter of political reality, an increasing profusion of state privacy laws may complicate—rather than motivate—the prospect of congressional enactment.
In grappling with these differing views, we—along with our Brookings colleagues Caitlin Chin and Nicol Turner Lee—reviewed existing privacy laws and pending legislative drafts proposing comprehensive privacy law. On preemption, Peter Swire put together a thorough and very helpful look at the history of preemption in U.S. privacy laws and an analysis of then-pending privacy proposals on the Hill. Swire’s conclusion was that, in addition to being politically charged, the privacy preemption question is technically challenging, with many hidden pitfalls awaiting any legislative drafter.
In addition to research, we also had numerous conversations with Capitol Hill staffers on both sides of the aisle and with a broad spectrum of stakeholders and experts across all sectors. These included a series of focused, private roundtables to explore issues of convergence and divergence in the privacy debate.
Those conversations confirmed that preemption was the paramount goal for corporations. The public interest advocates recognized this reality but sought to ensure that any federal bill provides truly meaningful privacy protections with strong enforcement mechanisms—including, as discussed in our next post, a private right of action.
Ultimately, we believe that a preemptive national law with effective privacy protections that apply both online and offline is more beneficial for people everywhere in the U.S. compared to no national law, or to a weak national law without preemption. And, looking more specifically at the online environment, we are also persuaded that the internet and the applications and services that use it are more akin to railroad and automobile standards, which are largely subject to federal regulation—rather than the insurance industry, which is largely regulated by states.
In evaluating the competing interests of advocates and corporations—to protect states’ ability to innovate on privacy protections and avoid a patchwork of regulation, respectively—we propose a path that preempts state laws that compete with a national standard, preserves other state privacy laws and rights, and prompts Congress to revisit this question a few years after implementation of the new federal law.
We believe that the current privacy debate presents a genuine opportunity to achieve meaningful privacy protections on a national basis. We also believe that significant preemption is the price to pay for establishing strong privacy protections for all Americans. Because we also recommend preserving a robust role for states in the enforcement of federal privacy legislation—as both COPRA and USCDPA provide—we do not believe that a well-focused preemption provision would unduly impinge on a state’s ability to protect its residents.
A Tiered Approach to Preemption
We believe that the general structure of COPRA’s preemption language can be revised to provide a strong national standard for privacy while leaving significant room for state laws that fill gaps or address traditional state interests. We recommend several changes and additions to the approach and language in COPRA.
State Law Preservation
To COPRA’s good list of state laws to be preserved—which includes consumer protection laws of general applicability, laws prohibiting unfair and deceptive practices, civil rights laws, laws that govern employee or student privacy, and data breach notification laws, among others—we suggest adding state constitutional law and laws relating to other topics, including Social Security numbers, motor licenses and public records. We do not, however, support COPRA’s preservation of state laws giving private rights of action.
Preemption of “Inconsistent” State Laws
Our most significant modification to COPRA’s preemption provision is to preempt “inconsistent” laws rather than only those that are “directly conflicting,” and to omit the exception permitting state laws with a greater level of privacy protection than the federal law. Specifically, we recommend the preemption of state laws “regulating the collection, processing, sharing, and security of covered data to the extent such law is inconsistent” with the federal law or regulation. This suggested approach aimed at “inconsistent” state laws is modeled on Section 536 of the Cable Communications Policy Act of 1984, 47 U.S.C. § 536. Cable television, like privacy, is a field in which federal law is overlaid on a body of existing state regulation. Although such issue preemption sets indefinite boundaries that may be defined on a case-by-case basis, federal law dominates the shape of cable television regulation and, in our experience, most disputes about preemption have been resolved by accommodation. A narrower “directly conflicting” standard, we believe, would lead to a patchwork or overlap in privacy regulation and result in more uncertainty and disputes parsing whether a state statute “conflicts” with a national law, and does so “directly.”
Federal Trade Commission Regulatory Authority
To provide a method for resolving uncertainty about whether a state law conflicts with a federal law that is faster and easier than litigation, we recommend giving the Federal Trade Commission (FTC) authority to resolve questions about preemption, either in response to a petition or on its own accord. To avoid excessive preemption, we suggest that the FTC’s ability to preempt a state law be limited to the extent “necessary to prevent such conflict,” thereby requiring the commission to leave in place a state statute as a whole when a small preemptive action can reconcile any inconsistency.
Partial Sunset of Preemption
We propose a sunset of one aspect of our recommended approach to preemption: After eight years, states would be permitted to enact privacy rules that provide greater protection than the federal law, leaving the federal law as a floor for privacy protection. Specifically, we suggest that a state law be permitted when it:
(i) is enacted eight years after the enactment of a comprehensive federal privacy law;
(ii) states explicitly state that the provision is intended to supplement the new federal law; and
(iii) gives greater protection to individuals than is provided under the new federal law.
The concept, text and duration of this suggested preemption sunset are drawn directly from the 1996 amendments to the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681t.
We believe that a partial sunset would serve two valuable purposes. First, it would ensure that there will be demand for Congress to revisit the success—or lack thereof—of the federal privacy regime, from the perspective of both enhancing privacy protections and fixing procedural or other problems that may arise with the law. In all likelihood, industry stakeholders would lobby for elimination of the sunset—as occurred with the 1996 FCRA sunset—while advocates would lobby to improve the federal law and protect the sunset. The resulting conversation before Congress would be valuable.
Second, the sunset provision provides a safety valve to address future privacy concerns in case Congress does not act. States could then seek to address privacy problems that may have evolved over the eight years after the enactment of a federal law, while the FTC would retain the ability to preempt state law provisions that undermine the federal privacy regime.
A Path Forward
We submit that both sides of the policy debate have something to gain by striking a balance—and both have something to lose from the continued stalemate. Businesses have come a long way in recognizing that strong privacy legislation is important to promoting trust in their brands and competitiveness in national and international markets. However, the longer industry holds out for sweeping preemption without any individual remedies, the harder it becomes to achieve a consistent national standard.
On the flip side, reliance by advocates on state-by-state legislation is destined to leave an incomplete and haphazard set of protections for Americans. It took more than 15 years for all 50 states to adopt data protection laws as basic as breach notification. A similar path forward, simply put, would provide less comprehensive and meaningful privacy protections over a longer time frame than what might be achievable at the federal level in the near future—if industry, advocates and political leaders are willing to make some hard choices. We hope that our broad, but carefully calibrated, compromises can point toward steps key stakeholders can take to reach effective national protection of information privacy.
We believe that, taken together, our approach to preemption strikes a constructive balance among the competing goals of establishing strong national privacy standards, preserving long-standing state laws and ensuring continued focus on privacy. We believe that this balance, coupled with our private right of action recommendation discussed next in our series of posts on this topic, can provide a path forward for stakeholders to find solutions toward successful comprehensive federal privacy legislation.
Stakeholders are generally polarized on these issues, yet they must be addressed if privacy legislation is to become law. Our approach will not satisfy maximalists on either side of the debate, but we hope that our recommendations address the legitimate interests of divergent stakeholders and allow them to bridge these wide gaps.