In response to calls prompted by advances in technology and mainstream news accounts of privacy violations, congressional lawmakers this year introduced more than a dozen pieces of privacy legislation. While 2019 has been called the year of privacy, a federal law has yet to be passed, and enactment of the California Consumer Privacy Act raises concerns that passage of similar laws by other states will result in a complex array of compliance obligations companies will have to meet.
But less than two months before the CCPA is to take effect on Jan. 1, the question of state pre-emption remains central to the debate about U.S. privacy law. Should a federal law pre-empt state privacy law? In what circumstances, if any, would pre-emption be appropriate? What should the limits of pre-emption be?
Federal pre-emption has long been critical for business community support of any privacy legislation. Companies worry that without it, individual states will pass legislation that conflicts with federal law and creates a patchwork of differing compliance requirements. Their fears are not misplaced. The National Conference of State Legislatures notes that bills related to consumer data privacy have been introduced in 25 states and Puerto Rico since the beginning of 2019.
The array of state laws that could result from these proposals would impose significant costs on small and medium-sized organizations that lack in-house legal staff or resources to hire expensive outside counsel. Attempts by good actors to design systems to facilitate compliance would be frustrated by rules that may conflict and the need to reconcile requirements. Diverse state laws could also undermine the free flow of data – both within the United States and with its trading partners – threatening innovation and compromising businesses’ ability to deliver goods and services.
Privacy and consumer advocates, however, view pre-emption of state law with suspicion, citing concerns that federal pre-emption is nothing more than a thinly veiled way to lower the level of protection across the 50 states. Any attempt to enact a weak federal law that pre-empts the states will be met with opposition – as well it should. Pre-emption is only appropriate if federal law is robust and effective.
The European Union recognized the importance of a streamlined approach to data protection when it enacted the General Data Protection Regulation, which went into effect in May 2018 and now governs the data practices of any company that processes data about EU residents. The regulation cites a need to “remove obstacles to flows of personal data within the union.” It also states that data protection “should be equivalent in all Member States” and that application of rules should be “[c]onsistent and homogeneous.”
But in enacting the GDPR, European lawmakers did more than streamline data protection law. They applied rigorous requirements across the EU Member States, pursuing both “a consistent and high level of protection for individuals.” (Emphasis added.) The GDPR not only imposes on companies specific requirements grounded in fair information practice principles. It also obligates them to act as data stewards – to be accountable for making responsible decisions about the collection, processing and protection of personal data.
If federal law is to be credible, U.S. lawmakers should follow the example of countries around the world that have looked to the GDPR for guidance in designing their own privacy regimes. To warrant pre-emption, federal law must provide real protection for consumers, meaningful oversight and effective sanctions for violations and failures to comply. It must make companies answerable for how they use personal data. Noting the influence of the GDPR, some companies have called for a similar law, recognizing that only legislation with rigorous requirements will foster the trust of consumers and U.S. trading partners and facilitate the movement of data needed for innovation and commerce. Companies already working to meet GDPR requirements are well positioned to comply with a U.S. law that provides similar protections.
While pre-emption is essential to streamline compliance, federal law can preserve a role for the states. Federal law could benefit from pre-emption that expires after a specified period, during which gaps and shortcomings in the new law can be identified, and its effectiveness at protecting consumers as technologies and data uses evolve can be assessed. Given the rapid pace of innovation and the United States’ limited experience in legislating in this area, time-limited pre-emption that allows states to step in after an appropriate period to address deficiencies could be key to ultimately establishing an effective national framework. The states also could be given the power to establish remedies consistent with enforcement by state attorneys general but prohibited from setting standards that might complicate compliance.
If 2019 is indeed the year the United States finally enacts privacy legislation, lawmakers owe it to both consumers and businesses to get it right. State pre-emption can be important for creating effective privacy law, but only if it is crafted in a way that promotes rigorous protection for consumers and creates for companies a path toward better compliance.
Paula Bruening is an Innovators Network Privacy Fellow, counsel for Sequel Technology and IP Law, LLC and Founder and Principal of Casentino Strategies LLC.