Lines have been drawn for some time now regarding where U.S. lawmakers are willing to go with preemption provisions in the proposed American Data Privacy and Protection Act. Those lines were reluctance to allow the proposed ADPPA to preempt the California Consumer Privacy Act and California Privacy Rights Act is stymieing the federal bill's passage out of the House. In her statement opposing the current ADPPA preemption framework, House Speaker Nancy Pelosi, D-Calif., said California "leads the nation not only in innovation, but also in consumer protection" and deemed it crucial that the state "continues offering and enforcing the nation’s strongest privacy rights."
While California's concerns are warranted, the other side of the argument begs the question about what is best for the other 49 states. Connecticut, Virginia have comprehensive state privacy laws of their own coming online in the next year, all of which would likely be affected in some shape by ADPPA preemption. Then there are the states that would address privacy with passage of the ADPPA and implement a standard they otherwise wouldn't have.
And though some state views may align with California on preemption and the ADPPA's perceived gaps, opinions are not homogenous.
Congressional action welcomed, but worries remain
The state lawmakers who introduced comprehensive privacy legislation in recent years did so due in large part to federal inaction. They said as much when advocating for their bills in committee hearings.
"I agree that this is all policy that is better suited for the federal level or 15 years ago when data was transacted as a product and not a means to an end. But I don't want to sleep on Florida's right to privacy for another year, five years or 10 years while the federal government finds a cohesive way to address this problem," State Rep. Fiona McFarland, R-Fla.,
State Sen. Reuven Carlyle, D-Wash., was unsuccessful in passing the
Addressing the stalemate
The existing ADPPA preemption proposal was termed as "carefully crafted" by U.S. House Committee on Energy and Commerce Chair Frank Pallone, D-N.J. The description mostly stems from the inclusion of unique preservation clauses for state legislation related to facial recognition — specifically, the Illinois Biometric Information Privacy Act and Genetic Information Privacy Act — and the private right of action for data breaches under the CCPA, in addition to more broad carveouts.
"There's a little bit of an institutional arrogance that dominates the issue of preemption. Where you stand depends upon where you sit," Carlyle said, explaining a rare hesitation each level of government has to invoke preemption — whether it be federal law supplanting state law or state law overtaking local law.
Carlyle's initial pause with preemption had more to do with the expectation that Congress could not strike the right tune for data subject rights and business requirements. But the ADPPA brought a surprise resolution for Carlyle. He said the bill's rights and requirements are "admittedly a bit stronger than I expected they would be able to come up with" and lawmakers "can't discount and walk away from it."
The hang-up for Carlyle now is the legislative floor-versus-ceiling debate and the lack of trust in the federal government to update legislation after passage before it becomes obsolete in a matter of a few years.
The ADPPA is "not going to be tinkered with in a meaningful way for a decade or generation. We are living with it because of the general dynamic for how Congress works," Carlyle said.
Sunsetting preemption after a certain number of years could appease federal and state lawmakers. While it wouldn't be immediate, a sunset creates the highly sought-after floor and state-level intervention abilities.
"That may be a form of a compromise. I don't know what the timeframe is because of the ability for technology to change much faster than the ability to regulate it," Connecticut's Maroney said. "Ten years would be too long to not allow action on new things that come up. In some ways I feel like five years is too long. I do see how it'd be good for companies to all be able to come into compliance and have that certainty for a few years."
But even the soft landing of a sunset brings opposition.
State Rep. Collin Walke, D-Okla., CIPP/US, CIPM, told The Privacy Advisor the goal should be to pick a direction: Choose between the network of state laws with states handling matters at their pace or full federal preemption.
"I have to ask, what would be the point (with a preemption sunset)?" said Walke, whose proposed Oklahoma Computer Data Privacy Act passed the Oklahoma House two years in a row before dying in the Senate. "Create consistency and homogeneity — both good things — only to create balkanization down the road? I believe that the better route would be to set a federal floor, not a ceiling."
The California dilemma
Public pushback on preemption at the state level has come primarily from California. The one exception was a
California has coordinated opposition to preemption. California members of the U.S. House made their opposition clear in committee while Gov. Gavin Newsom, D-Calif., California Privacy Protection Agency Executive Director
"For the roughly four million Oklahomans who have no data privacy rights, the ADPPA at least provides a baseline of rights that don’t currently exist," Walke said. "Watch almost any debate in the Oklahoma House of Representatives and you’ll see legislators say, 'This bill isn’t perfect. No bill we ever pass is.' That’s my attitude toward the CCPA-versus-ADPPA debate. Don’t deprive me of my rights simply because you don’t get 100% of what you want."
