The debate around preemption within federal privacy legislation in the U.S. can be boiled down to a simple question: Should a federal data privacy law function as a ceiling or as a floor?
For proponents of state law preemption, a federal law should serve as a ceiling. This means it would create a federal standard that invalidates all state privacy laws, including any that offered more protection. One of the strongest arguments for a federal ceiling, found within the discussion draft of the American Privacy Rights Act, may be to eliminate the "administrative costs and burdens placed on interstate commerce" brought about by a growing "patchwork" of state privacy laws. Several federal bills that preempt state law, such as the Consumer Data Privacy and Security Act, do so with the express intention to "promote consistency in consumer expectations, competitive parity, and innovation."
By contrast, supporters of state law preservation believe a federal law should serve as a floor or a minimum standard. While such a federal law would extend nationally, any state privacy laws that offer additional protections would remain in force, and states would retain the authority to write new ones. If a federal floor were in place, privacy laws at the state level would only be invalidated insofar as they offered protection less than or equal to the federal minimum. Arguments in favor of state law preservation revolve around respect for existing state-level privacy rights, as well as the idea that state governments are nimbler, more dynamic "laboratories of democracy" and are thus better positioned than the federal government to regulate the rapidly changing technologies that affect data privacy.
This presents a simplified picture, with each type of provision — preemption and preservation —more nuanced in reality. The following sections tease out the variations found within federal privacy bills regarding both state law preemption and state law preservation. The primary dichotomy of interest is between federal bills that preempt comprehensive state privacy laws, i.e., federal ceiling, and those that do not, i.e., federal floor. Those that do not preempt comprehensive state privacy laws may preempt something else and are still considered here to serve as a federal floor when it comes to privacy law.
Preemption of state law: Federal ceiling
Within proposed federal privacy legislation, clauses that preempt state law generally read as follows:
" … no State or political subdivision thereof may adopt, maintain, enforce, or continue in effect any law, regulation, rule, or requirement covered by the provisions of this Act or a rule, regulation, or requirement promulgated under this Act."
While there are several variations of this language found throughout proposed legislation, this particular text comes from the APRA discussion draft, and nearly identical language is found within the American Data Privacy and Protection Act as well as within predecessors such as the SAFE DATA Act.
In many cases, these state law preemption clauses are followed by any number of narrow carve-outs — also known as savings clauses. Before 2022, federal privacy bills with preemption tended to only include savings clauses for federal sectoral information privacy laws, such as the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Children's Online Privacy Protection Act, and Family Educational Rights and Privacy Act, as well as for state data breach notification laws.
Since the ADPPA was introduced, however, the list of state-level exemptions included in federal preemptive bills has grown significantly. The ADPPA listed 19 types of state laws that are preserved, while the APRA lists 16, including those on consumer protection, civil rights, employee and student privacy, data breach notifications, facial recognition, biometrics, and health privacy. The APRA savings clause for "laws that protect the privacy of health information" would presumably encompass laws like Washington state's My Health My Data Act, while the ADPPA explicitly called out the Illinois Biometric Information Privacy Act for preservation.
In essence, the preemption clauses found in the APRA and ADDPA are narrowly tailored to preempt only comprehensive state privacy laws, such as the California Consumer Privacy Act.
Preservation of state law: Federal floor
Clauses that would preserve comprehensive state privacy laws within federal privacy bills appear in a couple of different ways. The most straightforward language of state law preservation is perhaps found in the following examples:
"Nothing in this Act may be construed to preempt any State law."
"Nothing in this Act shall preempt or supersede, or be interpreted to preempt or supersede, any Federal or State law or regulation…"
Other bills that would act as a federal floor sometimes contain two specific provisions related to preemption. In general, these bills contain an initial preemption-related clause that states:
"The provisions of this Act shall preempt any State privacy law only to the extent that such State law is inconsistent with the provisions of this Act."
Such clauses are always followed by a second one carving out state laws that would afford greater privacy protections, by clarifying:
"…a State privacy law is not inconsistent with the provisions of this Act if the protection such law affords any person is greater than the protection provided under this Act…"
In sum, federal floor bills with clauses of this type preserve state privacy laws that afford greater protection than they do. At the same time, they only preempt state law to the extent that there is an inconsistency, which only occurs if the state law offers the same or lesser protection. Most of these clauses further specify that such a determination of consistency is to be made by the Federal Trade Commission.
Trends in preemption and preservation, 2019-2023
Looking back over the past few sessions of Congress, several trends are discernable from the frequency with which provisions related to the preemption and preservation of state law appear.
In total, between 2019 and 2023, 11 of the federal privacy bills proposed would have explicitly preempted comprehensive state privacy laws. Over that same period, a total of 37 federal privacy bills were introduced that would have preserved comprehensive state privacy laws that afforded stronger protections. Provisions that preserve state law have also become greater in number over time, with a total of 18 introduced in 2023. This contrasts with the volume of bills containing preemption clauses, which peaked at five in 2021 and declined to just one in 2023.
In total, two bills that preempt state law have received bipartisan support, while three that preserve state law have been bipartisan. The two bipartisan laws that include preemption are the Balancing the Rights of Web Surfers Equally and Responsibly Act of 2019 and the American Data Privacy and Protection Act.
Bills that preserve stronger state laws include the House and Senate versions of the Data Elimination and Limiting Extensive Tracking and Exchange Act and the Digital Consumer Protection Commission Act of 2023.
Partisanship and preemption
In general, federal privacy bills that have received support from only Democrats or from only Republicans differ in occurrences of preemption and preservation clauses. Of the privacy bills sponsored only by Democrats, only two have contained a provision that would preempt state law. The Information Transparency and Personal Data Control Act, introduced in both 2019 and 2021, would have preempted state law.
When looking at federal privacy bills with only Republican sponsors, a different picture emerges. Of these, seven would preempt state law, while three would preserve it.
Conclusion
A review of the frequency with which provisions that either preempt or preserve state law appear within proposed federal privacy legislation reveals several trends.
First, clauses that preserve state law, i.e., federal floor bills, are more numerous and have been introduced with increasing frequency over the years. While just two federal floor bills were seen between 2019-2020, as many as 35 were introduced between 2021 and 2023. By contrast, clauses that preempt state law, i.e., federal ceiling bills, have been fewer in number, with 11 introduced between 2019 and 2023. Preemption clauses have also appeared less often over time, with only one introduced in 2022 and one introduced in 2023. Thus, judging by the frequency with which each type of clause appears, members of Congress are more inclined to propose federal privacy legislation that preserves state law rather than preempts it.
Second, there are partisan differences around both preemption and preservation. Among federal privacy bills sponsored solely by Democrats, there is a strong preference for state law preservation over preemption, with 31 of the former and just two of the latter. Among bills sponsored solely by Republicans, there is an opposite preference for preemption over preservation, with seven of the former and three of the latter. This indicates there is still a significant partisan gap to overcome regarding whether state law should be preempted or preserved within any new federal privacy legislation.
Third, and despite the previously mentioned party-level differences, both bills that preempt and bills that preserve state law have secured bipartisan support. From 2019-2023, two federal ceiling bills as well as three federal floor bills received support from both parties. Since both types of clauses can elicit support from both Democrats and Republicans, this gives some reason to believe a bipartisan compromise over federal privacy legislation can ultimately be reached.
Müge Fazlioglu, CIPP/E, CIPP/US, is the principal researcher, privacy law and policy, at the International Association of Privacy Professionals.