TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | US federal privacy preemption part 1: History of federal preemption of stricter state laws Related reading: 2019 global legislative predictions



Editor's Note:

This article is the first in a two-part series. Read part 2 on examining preemption proposals here.

The IAPP has reported on the recent sharp increase in proposals for general U.S. privacy legislation, driven by developments such as the 2018 passage of the California Consumer Privacy Act. One of the most complex and politically charged aspects of such legislation is whether and to what extent a new federal law would “preempt” state privacy protections. To answer that question, it is worthwhile to first examine the history of how previous federal privacy legislation has handled preemption issues, which I’ll tackle in this piece; and then look at the preemption issues (I count roughly a dozen) that have already arisen in recent discussions of possible federal privacy legislation, which you’ll see in a follow up piece tomorrow.

The preemption debate takes place principally between industry (which generally favors broad preemption) and “privacy advocates,” meaning those public interest groups, academics, and others who generally support stricter privacy laws. Privacy advocates historically have either opposed preemption or sought to narrow whatever preemption exists. For instance, privacy advocates point to research by Paul Schwartz and others, which has found that state privacy law innovation has often been an important step toward eventual federal privacy protections.

In contrast to these views of privacy advocates, industry usually insists that preemption is essential to passage of any general federal privacy law. A major industry theme is the same issue of harmonization that has been used as a rationale in Europe for the harmonized data protection rules under the GDPR. In the U.S., industry must operate throughout 50 states, and compliance becomes more expensive when there is a “patchwork” of state laws. Industry can cite the current patchwork of state data breach laws as an outcome that privacy legislation should avoid. Another reason is practical politics — why should industry accept heavier compliance burdens at the federal level only to be exposed to a ratcheting up of requirements every time California or some other state decides to pass a new privacy law?

Now, before diving in, I offer a mild disclaimer: I have sought to be careful and accurate in describing these multiple laws and how they operate. I have not, however, gone back and done a full legal research memorandum on each statute and how it has been interpreted over time. All of those considering general U.S. privacy legislation are moving up the learning curve on multiple topics. I welcome corrections and supplementary comments on the preemption discussion here.

Preemption in earlier U.S. privacy laws

Practice has varied over time about whether a federal privacy statute should preempt stricter state laws. When we were working on medical and financial privacy in the late 1990s, the Clinton Administration position was that the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act should not preempt stricter state laws. The rationale was that privacy laws exist to protect individual rights, and states should have the ability to offer greater protection of rights to their citizens. Especially in the medical privacy area, many states have passed laws stricter than the federal floor. Congress passed these non-preemptive bills in 1996 (HIPAA) and 1999 (GLBA).

Many earlier U.S. privacy statutes took the same position, and did not preempt stricter protections under state law. These statutes include: the Electronic Communications Privacy Act; the Right to Financial Privacy Act; the Cable Communications Privacy Act; the Video Privacy Protection Act; the Employee Polygraph Protection Act; the Telephone Consumer Protection Act; the Driver’s License Privacy Protection Act; and the Telemarketing Consumer Protection and Fraud Prevention Act (Do Not Call ).

Over time, preemption has become more common. At least three federal privacy statutes have preemption provisions: the Children’s Online Privacy Protection Act of 1998; the CAN-SPAM Act, passed in 2003, and the 1996 and 2003 updates to the Fair Credit Reporting Act, the latter of which is called the Fair and Accurate Credit Transactions Act.

Practical politics is probably the best explanation for the increasing use of preemption over time, with industry seeking to insist on preemption to accompany new federal rules:

  • The 1998 passage of COPPA was done on a bipartisan basis. My understanding is that preemption was included as part of an extensive negotiation process, and preemption helped get broad Congressional support for the new rules.
  • For unsolicited commercial email, the history is similar to what is driving the current support for federal legislation. Washington state passed a law in 1998 that was upheld by that state’s Supreme Court in 2001. Congress passed the CAN-SPAM Act two years later. The result was a set of new federal regulatory requirements, with a limit on additional state laws.
  • The FCRA reforms also show this pattern of new federal consumer protections accompanied by preemption. Consumers gained some new rights under the 1996 amendments, such as time limits for credit reporting agencies to investigate complaints. Similarly, consumers gained some new rights under the 2003 amendments, including free credit reports annually. As shown in detail by Joseph Seidel, the 1996 deal in Congress is that these new consumer rights were part of package that included federal preemption of stricter state laws.


COPPA’s preemption provision applies to activities covered by COPPA. In 15 USC 6502(d), COPPA had the following provision about “Inconsistent State law”: “No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.”

The most extensive discussion of this preemption provision was in a 2014 amicus brief by the Federal Trade Commission. In reviewing a proposed settlement, a district judge, as one of multiple rationales for its holding, stated that COPPA might preempt state laws applying to teens between 13 and 18 years old. The FTC strongly objected, saying: “Nothing in the language, structure, or legislative history of COPPA evinces a congressional intent to displace state protections of teenagers’ online privacy in their entirety.” There was no subsequent judicial holding on the issue. The plain text of the statute, however, is that COPPA preempts where COPPA rules apply, and not otherwise.


In 2003, Congress passed the CAN-SPAM Act (Controlling the Assault of Non- Solicited Pornography and Marketing Act). The general preemption provision is in 15 USC 7707(b)(1): “IN GENERAL.--This Act supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” (emphasis added).

One thing to highlight is the narrowness of the scope of preemption under CAN-SPAM — the preemption applies to a law that “expressly regulates the use of electronic mail to send commercial messages.” Even for this narrow provision, the law then has a number of exceptions.

The scope of a general privacy bill is far broader, potentially touching the processing of personal information in almost any commercial activity. The gap between the narrow scope of CAN-SPAM and the broad scope of proposed privacy bills today hints at the challenges of writing an effective preemption provision, as discussed in the second essay published by IAPP this week.


The FCRA as originally drafted had a narrow preemption provision aimed at protecting credit-reporting agencies from state court tort suits for defamation. In 1996 and 2003 Congress updated a number of consumer protections. At the same time, Congress added a somewhat complex preemption mechanism.

The structure of FCRA preemption begins with a statement that state laws generally still apply, except where the FCRA has a specific preemptive effect. Under 15 USC 1681t, “This subchapter does not annul, alter, affect, or exempt any person subject to the provisions of this subchapter from complying with the laws of any State with respect to the collection, distribution, or use of any information on consumers, or for the prevention or mitigation of identity theft, except to the extent that those laws are inconsistent with any provision of this subchapter, and then only to the extent of the inconsistency.”

The FCRA then provides statutory subsections where preemption does apply, such as for adverse action reports to consumers under 15 USC 1681m(a) and (b), or 15 USC 1681s-2, on the responsibilities of furnishers of information to consumer reporting agencies.

To summarize: Earlier federal privacy laws did not preempt, while some, but not all, of the privacy bills passed since 1996 have preempted. Studying the details of earlier preemption provisions can help inform discussion of specific text on preemption in current proposed bills, which I’ll turn to in Part 2.

photo credit: Mr.TinDC Law Books via photopin (license)

US Federal Privacy Watch

IAPP members can keep up with the latest news on potential U.S. federal privacy legislation in the IAPP Resource Center.

1 Comment

If you want to comment on this post, you need to login.

  • comment Lucia Savage • Jan 24, 2019
    Thanks for this history, Peter.  I would add that in the area of health, in the 1990s, state privacy laws were in part to protect those with particularized health statuses from discrimination and stigma by protecting the data. We should not have a discussion about privacy and digital data (because it can all be about health now) without ALSO talking about how to protect people from the negative impacts of stigma that manifests because of the data, whether it is racially categorized housing adds on Facebook, or health status discrimination.