As momentum continues to build for an over-arching U.S. federal privacy law, the issue of preemption looms large. In the first part of my look at preemption, I considered the history of how previous federal laws have handled preemption issues. Here, I’ll tackle issues that are likely to arise from actual suggested legislative texts.
Recently, for example, David Hoffman of Intel Corporation posted proposed legislative language, and created a forum where 10 privacy experts offered comments on a range of privacy issues. These thoughts on preemption arose from discussing that bill, which is more-or-less similar to other current proposals on the preemption topic. (As noted in part one, I write here as an individual, and not on behalf of any client, and seek to be roughly neutral about how broad or narrow federal preemption should be.)
More than many have realized, preemption is a technically complex subject, as well as being politically controversial. Some participants in the current federal privacy debates implicitly think of privacy law as being primarily about the jurisdiction of the Federal Trade Commission. On that view, federal privacy legislation would provide a set of legal requirements that would replace or supplement the current FTC actions to enforce Section 5’s prohibition on unfair and deceptive trade practices. In response, I highlight the numerous federal and state privacy laws that currently exist, from wiretap law to employee polygraph protection to state laws governing use of Social Security numbers.
Put simply, to avoid unintended consequences on other areas of law, a federal privacy preemption provision will need to contemplate interactions with a much bigger range of laws than many have realized. As just a start, here are 13 issues that arise from the Intel bill, as an illustration of the range of issues facing any general federal privacy law:
The general preemption provision
Section 10(a) of the draft bill sets forth the general preemption provision. The bill would preempt “any civil provisions of the law of any State” that “are primarily focused on the reduction of privacy risk through the regulation of personal data collection and processing activities.”
The draft bill chooses to preempt in general, with exceptions where federal preemption would not apply. By contrast, as discussed in Part 1, the Fair Credit Reporting Act takes a different approach. The FCRA allows stricter state laws to remain in effect, but preempts state law concerning specific topics, such as how to issue adverse action reports. Those considering how to implement preemption thus have these two different approaches to consider.
The general rule, under the draft bill, is to preempt state laws that “are primarily focused on the reduction of privacy risk.” Any reader recognizes that there will be debates about what counts as “primarily focused on the reduction of privacy risk.” Who will refine this definition over time? At least in part, the federal courts will interpret the meaning of the federal statute, developing case-by-case precedents that State Law X is preempted while State Law Y is not.
A major question, however, is whether the FTC will gain notice-and-comment rulemaking authority to assist in the statute’s interpretation. The Intel bill would provide the FTC with this rulemaking power — the FTC would solicit public comments and then use its expertise to define what types of state laws are preempted. The FTC has notice-and-comment rulemaking power under COPPA and CAN-SPAM, and has shared such power for the FCRA with the Consumer Financial Protection Board.
Notice-and-comment rulemaking is likely more effective at clarifying the federal law’s scope than waiting for court cases. On the other hand, some industry groups have opposed granting the FTC such rulemaking power, out of concerns that the FTC may impose high compliance burdens on industry. For preemption purposes, my point is that rulemaking authority will likely be more effective at clarifying the scope of preemption than waiting for case-by-case adjudication of numerous state laws that affect privacy.
If the FTC has rulemaking authority, then Congress won’t need to solve as many of these preemption issues in the statutory text.
Role of state attorneys general and enforcement preemption
Section 10(b) of the draft bill says that the new law will not be “construed to limit the enforcement of any State consumer protection law by the attorney general of the State.” Put more positively, state attorneys general would retain the ability to use state consumer protection law to bring civil suits to protect individuals’ privacy.
One perhaps unintended consequence of this language is that it would appear to exclude enforcement by the numerous state consumer protection agencies that exist outside of the office of the state attorney general. To retain this category of existing enforcement, the text might read that actions could be brought “by the attorney general of the State or another state consumer protection agency.”
Section 10(b) is an example of the general issue of how enforcement powers will be shared between the FTC and the states. As written, the text would apparently preempt general consumer protection law protections brought by individuals or class actions. All 50 states have “little FTC Acts,” which prohibit unfair and deceptive practices. In quite a few states, there are at least some circumstances where individuals can bring claims under the little FTC Acts. The apparent intent of the provision is to prevent “privacy” claims by individuals under the little FTC Acts.
My point here is not to take a position on whether preventing individual claims is a good idea; instead, Section 10(b) shows that legislative drafters should consider who gets to enforce each state law, in addition to defining which state laws are preempted.
State tort, contract and property law
Section 10(c) of the draft bill sets forth a fairly short list of state laws that would remain in effect despite the broad preemption language. As discussed below, I believe the list of relevant statutes is much longer than the draft bill or most observers have thus far contemplated.
One important, but potentially complex, topic is whether background state tort, contract, and property laws would be preempted. Section 10(c) of the bill upholds this body of state law: “Nothing in this Act shall be construed to preempt the applicability of State trespass, contract, or tort law.” The bill has a useful provision stating that contracts protecting privacy are enforceable under state law. For instance, many companies outsource to service providers (or, as phrased in EU law, “controllers” outsource to “processors”). The new federal privacy law would allow these contracts to be enforced, even though they are based in state law.
Most supporters of a federal privacy law presumably agree that it makes sense to maintain the background common law (and statutes) of broad topics such as torts and contracts. With that said, one can imagine the following interpretive problem. Suppose that a state passes a statute that says: “Under State tort law, it is a tort if there is a privacy invasion.” Or, “Under State contract law, violation of privacy is breach of contract.” At that moment, the preemption provision in Section 10(a) conflicts with the retention of state law under Section 10(c).
My tentative view here is that substantial research would assist drafters on how to write a new federal statute while appropriately preserving background state law. Other regulatory regimes over the years have faced similar challenges, including environmental law or the long-running dispute about the scope of preemption power of the Office of Comptroller of the Currency concerning national banks.
One simple possible fix would not work well, however. The simple fix would be to preserve “common law” tort and contract protections, while preempting “statutory” protections. The problem is that modern tort and contract law contain a huge number of statutes in addition to common law case development, with the Uniform Commercial Code being one of myriad examples. In the absence of a simple fix, I suggest congressional hearings and other research to consider how to craft a federal bill that would not unduly disrupt underlying state tort, contract, and property law.
State medical privacy laws
HIPAA does not preempt state privacy laws. When both state and federal requirements exist, HIPAA provides that the stricter privacy protection applies. Many states had medical privacy laws before HIPAA went into effect in 2003, and additional state law has developed since that time.
Section 10(c)(3) provides that medical privacy provisions, with respect to entities covered by HIPAA, are not preempted. (“Covered entities” under HIPAA are primarily medical providers, payers, and clearinghouses.) Note, however, that state medical privacy laws apparently would be preempted with respect to organizations that are not HIPAA covered entities. Examples might include HIV-discrimination laws, or laws governing private substance abuse clinics that fall outside of HIPAA.
I doubt that privacy bill drafters have had the goal of repealing city and state HIV-discrimination laws. This sort of example shows the importance of nuanced research into state laws that protect medical privacy. When HIPAA went into effect in 2003, there was a great deal of work done to clarify the intersection with state laws. For any federal privacy law to move forward, I suggest careful attention to this range of state medical privacy laws, by the Department of Health and Human Services and others.
State financial privacy laws
GLBA sets the same type of floor for financial privacy protections that HIPAA creates for medical privacy protections. In general, states are allowed to write stricter privacy rules for the “financial institutions” covered by GLBA, except where FCRA preemption applies. The Intel draft bill treats financial and medical privacy differently, however – the draft bill would preserve state medical privacy laws for HIPAA entities, but it would apparently preempt existing state financial privacy protections.
I have two observations about preemption and financial privacy. First, Congress should develop a record on existing state financial privacy laws before, in effect, repealing them. Preemption would disrupt the practices of financial privacy protection, and Congress should understand these practices before creating possible unintended consequences. Second, the usual assumption has been that a person’s financial privacy is more sensitive than general data collected in other sectors. This sensitivity is a reason for having federal GLBA privacy protections, long before any general privacy law in the U.S.
The new federal privacy law leads to an interesting possibility — some of the general federal protections may turn out to be stricter than the equivalent GLBA protections. If so, which should apply to financial services institutions, the weaker GLBA provision or the stronger provision in the general privacy bill? As one example, many proposed bills have access provisions that do not exist in GLBA. In short, the federal privacy law should consider both its effects on state financial privacy law as well as possible “ratcheting up” of GLBA protections where Congress decides that such protections should apply generally.
Wiretap and many other federal privacy laws
As discussed in part 1, the majority of existing federal privacy statutes allow states to create stricter privacy protections. Such statutes include at least these: the Electronic Communications Privacy Act (ECPA); the Right to Financial Privacy Act; the Cable Communications Privacy Act; the Video Privacy Protection Act; the Employee Polygraph Protection Act; the Telephone Consumer Protection Act; the Driver’s License Privacy Protection Act; and the Telemarketing Consumer Protection and Fraud Prevention Act (Do Not Call).
To take one prominent example, the draft bill appears to preempt the state laws that require two-party consent for wiretaps. ECPA itself only requires one-party consent, but a number of states have long required consent from both parties before audio taping is permitted. An important legislative change, such as repealing state protections against wiretaps, should not be enacted except after careful consideration. Experts in each of these regulatory areas should be engaged in deliberations on the text of general federal privacy legislation.
Social Security number laws, and other lesser-known existing state laws
Many states have specific laws limiting how companies can use Social Security numbers. It appears that those laws would be preempted by the Intel draft bill, unless they qualify for the exception for “anti-fraud” laws. More generally, before preempting, Congress should hold hearings to learn the range of state laws that currently primarily address the reduction of privacy risk. At least where the states have sensible laws already in place, we should be thoughtful before repealing those laws. For years, the late Robert Ellis Smith published an annual update of state privacy laws that were in effect. Perhaps a member of Congress could task the Congressional Research Service with a study of those state laws.
Grandfathering of state laws
Given the somewhat dizzying possible number of existing state laws that would be preempted, an alternative approach would be to “grandfather” some or all existing state privacy laws. This sort of grandfathering provision is extremely common in federal legislation, including when the Fair Credit Reporting Act was amended to include preemption.
General use of grandfathering would likely face opposition from the business community, however. After all, one impetus for federal legislation has been industry’s hope of preempting the California Consumer Protection Act. If grandfathering is generally sensible, but politically unacceptable for some state laws, then Congress could write a general grandfathering provision, but negotiate a specific list of state laws that would be preempted, such as the CCPA.
Preempting state cybersecurity laws
Does the Intel draft bill (silently) preempt state cybersecurity laws? Multiple states have built extensive legal regimes that require businesses to use encryption and follow other cybersecurity practices. The question would be whether these state cybersecurity laws are “primarily focused on the reduction of privacy risk,” and thus preempted. After all, cybersecurity controls quite likely reduce privacy risk, and “security of data” is included in almost every list of privacy fair information practices. This cybersecurity example illustrates the challenge in drafting a broad preemption provision, without making it over-broad. The bill should, at a minimum, be clear whether it is preempting these state cybersecurity laws.
US privacy law extends far beyond the FTC
As shown for instance in my IAPP textbook on U.S. privacy law, there is an enormous amount of existing federal and state privacy law outside of the current FTC enforcement regime. In my experience, many of the people involved in general privacy legislation have implicitly assumed that the FTC more or less “occupies the field” for privacy protection. My comments here invite FTC-focused privacy experts to consider the huge amount of existing U.S. privacy law that has little or nothing to do with the FTC. Years of hard work and enforcement of those non-FTC existing laws should not be thrown away by an uninformed preemption process.
General privacy preemption differs greatly from CAN-SPAM and other precedents
Some statutes are relatively narrow in scope. CAN-SPAM, for instance, preempts only laws that “expressly regulate the use of electronic mail to send commercial messages.” Compare that with the incredibly broad scope of a general privacy law — all commercial use of personal data, in our $19 trillion annual economy, in this information age. Section 10(a) of the Intel draft bill may be about as good a general principle as can be found. But there should at least be a lot more subsections in Section 10 to address the other issues discussed here.
Preemption is technically complex, as well as politically controversial
Most people involved in debates about federal privacy legislation recognize that preemption is a politically controversial topic. Many parts of industry would only support a federal law if preemption is included. On the other hand, privacy advocates would only accept preemption (if at all) if the bill had notably strict new privacy protections, likely stricter than many in industry would support.
I focus here, however, on a different point — preemption is technically complex. To avoid unintended consequences from legislation, drafters must consider the interactions with numerous existing areas of state and federal law. Even if those interactions are well defined, the scope of general preemption may be unclear. For instance, the Intel draft bill can be read as preempting state encryption and other cybersecurity laws, which quite possibly was not the intent.
Here are two general recommendations: (1) subject matter expertise is needed about how the federal bill will intersect with all of the different regimes discussed in this post; and (2) careful drafting is essential, preferably after developing a detailed legislative record. The new Congress in 2019 can make progress on building that record, even if passage of federal privacy legislation is too much to achieve in one year.
An anecdote, to close
During the drafting of the HIPAA medical privacy rule, we had to consider its intersection with the federal education privacy law, FERPA (think school nurses and college medical clinics). Can you imagine how many states have at least some law governing the privacy and data of school children? To address the medical-related issues, I remember meeting with a lawyer whose practice focused on representing school boards. In the first meeting, she mentioned at least a dozen issues that I had never considered. I urge study of existing federal and state privacy laws before disrupting many things outside of the focus of those that are thinking mostly about FTC enforcement.