Preemption of State Law

Preemption Part 1: Background on Federal Preemption of Stricter State Laws

For the discussion of this bill, I am planning to focus on one very tricky legal issue – preemption. My focus is not on whether preemption in general is a good idea. The basic trade widely discussed currently is this: consumers get privacy protections nationally (with benefit to consumers, and protection of their rights), and business gets a limit on its obligations. I take that as a given in the current debates. My focus is on somewhat more technical issues – if the goal is to have a preemption provision that clearly defines what is preempted, how should it be drafted? In this post, I address the history of federal preemption. In a forthcoming post, I examine the preemption text in the proposed bill.

In the discussion, my main attention is to the options other U.S. laws have used for preemption. Typically, I will seek to state what consumer advocates are likely to say, and what businesses are likely to say. My working assumption is that consumer advocates will support narrower preemption, in order to permit states to pass additional protective laws. My assumption as well is that businesses will seek broad preemption, in order to have rules that are as uniform as possible across the fifty states.

I offer a mild disclaimer. I have sought to be careful and accurate in describing these multiple laws and how they operate. I have not, however, gone back and done a full legal research memorandum on each statute and how it has been interpreted over time. All of those considering general U.S. privacy legislation are moving up the learning curve on multiple topics. I welcome corrections and supplementary comments on the preemption discussion here.

As background, I have been involved in U.S. legislative privacy debates since the mid-1990’s. I am lead author of a textbook on many facets of U.S. privacy law. I have also lived through previous rounds of preemption debates. For instance, I was Chief Counselor for Privacy for the Office of Management and Budget during the HIPAA proposed and final medical privacy rules (2000 version), as well as during passage in Congress of the Gramm-Leach-Bliley Act. I served on the inter-agency rule-writing committee for the GLBA Privacy Rules. For the amendments to the Fair Credit Reporting Act (FCRA), passed in 2003, I testified in Congress.

Preemption in earlier U.S. privacy laws. Practice has varied over time about whether a federal privacy statute should have preemption. When we were working on medical and financial privacy in the late 1990’s, the Clinton Administration position was that HIPAA and GLBA should not preempt stricter state laws. The rationale was that privacy laws exist to protect individual rights, and states should have the ability to offer greater protection of rights to their citizens. Especially in the medical privacy area, many states have passed laws stricter than the federal floor.

Many earlier U.S. privacy statutes took the same position, and did not preempt stricter protections under state law. These statutes include: the Electronic Communications Privacy Act; the Right to Financial Privacy Act; the Cable Communications Privacy Act; the Video Privacy Protection Act; the Employee Polygraph Protection Act; the Telephone Consumer Protection Act; the Driver’s License Privacy Protection Act; and the Telemarketing Consumer Protection and Fraud Prevention Act (Do Not Call).

At least three federal privacy statutes have preemption provisions: the Children’s Online Privacy Protection Act of 1999 (COPPA); the CAN-SPAM Act, passed in 2003; and the 1996 and 2003 updates to the Fair Credit Reporting Act, the latter of which is called the Fair and Accurate Credit Transactions Act (FACTA).


In 15 USC 6502(d), COPPA in 1999 had the following provision on “Inconsistent State law”: “No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.”

The scope of this preemption provision was discussed in a 2014 amicus brief by the Federal Trade Commission in a case involving whether COPPA’s rules applying to children under age 13 preempted state laws for teenagers between 13 and 18. The FTC argued that no such preemption applied. That case was later settled.


In 2003, Congress passed the CAN-SPAM Act (“Controlling the Assault of Non-Solicited Pornography and Marketing Act”).

The general preemption provision is in 15 USC 7707(b)(1): “IN GENERAL.–This Act supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” (emphasis added).

One thing to highlight is the narrowness of the scope of CAN-SPAM – the preemption applies to a law that “expressly regulates the use of electronic mail to send commercial messages.” Even for this narrow provision, the law then has a number of exceptions. The scope of a general privacy bill is far broader, potentially touching the processing of personal information in almost any commercial activity. The gap between the narrow scope of CAN-SPAM and the broad scope of proposed privacy bills today hints at the challenges of writing an effective preemption provision.

Fair Credit Reporting Act

The FCRA, as originally drafted, had a narrow preemption provision aimed at protecting credit reporting agencies from state-court tort suits for defamation. In 1996 and 2003 Congress updated a number of consumer protections. At the same time, Congress added a somewhat complex preemption mechanism.

The structure of FCRA preemption begins with a statement that state laws generally still apply, except where the FCRA has a specific preemption effect. Under 15 USC 1681t, “This subchapter does not annul, alter, affect, or exempt any person subject to the provisions of this subchapter from complying with the laws of any State with respect to the collection, distribution, or use of any information on consumers, or for the prevention or mitigation of identity theft, except to the extent that those laws are inconsistent with any provision of this subchapter, and then only to the extent of the inconsistency.”

The FCRA then provides statutory subsections where preemption does apply, such as for adverse action reports to consumers 15 USC 1681m(a) and (b), or 15 USC 1681s-2, on the responsibilities of furnishers of information to consumer reporting agencies.

To conclude this initial post, I have set forth a brief history of how previous U.S. privacy laws have or have not preempted stricter state laws. Earlier privacy laws did not preempt. Some, but not all, of the privacy bills passed since 1996 have preempted. Studying the details of earlier preemption provisions can help inform discussion of the specific text on preemption in the proposed bill, which I will turn to in a subsequent post.



  1. Peter Swire
    Preemption Part 2. This post discusses points raised by the text of Section 10 of Intel’s draft bill, on preemption. The attempt in this post is to spot issues that have not been widely discussed to date. A main theme – preemption is a technically complex topic, and a lot of careful legal work is needed to avoid unintended consequences.

    1. Section 10(a) sets forth the general preemption provision – “any civil provisions of the law of any State” that “are primarily focused on the reduction of privacy risk.”

    Comment: There will be debates about what counts as “primarily focused on the reduction of privacy risk.” Some sort of vagueness will likely be necessary for any preemption provision, because of the wide scope of laws that might address the handling of personal information in an information economy such as ours. This is one area where legislative history, including Congressional findings, may be of use in clarifying the meaning of the text.

    2. Section 10(b) says that the new law will not be “construed to limit the enforcement of any State consumer protection law by the attorney general of the State.”

    Comment: As written, the text would apparently preempt general consumer protection law protections brought by individuals or class actions. All 50 states have “little FTC Acts,” which prohibit unfair and deceptive practices. In quite a few states, there are at least some circumstances where individuals can bring claims under the little FTC Acts.

    Two interpretations seem possible here. First, the apparent intent of the provision is to prevent “privacy” claims by individuals under the little FTC Acts. Second, the provision could also be read to preempt ALL claims by individuals under state consumer protection laws, even if they were not privacy-related. If only the first is intended, then language should be added that clarifies that non-privacy consumer protection laws would remain in effect for individual enforcement.

    3. Section 10(c) sets forth a fairly short list of state laws that would remain in effect despite the broad preemption language. For instance, general common law or statutory claims under tort, contracts, and trespass would continue, as well as state laws aimed at preventing fraud. Also, 10(c)(4) has a useful provision stating that contracts about privacy are enforceable under state law.

    Maintaining the background common law (and statutes) of tort and contract is a sensible idea. One can imagine the following interpretive problem, however. Suppose that a state passes a statute that says: “Under State tort law, it is a tort if there is a privacy invasion.” Or, “Under State contract law, violation of privacy is breach of contract.” At that moment, the preemption provision in Section 10(a) conflicts with the retention of state law under Section 10(c). Some more work is needed here to clarify the interconnection of tort and contract law with the laws in 10(a).

    It won’t work to try to define laws as “common law tort and contract” protections. Modern tort and contract law apply a huge number of statutes in addition to common law case development.

    4. Section 10(c)(3) says that medical privacy provisions, with respect to entities covered by HIPAA, are not preempted. Most states have at least some additional medical privacy laws, so this provision would save those long-standing laws from preemption. Note, however, that state medical privacy laws apparently would be preempted with respect to organizations that are not HIPAA covered entities. These might include, for instance, HIV-discrimination laws, or substance abuse clinics that are outside of HIPAA. When HIPAA went into effect in 2003, there was a great deal of work done on the intersection with state laws. For any federal privacy law to move forward, I would suggest careful attention to this range of state privacy laws, by HHS and others.

    5. There is a somewhat glaring omission of how the draft bill intersects with state laws that implement previous federal privacy laws. As stated in my prior post, that list includes at least these: the Electronic Communications Privacy Act (ECPA); the Right to Financial Privacy Act; the Cable Communications Privacy Act; the Video Privacy Protection Act; the Employee Polygraph Protection Act; the Telephone Consumer Protection Act; the Driver’s License Privacy Protection Act; and the Telemarketing Consumer Protection and Fraud Prevention Act (Do Not Call).

    To take one prominent example, the draft bill appears to preempt the state laws that require two-party consent for wiretaps. ECPA itself only requires one-party consent, but a number of states have long required consent from both parties before the audio taping is permitted. I am not taking a position on how to proceed with these previous privacy regimes, but experts in each regime should be engaged in deliberations on the text.

    6. Similarly, GLBA sets a floor for financial privacy protections, but states are allowed to be stricter (except where Fair Credit Reporting Act preemption applies). Many times, GLBA and HIPAA are considered somewhat equivalent, as federal laws that cover huge sectors (financial services and health care). The draft bill permits stricter medical privacy laws at the state level, but not stricter financial privacy laws.

    7. Social Security number laws, and other lesser-known existing state laws. Many states have specific laws limiting how companies can use Social Security numbers. It appears that those laws would be preempted, unless they count as “anti-fraud” laws. More generally, before preempting, Congress should hold hearings to learn the range of state laws that currently primarily address the reduction of privacy risk. At least where the states have sensible laws already in place, we should be thoughtful before repealing those laws. For years, the late Robert Ellis Smith published an annual update of state privacy laws that were in effect.

    8. Grandfathering of state laws. Given the somewhat dizzying possible number of existing state laws that would be preempted, an alternative approach would be to “grandfather” some or all existing state privacy laws. This sort of grandfathering provision is extremely common in federal legislation, including when the Fair Credit Reporting Act was amended to include preemption.

    This sort of general grandfathering approach would face opposition from the business community. After all, one impetus for federal legislation has been to preempt the California Consumer Protection Act. One possible approach for drafting is to have a general grandfathering provision, but negotiate a specific list of state laws that would be preempted, such as the CCPA.

    9. Data breach and cybersecurity laws. Are state data breach laws “primarily focused on the reduction of privacy risk”? Maybe so. If so, the draft bill preempts all the state data breach laws, without providing any federal framework for data breaches. I don’t think preempting data breach laws was the intent, so that needs to get fixed.

    Similarly, I can see a pretty good argument that state cybersecurity laws are “primarily focused on the reduction of privacy risk.” Multiple states have built extensive legal regimes about businesses using encryption and following other cybersecurity practices. The bill should, at a minimum, be clear whether it is preempting these state cybersecurity laws.

    10. As this post has tried to illustrate, there is an enormous amount of existing federal and state privacy law outside of the current FTC enforcement regime. In my experience, many of the people involved in general privacy legislation have implicitly assumed that the FTC more or less “occupies the field” for privacy protection. My comments here invite FTC-focused privacy experts to consider the huge amount of existing U.S. privacy law that has little or nothing to do with the FTC. Years of hard work and enforcement of those existing laws should not be thrown away by a casual preemption process.

    11. Why defining the scope of preemption is difficult. Some statutes are relatively narrow in scope. CAN-SPAM, for instance, preempts only laws that “expressly regulate the use of electronic mail to send commercial messages.” Compare that with the incredibly broad scope of a general privacy law – all commercial use of personal data, in our complex economy, in this information age. Section 10(a) may be about as good a general principle as can be found. But there should be a lot more subsections in Section 10 to address the other issues discussed here.

    12. Preemption is technically complex, as well as politically controversial. Perhaps the most important lesson is that preemption is a technically complex subject. Subject-matter expertise is needed to intersect with all of the different regimes discussed in this post. Careful drafting is essential, preferably after developing a detailed legislative record.

    13. An anecdote, to close. During the drafting of the HIPAA medical privacy rule, we had to consider the intersection with the federal education privacy law, FERPA. (Think school nurses and college medical clinics.) Can you imagine how many states have at least some law governing the privacy of school children? To address the medical-related issues, I remember meeting with a lawyer whose practice focused on representing school boards. In the first meeting, she mentioned at least a dozen issues that I had never considered. I urge study of existing federal and state laws before disrupting many things outside of the focus of companies that are thinking mostly about FTC enforcement.

  2. Omer Tene
    Great comment Peter. So invaluable. Really fleshes out why I believe this will end up being perhaps the most contentious and debated provision of the law. The comparison to CAN-SPAM in item 11 is instructive. The difference between the relatively narrow scope of “commercial email” and the incredibly vague boundaries of laws “primarily focused on the reduction of privacy risk” couldn’t be starker. There is so much that could be packed into that term.
    Perhaps the most practical – and sure to be controversial – example is your item 9, state breach notification laws. Of course, there is good reason to harmonize 50 distinct state laws addressing the same issue. But by no means is it clear that this should be wrapped into a federal privacy bill. And if it is, of course the bill would have to address the issue head on.
    Thanks again for the insights Peter.

  3. David Hoffman
    Peter – I agree with Omer, that this is both going to be one of the most challenging areas for drafting, and also one of the most critical to get right. Your post is a fantastic contribution to the discussion, and this is an area that needs much more analysis. Let me make a narrow point and then a broader comment about the goals of what we tried to achieve.

    State Data Breach Notification Laws – Our drafting goal was consistent with what Omer notes that we do not want to preempt these laws. While I do believe a federal data breach notification law would be much better than the non-harmonized patchwork we have right now, privacy legislation is difficult enough to draft without also including this task. We had thought we had effectively carved this out of the preemption language with the inclusion of “data breach notification” in Section 10(c)(1). However, there are several people who have said they do not believe we have exempted those laws from preemption. Do you have a recommendation on how to make this clearer in our next draft?

    Goals – Our overall objective with the preemption language was to create a uniform national standard for information privacy that would allow organizations to implement compliance programs while minimizing the need to pay large law firm lawyers to analyze fifty different (and potentially at times conflicting) sets of requirements. My experience is that such a patchwork is often bad for both individuals (unclear what rights they have) and organizations (the aforementioned challenge of designing a compliance program and the increased cost of legal fees). We also want to create an even playing field across industry sectors, as we increasingly see organizations operating in multiple areas and wanting to take advantage of the value of combining data across their diverse operations. Having the FTC oversee a common set of standards across all industry sectors seems like the best way to create that even playing field.

    To accomplish these objectives we wanted to preempt state laws aimed at the overall issue of information privacy (CCPA) while not preempting laws that, while they may have privacy implications, are primarily not aimed at the same topic (trespass). We also were not intending that this law would be the only law governing information privacy, and that Congress may consider some areas of information use so risky that they may want an additional law (e.g. HIPAA, GINA). Once we made that decision, we also felt it important to leave in place the state laws that act as additional protections for those federal statutes. Perhaps that approach is not feasible. Your example of GLBA is excellent. I am hard pressed to understand why it would be a good idea to have a separate system for the financial sector in addition to this bill. Do you think it would be more advisable to attempt to also cover the privacy portions of other federal laws (HIPAA, GINA, COPPA, GLBA, VPPA, etc.) and explicitly also preempt them here with a grandfathering clause?

  4. Tim Sparapani
    Peter, David, Omer and other friends – I see two key, unaddressed preemption questions that deserve extra thought from Intel and other thought leaders. They are, in brief: (1) How to preempt without eviscerating private contractual requirements that reference other privacy laws (that might be preempted) and that function to create important privacy protections between businesses for consumers?; and
    (2) How to preempt without destroying several decades of important court decisions that substantially advance personal privacy and protect the public?

    To address the first question again: How can we have the sort of preemption that leads us to advancing privacy without accidentally jettisoning private contracts between parties (IMHO one of the most important forcing functions driving improved privacy practices from one company through its vendors, partners and customers)? I worry that preemption, which I generally favor as long as the floor of preemption is a high one that advances personal privacy substantially, will lead to accidental removal of either federal sectoral or state laws upon which private contracts requiring privacy standards are based. The clearest example of this might be state student privacy laws/regulations, COPPA, or HIPAA, which are referenced in a myriad of contracts leading to at least minimum privacy protections for the public.

    Addressing the second question, we must realize that numerous, essential court cases have incrementally advanced personal privacy. Often the basis for those important judicial decisions is the existence of either federal sectoral privacy laws or state privacy laws. Eliminate those laws through preemption and we accidentally produce a result that causes a retreat from important, judge-made law advancing personal privacy.

    I don’t have the answers, yet, but I know these questions need to come into focus and deserve our collective best efforts to answer them in a pro-privacy way.

  5. Kirk Nahra
    One additional possibly to think about on preemption. I base this on my experience primarily working with health care privacy laws over the past 20 years, where many of the the state laws are confusing, narrow, very detailed, and often ignored and unenforced. I have used the analogy for a HIPAA preemption analysis that says that HIPAA is written in english and the state laws are written in french, and they just don’t talk to each other. Most of these laws were passed long ago for separate specific purposes, typically before HIPAA existed. My suggestion – which I have made in the health care space and now encourage consideration of here on a broader level – would be to have preemption apply to essentially wipe out existing laws on the books today (subject obviously to Peter’s comments and other comments about what this would actually apply to), but then permit states to pass “tougher” laws in the future. This would be a compromise approach, borrowed from FCRA. It would wipe off the books older and perhaps unnecessary laws. It would permit a state to look at the new federal law and say “we want to improve privacy protection in this specific area as compared to the federal law.” Presumably (although this cannot be guaranteed – see the Texas health care privacy law that was passed after HIPAA) this approach would remove laws that are no longer needed or useful, but would allow newer laws that could be easily compared to the federal law in terms of where the differences are (if the states were thoughtful about what they were actually trying to make tougher). This would not be complete preemption (which, all things equal I might prefer), but would result in a more limited and focused set of additional laws that would require compliance.