Preemption Part 1: Background on Federal Preemption of Stricter State Laws For the discussion of this bill, I am planning to focus on one very tricky legal issue – preemption. reemption. My focus is not on whether preemption in general is a good idea. The basic trade widely discussed currently is get privacy protections nationally (with benefit to consumers, and protection of their rights). And, business gets a limit on its obligations. I take that as a given in the current debates. My focus is on somewhat more technical issues – if the goal is to have a preemption provision that clearly defines what is preempted, how to draft that. In this post, I address the history of federal preemption. In a forthcoming post, I examine the preemption text in the proposed bill.
In the discussion, my main attention is to the options other U.S. laws have used for preemption. Typically, I will seek to state what consumer advocates are likely to say, and what businesses are likely to say. My working assumption is that consumer advocates will support narrower preemption, in order to permit states to pass additional protective laws. My assumption as well is that businesses will seek broad preemption, in order to have rules as uniformly as possible across the fifty states.
I offer a mild disclaimer. I have sought to be careful and accurate in describing these multiple laws and how they operate. I have not, however, gone back and done a full legal research memorandum on each statute and how it has been interpreted over time. All of those considering general U.S. privacy legislation are moving up the learning curve on multiple topics. I welcome corrections and supplementary comments on the preemption discussion here.
As background, I have been involved in U.S. legislative privacy debates since the mid-1990’s. I am lead author of a textbook on many facets of US privacy law. I have also lived through previous rounds of preemption debates. For instance, I was Chief Counselor for Privacy for the Office of Management and Budget during the HIPAA proposed and final medical privacy rules (2000 version), as well as passage in Congress of the Gramm-Leach-Bliley Act, I served on the inter-agency rule-writing committee for the GLBA Privacy Rules. For the amendments to the Fair Credit Reporting Act (FCRA), passed in 2003, I testified in Congress.
Preemption in earlier U.S. privacy laws. Practice has varied over time about whether a federal privacy statute should have preemption. When we were working on medical and financial privacy in the late 1990’s, the Clinton Administration position was that HIPAA and GLBA should not preempt stricter state laws. The rationale was that privacy laws exist to protect individual rights, and states should have the ability to offer greater protection of rights to their citizens. Especially in the medical privacy area, many states have passed laws stricter than the federal floor.
Many earlier U.S. privacy statutes took the same position, and did not preempt stricter protections under state law. These statutes include: the Electronic Communications Privacy Act; the Right to Financial Privacy Act; the Cable Communications Privacy Act; the Video Privacy Protection Act; the Employee Polygraph Protection Act; the Telephone Consumer Protection Act; the Driver’s License Privacy Protection Act, and the Telemarketing Consumer Protection and Fraud Prevention Act (Do Not Call ).
At least three federal privacy statutes have preemption provisions: the Children’s Online Privacy Protection Act of 1999 (COPPA); the CAN-SPAM Act, passed in 2003, and the 1996 and 2003 updates to the Fair Credit Reporting Act, the latter of which is called the Fair and Accurate Credit Transactions Act (FACTA).
In 15 USC 6502(d), COPPA in 1999 had the following provision about “Inconsistent State law: “No State or local government may impose any liability for commercial activities or actions by operators in interstate or foreign commerce in connection with an activity or action described in this chapter that is inconsistent with the treatment of those activities or actions under this section.”
The scope of this preemption provision was discussed in a 2014 amicus brief by the Federal Trade Commission in a case involving whether COPPA’s rules applying to children under age 13 preempted state laws for teenagers between 13 and 18. The FTC argued that no such preemption applied: https://www.ftc.gov/system/files/documents/amicus_briefs/jo-batman-v.facebook-inc./140321batmanfacebookamicusbrief.pdf. That case was later settled.
In 2003, Congress passed the CAN-SPAM Act, (“Controlling the Assault of Non- Solicited Pornography and Marketing Act”).
The general preemption provision is in 15 USC 7707(b)(1): “IN GENERAL.–This Act supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” (emphasis added).
One thing to highlight is the narrowness of the scope of CAN-SPAM – the preemption applies to a law that “expressly regulates the use of electronic mail to send commercial messages.” Even for this narrow provision, the law then has a number of exceptions. The scope of a general privacy bill is far broader, potentially touching the processing of personal information in almost any commercial activity. The gap between the narrow scope of CAN-SPAM and the broad scope of proposed privacy bills today hints at the challenges of writing an effective preemption provision.
Fair Credit Reporting Act
The FCRA, as originally drafted, had a narrow preemption provision aimed at protecting credit reporting agencies from state-court tort suits for defamation. In 1996 and 2003 Congress updated a number of consumer protections. At the same time, Congress added a somewhat complex preemption mechanism.
The structure of FCRA preemption begins with a statement that state laws generally still apply, except where the FCRA has a specific preemption effect. Under 15 USC 1681t, “This subchapter does not annul, alter, affect, or exempt any person subject to the provisions of this subchapter from complying with the laws of any State with respect to the collection, distribution, or use of any information on consumers, or for the prevention or mitigation of identity theft, except to the extent that those laws are inconsistent with any provision of this subchapter, and then only to the extent of the inconsistency.”
The FCRA then provides statutory subsections where preemption does apply, such as for adverse action reports to consumers 15 USC 1681m(a) and (b), or 15 USC 1681s-2, on the responsibilities of furnishers of information to consumer reporting agencies.
To conclude this initial post, I have set forth a brief history of how previous U.S. privacy laws have or have not preempted stricter state laws. Earlier privacy laws did not preempt. Some, but not all, of the privacy bills passed since 1996 have preempted. Studying the details of earlier preemption provisions can help inform discussion of the specific text on preemption in the proposed bill, which I will turn to in a subsequent post.