It will be important for the states to monitor federal legislation to ensure that their interests are taken into account.
In June of this year, the California Legislature passed a sweeping new privacy law, created new data privacy rights for consumers and imposed significant new obligations on companies. The law prompted an outcry among tech companies who were concerned that it was hastily drafted and could lead to inconsistent and onerous obligations if other states were to enact such laws. The concern is that state regulation, like California’s, could have a detrimental effect on the digital economy.
This has led to a push by business interests for a federal privacy law. The Internet Association, which represents more than 40 companies, including Facebook, Alphabet, Microsoft and Twitter, has proposed “an economy-wide, national approach to regulation that protects the privacy of all Americans.” Similarly, the United States Chamber of Commerce published a list of principles that could serve as a framework for a federal privacy law:
It is difficult to predict how quickly Congress will respond to these requests. For the past decade Congress has considered from time to time a national security breach notification law, but has not yet been able to pass one. However, the digital economy has become such a key part of our overall economy that it will be difficult for Congress to ignore this push for a federal privacy law. In addition, the enactment of a uniform data protection regulation in Europe, the General Data Protection Regulation, has created a precedent for a more uniform approach across jurisdictions.
What does this mean for state regulators? Most likely Congress will be pushed to create a national framework that will preempt conflicting state and local laws as that is a significant concern of business interests. If a federal law is passed, it will probably not alter privacy laws that apply to government activities, but would likely limit the ability of states to enact conflicting state consumer privacy laws. It seems unlikely that Congress would allow states to enact more rigorous protection as that would defeat the purpose of creating a uniform federal privacy framework.
There will probably be some areas left to states. For example, states’ regulations against unfair and deceptive practice will likely continue to apply to companies that mislead consumers about their privacy practices. In addition, Congress may provide that the federal legislation can be enforced by state and local officials. For example, the CAN-SPAM Act of 2003 preempted most anti-spam laws, but provided that a state attorney general could enforce certain provisions of that law.
It will be important for the states to monitor federal legislation to ensure that state interests are taken into account. And, if the federal government is unable to develop a national framework, states should consider working together to develop a consistent approach among themselves. This is an approach taken in many other areas of the law through the Uniform Law Commission. Both consumers and businesses alike would be well-served by a uniform approach, whether at the state or federal level.