U.S. State Privacy Laws

Preemption

About Preemption

In the context of legislation, preemption refers to whether a law restricts the authority of states, counties, or cities to enact or enforce their own policies. Preemption is an issue of legislative power–if the federal government preempts the states on a field of law, that action effectively expands the jurisdiction of Congress to the detriment of states and local governments. Congress’ power to preempt state and local laws stems from the Supremacy Clause of the U.S. Constitution.

Federal preemption can take two forms–federal floor and federal ceiling preemption. In most consumer and civil rights legislation, federal law serves as a floor of protections. This “federal floor preemption” only supersedes weaker state laws, and it allows states, counties, and local governments to pass stronger laws. Under federal floor preemption, federal law only supersedes state and local law that conflicts with or is contrary to federal law.

Historically Privacy Law Allows States to Provide Greater Protections

In privacy and consumer protection law, federal ceiling preemption is an aberration. Historically, federal privacy laws have not preempted stronger state protections or enforcement efforts. Federal consumer protection and privacy laws, as a general matter, operate as regulatory baselines and do not prevent states from enacting and enforcing stronger state statutes. The Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver’s Privacy Protection Act, and the Gramm-Leach-Bliley Act all allow states to craft protections that exceed federal law.

Although the federal government has enacted privacy laws, most privacy legislation in the United States is enacted at the state level. Many states have privacy legislation on employment privacy (drug testing, background checks, employment records), Social Security Numbers, video rental data, credit reporting, cable television records, arrest and conviction records, student records, tax records, wiretapping, video surveillance, identity theft, library records, financial records, insurance records, privileges (relationships between individuals that entitle communications to privacy), and medical records.

The National Association of Attorneys General Privacy Subcommittee has also argued that the states have a traditional role in regulating privacy:

There is a presumption in American law that state and local governments are primarily responsible for matters of health and safety. Hillsborough County v. Automated Medical Laboratories, 471 U.S. 707 (1985) (there is a “presumption that state or local regulation of matters related to health and safety is not invalidated under the Supremacy Clause”). Privacy is included in the category of health and safety issues as an area of regulation historically left to the states. For instance, in Hill v. Colorado, the Supreme Court upheld a law protecting the privacy and autonomy of individuals seeking medical care, as the law was intended to serve the “traditional exercise of the States’ ‘police power to protect the health and safety of their citizens.'” 530 U.S. 703 (2000).

EPIC’s previous work on preemption

EPIC has previously argued against federal ceiling preemption. EPIC has testified before Congress that, particularly in the rapidly changing world of information security, the states must be given room to innovate:

EPIC has also argued against preemption in federal court. In ABA v. Brown (formerly ABA v. Lockyer), financial services companies sued to invalidate the California Financial Information Privacy Act, the strongest financial privacy protection in the nation at the time, arguing that the law was preempted by the federal Fair Credit Reporting Act. EPIC and a coalition of groups representing 41 million individuals argued in an amicus brief that preemption of state law weakens protections against identity theft and consumer privacy. The Supreme Court ultimately upheld the California law.

Additional EPIC statements on preemption:

• EPIC’s testimony on the SAFE Data Act before the U.S. House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. (2011)
• EPIC’s testimony on Identity Theft: A Victim’s Bill of Rights before the U.S. House Committee on Oversight and Government Reform, Information Policy, Census and National Archives Subcommittee. (2009)
• EPIC’s comments to the FCC opposing preemption of junk fax laws. (2006)
• EPIC’s comments urging the FCC not to preempt strong anti-telemarketing laws. (2005)
• EPIC’s ABA v. Brown Amicus brief opposing preemption. (2004)
• EPIC comments to the Office of the Comptroller of the Currency on Rules, Policies, and Procedures for Corporate Activities; Bank Activities and Operations; Real Estate Lending and Appraisals, Docket No. 03-02. (2003).
• EPIC’s testimony, Consumer Privacy Protection Act of 2002, HR 4678, before the Subcommittee on Commerce, Trade and Consumer Protection, House Committee on Energy and Commerce. (2002).
• EPIC’s testimony, Hearing on Privacy in the Commercial World, before the Subcommittee on Commerce, Trade, and Consumer Protection Committee on Energy and Commerce U.S. House of Representatives. (2001).