As more states pass state-level data privacy laws, federal privacy law is becoming increasingly necessary to prevent a patchwork of confusing state-level legislation. The divergent legal obligations under such laws can pose a significant challenge for businesses as they navigate increasingly complex privacy requirements. This increasingly confusing patchwork makes it urgent for Congress to enact federal privacy legislation to preempt overlapping and conflicting state privacy laws, which risk creating significant uncertainties for businesses and consumers. Unfortunately, the latest proposed solution in Congress falls short of addressing that goal.
The House Energy and Commerce Committee held a hearing yesterday on the recently proposed draft federal data privacy legislation, the American Data Privacy and Protection Act. However, the proposed legislation falls short of this objective of preempting a growing patchwork of state privacy laws.
As of June 2022, five states—California, Connecticut, Colorado, Utah, and Virginia—have passed state-level privacy laws, and at least 22 more are considering doing the same. If all 50 states were to enact their own data privacy legislation, it could cost the U.S. economy more than $1 trillion in the next decade, according to estimates by the Information Technology and Innovation Foundation, a tech-focused think tank. That burden will fall disproportionately on startups and small and medium-sized businesses that lack large corporations’ legal and compliance staff.
The American Data Privacy and Protection Act seeks to achieve a bipartisan consensus on state preemption, but the draft bill ultimately falls short of achieving this goal. The proposed legislation includes language that would preempt specific state laws, but its lengthy list of exceptions significantly weakens the law’s preemption powers.
For instance, the proposed legislation does not preempt state-level consumer protection and civil rights laws, criminal laws related to online fraud and unauthorized access to electronic devices, and laws pertaining to financial and health records, among other exemptions.
It also includes exceptions for laws such as California’s privacy legislation and Illinois’ biometric data law. Furthermore, the proposed legislation could also face future legal challenges—since it is unclear whether the exemptions apply only to the current form of Illinois and California laws or to future changes to such laws.
Such exceptions will weaken the law’s potential to preempt state data privacy laws. Therefore, in its current form, the American Data Privacy and Protection Act will fail to do what most national data privacy laws do—create a uniform set of rules throughout the country. (Other aspects of the proposed law—such as the inclusion of non-data-privacy-related issues and the role of the Federal Trade Commission and state attorney generals to enforce privacy rules—also merit closer examination.)
In summary, against the backdrop of the confusing patchwork of state privacy laws, a streamlined federal privacy framework is becoming increasingly necessary to prevent an overregulated, fractured U.S. digital economy. Congress should instead work to develop a privacy law with stronger preemption powers to create certainty for businesses, protect data privacy, and promote technological innovation.