Preemption is the ability of the federal government to overrule or replace state law in favor of federal law. It is rooted in the U.S. Constitution’s Supremacy Clause, and it remains a central challenge in passing federal data security and privacy legislation.

Five U.S. states have passed comprehensive data privacy laws. In 2021, at least 25 states introduced comprehensive legislation, along with even more that introduced less-comprehensive legislation to address specific privacy issues. In fact, in the span of time it took us to write this article, the United States went from three to five states with comprehensive data privacy laws. State laws could all be affected by a preemptive federal law, so determining whether and how existing and future state laws should operate with federal law is an essential part of developing federal privacy legislation.

This has fueled a debate on whether federal privacy legislation should allow for stronger state privacy frameworks or whether it should prevent states from having their own frameworks at all. On one side of the debate, a federal law could set minimum requirements and allow states to make new or stricter laws. Proponents of this approach believe that states are best suited to account for their unique needs and to innovate. On the other side, a federal law could displace state frameworks and serve as the uniform standard, with or without carve-outs for state action and existing federal law. Proponents of this strong preemption approach assert that it would end the current patchwork of laws that have led to inconsistent protections for consumers and avoid the industry-related compliance challenges that would come with meeting the requirements of 50+ frameworks.

Fortunately, the preemption debate does not need to be resolved by taking one side or the other. The solution exists along a spectrum, depending on how much Congress wants to allow state laws to complement federal law. A balance can be achieved by having a uniform federal privacy law that can preempt states on substantive provisions covered at the federal level but also preserve existing privacy-related federal frameworks and carve out areas for traditional state authority and emerging areas.

This publication—the first in a series of three main articles—explores the various forms preemption can take and provides recommendations to reach consensus among these options. For more, read our explainer about tough questions and answers here.


Consideration #1: Preemption and Savings Clauses

Preemption allows federal law to overrule or replace state law in a field or topic, but a savings clause, which is referred to as a carve-out for simplicity, can be added to prevent certain areas of state law from being preempted. Such a clause determines how federal law interplays with state law. Of note, preemption and savings clauses often arise with regard to federal legislation so they are not unique to privacy legislation. In certain situations, preemption is impermissible and considered commandeering (e.g., Murphy v. NCAA). Congress should be aware of these limitations as they craft preemption for privacy legislation.

Consideration #2: Carve-Outs for State Action

At least 10 areas could be considered for carve-outs in federal privacy legislation to keep existing state law intact, and statutory language should address how carve-outs involving covered data are handled. Doing so would result in uniform legislation while allowing states to retain control over certain areas. The areas that should be considered for carve-outs broadly fall into two categories: areas of traditional state control and emerging areas/gap-fillers.

Areas of traditional state control to consider include, but are not limited to:

Emerging areas and gap-fillers to consider include, but are not limited to:

Consideration #3: Carve-Outs for Existing Federal Laws

Multiple pieces of current, privacy-related federal law could be explicitly carved out so they are not modified by a new law. Statutory language should address how data is treated when it may be subject to a sectoral privacy law and a comprehensive privacy law, including whether compliance with a sectoral law satisfies requirements set by a new comprehensive law. Existing privacy-related federal laws already have regulatory frameworks in place, and any changes should be addressed through different legislation or amendments to the original statute. These broadly fall into six categories, including but not limited to:

Consideration #4: Other Aspects

The scope of preemption is important, but there are other aspects to consider when including preemption language. These include:


Taking these options into consideration, we offer three main recommendations related to preemption in federal data security and privacy legislation: preemption should not be approached as all-or-nothing, rights and provisions of a federal law should be compared to existing and proposed state laws, and state governments should have a role in enforcement.

Recommendation #1: Preemption should not be approached as all-or-nothing.

A federal privacy law should preempt states on substantive provisions covered by the federal law but should also include carve-outs. It is important to prohibit states from making stricter or additional protections, as failure to restrict this action would inevitably result in returning to the existing patchwork of state restrictions. Federal legislation must also be strong enough to provide adequate privacy and security protections to consumers while taking into account the needs of businesses and groups that will be tasked with complying with it.

This allows for a uniform approach for both consumers and industry while protecting areas of state concern through carve-outs. It will prevent entities from having to follow various state frameworks and any subsequent amendments, which would result in large compliance costs, uncertainty on what is needed to comply and the need to monitor all 50 states regularly. A single standard also produces greater trust and ensures that all individuals enjoy the same protections regardless of where they reside or travel.

Specifically, we suggest that federal privacy legislation include:

We recommend carve-outs for areas of traditional state concern (civil rights laws; state statutes surrounding unfair and deceptive acts and practices; state constitutional law; state laws relating to tort, contract, and property in statute or common law; state criminal law; laws governing specific relationships; and state laws pertaining to government activities) and for emerging areas and gap-fillers (state cybersecurity laws, state versions of federal laws that allow for stronger provisions and state laws governing an area the federal law does not address or contemplate; biometrics require special consideration, as highlighted above).

We also recommend that carve-out implementation be considered in statute in the following ways:

The federal carve-outs we recommend excluding from a federal privacy law are 11 of the statutes previously mentioned. They pertain to student privacy, health privacy, financial privacy, children’s privacy and other categories. These include FERPA, HIPAA, HITECH Act, GLBA, FCRA, COPPA, CALEA, ECPA, Communications Act of 1934 (except as noted below), Driver’s Privacy Protection Act of 1994, and the Federal Aviation Act of 1958. Specifically, data covered by and used in accordance with these existing federal privacy laws should be excluded, but if a covered entity collects data not subject to the other laws, it should follow the provisions in the comprehensive federal legislation for that other data. This will help avoid dual systems for the same data.

Also, we recommend that a federal data privacy law aim to have entities covered by the statute regulated by only one agency for data privacy and security, rather than multiple. In the area of data security and privacy, specifically, Congress could consider allowing the FTC to solely regulate the area to avoid confusion and duplication with the Federal Communications Commission. Of note, certain provisions of existing statutes currently prevent the FTC from fully regulating data security and privacy, such as those related to common carriers; therefore, existing statutes may need to be amended or superseded to allow for this approach.

Recommendation #2: Rights and provisions of a federal law should be compared to existing and proposed state laws.

The substance of a final privacy bill will reflect how the politics surrounding preemption are addressed. For example, advocates of California’s privacy framework may be less likely to oppose broader preemption if the rights and structures currently in place are comparable or stronger in a federal law. On the other hand, if federal law offers fewer protections and still preempts state laws, many are likely to see the federal law as a step backward.

This means that preemption is directly related to other areas of disagreement in the privacy debate like a private right of action (PRA), rulemaking authority and enforcement mechanisms. For example, if the FTC has rulemaking authority, there is an increased likelihood of conflict with state laws and regulations in the absence of broader preemption.

Recommendation #3: State governments should have a role in enforcement.

Permitting state attorneys general, consumer protection officials, or other state officials to share in enforcement will amplify enforcement efforts and make sure local concerns are being addressed. States should be able to conduct investigations into violations affecting their state and bring civil suits in federal court. However, the FTC or a designated federal agency should have the right to be heard in any case brought, to help ensure consistency and expertise.

In addition, states should be permitted to maintain state-level data protection authorities, like the California Privacy Protection Agency. However, the agencies should not be permitted to take action that is inconsistent with federal legislation or that is exclusively granted to a federal agency. Sample roles could include serving as a subject-matter expert for implementation, addressing previously mentioned carve-outs, training and raising awareness.

About this series: This is part of a series considering the major stumbling blocks of federal data security and data privacy efforts. It draws upon existing research and interview data to identify the most salient issues within data security and data privacy and recommend the most appropriate courses of action in an effort to find compromise on federal legislation.

INTRODUCTION – The Path to Reaching Consensus for Federal Data Security and Privacy Legislation

PART 1 – Preemption in Federal Data Security and Privacy Legislation

PART 2 – The Role of the Federal Trade Commission in Federal Data Security and Privacy Legislation

PART 3 – Limiting a Private Right of Action in Federal Data Security and Privacy Legislation

EXPLAINER – Answer to Tough Questions: The Framework of a Federal Data Security and Privacy Law

(Image credit: “The Era of Oversharing (pt.3)” by is licensed under CC BY 4.0)