SIIA, like many others in the tech industry, eagerly awaits a draft privacy bill from the Hill. We support a strong and comprehensive federal privacy law that is designed to prevent and remedy harms, gives consumers meaningful control and access to their personal data, and bars unreasonable data collection and use practices. As we have noted in many fora, how to achieve this will require many sensitive policy decisions, all of which Congress is uniquely poised to decide.
One of the sensitive policy decisions is whether the federal privacy solution should harmonize U.S. law through an express preemption provision. We believe a federal law must preempt state law in order for it to effectively protect our economy and consumers. Without a preemptive solution, U.S. companies and consumers will face a balkanization of state privacy standards.
This state regulatory patchwork, in turn, will lead to consumer confusion, disparate and unequal consumer protections, contradictory regulatory standards, economically infeasible compliance costs, and regulatory barriers to entry for startups and SMEs. It will also put U.S. firms at a disadvantage in the global market, as they struggle to implement and adhere to disparate national privacy standards while entering an inevitably complicated international compliance field.
SIIA recognizes, however, that whether and how to preempt is a sensitive matter that must be balanced against other legitimate concerns, including how to adhere to American federalist principles, the policy objectives and strength of the federal legislation at hand, political ideology, competing policy objectives, and canons of statutory construction. To help policymakers weigh these considerations, SIIA has published an issue brief exploring the constitutional doctrine of preemption: Preemption and Privacy: A Primer on Legal and Policy Considerations.
Released on September 18, the brief analyzes why the information privacy question is a matter of national and global economic importance, rather than a matter of local concern best left to state regulation. It examines the impact of disparate state standards on SMEs, particularly those that are born global and enter the international market from inceptions, and discusses why uniformity in privacy law is good for consumers.
The brief also provides an overview of the constitutional doctrine of preemption, its touchstone of congressional intent, and how the courts apply both an express and implied analysis when reviewing statutes for their preemptive effect. It notes that legislative clarity is critical to ensuring judicial review of the preemptive effect of statutes is consistent with congressional intent, and explains how a statute can be found to impliedly preempt state law by the courts even when Congress intended the opposite effect.
Lastly, the brief discusses why preemption is particularly complex in the privacy space, identifies which state laws a federal privacy law should seek to preempt, and discusses how Congress can draft preemption provisions to ensure that the federal privacy law only displaces the state laws necessary to harmonize U.S. information privacy regulation. Regarding the latter, the brief explores two legislative proposals with preemption provisions: the Information Transparency and Personal Data Control Act (H.R. 2013, 116th Congress), and the Intel Privacy Bill. The brief explains how the preemption provisions precisely identify the state laws that should be displaced and those that should be saved. The brief suggests how Congress can further clarify these proposals to avoid unintended displacement of state laws.
As we note at the conclusion of the brief, it is true that our federalist system often encourages concurrent state and federal regulation because it enables the states to act as “laboratories of democracy,” testing out new and innovative regulatory frameworks. This division of powers, however, cannot be used to justify regulatory to the detriment of our economy and consumers. Congress can, and should honor state ingenuity through a federal information privacy standard that draws on state regulatory lessons while harmonizing U.S. data privacy for the benefit of consumers, industry, and economy.