State attorneys general implore Congress not to preempt their privacy laws

Fifteen state attorneys general on Wednesday called on Congress to prevent new federal comprehensive data privacy legislation from preempting 17 states’ existing or recently passed laws protecting consumer privacy. 

The state attorneys general fear the draft federal American Privacy Rights Act (APRA) could wipe out existing, and in a few cases stronger, state data privacy laws. APRA currently includes language superseding those laws in the 17 states which have now passed comprehensive data privacy legislation.

While APRA includes some exceptions to state law preemption, it overrides several non-comprehensive yet significant state privacy regulations, including Illinois’s landmark Biometric Information Privacy Act (though it allows some remedies similar to BIPA’s in Illinois).

“A federal legal framework for privacy protections must allow flexibility to keep pace with technology; this is best accomplished by federal legislation that respects — and does not preempt — more rigorous and protective state laws,” the letter to congressional leaders said.

“States are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight.”

Previous federal comprehensive data privacy legislation, known as the American Data Privacy and Protection Act, prompted similar worries but was never brought to the floor for a vote. Shortly after it nearly unanimously passed out of committee, House Speaker Nancy Pelosi (D-CA) raised concerns over how the legislation would wipe out California’s pioneering comprehensive data privacy law.

The current draft of APRA would lead to California’s “landmark privacy law being replaced with weaker protections and would hamper the ability of California to adequately protect the privacy of its citizens in the future,” according to a press release issued by California Attorney General Rob Bonta, who led the coalition urging Congress to change the draft APRA bill.

Notwithstanding California’s strong law, many comprehensive state data privacy laws include far weaker provisions than those in the draft APRA legislation.

The letter also notes that under APRA, internet users will have to wait two years before they can “exercise their privacy rights” under the Global Privacy Control (GPC), a measure allowing internet users to alert businesses to their privacy preferences.

GPC was developed by privacy advocates, major media organizations such as the New York Times, civil rights organizations and Ashkan Soltani, the current head of the California Privacy Protection Agency, a privacy enforcement agency created by California’s state data privacy law.

The letter also said that as drafted APRA will “substantially” preempt state attorneys’ general ability to investigate privacy violations using “civil investigative demands” by blocking  state agencies  from compelling documents or other information from organizations they believe have violated the federal law. 

“California is at the forefront of privacy protections and must retain the ability to respond to privacy concerns as tech rapidly innovates,” he said. “We urge Congress not to undercut the important protections that states have established; states must be able to protect their residents from evolving privacy threats.”

The 14 additional attorneys general joining Bonta in sending the letter represent Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, Vermont and the District of Columbia.