How Would the Kerry-McCain "Commercial Privacy Bill of Rights" Affect State Security and Privacy Laws?
We’ve previously written about the Kerry-McCain "Commercial Privacy Bill of Rights," which tries to create a general federal privacy framework rooted in the Fair Information Practices (although we’re not sure how well it succeeds). Currently, federal privacy law is sector-specific, often applying only to certain types of information or certain categories of "covered entities," and thus leaving gaps in privacy protection. A good comprehensive federal privacy law could fill those gaps.
At the same time, privacy advocates are also fans of state privacy laws. States are often privacy innovators. A classic example is California’s pioneering data breach notification law, which helped shed light on just how often (and how badly) holders of our personal data mess up—and has since been copied by many states. There’s still no federal breach notification law.
More generally, many states have laws that authorize state officials (and in more limited circumstances, consumers) to bring consumer protection lawsuits against unfair or deceptive trade practices. In California, Business & Professions Code § 17200 can be enforced not only by the state attorney general but also by: 58 county district attorneys; 5 city attorneys (for each of the cities with populations over 750,000); and full-time city attorneys for any of the other 400+ smaller cities (with the consent of the county district attorney). District attorneys across California—Alameda, Los Angeles, Sacramento, San Diego, San Francisco, San Mateo, and Sonoma (to name a few)—have actively used § 17200.
But these powerful state-level laws for protecting consumer privacy might be endangered. Under the U.S. Constitution’s Supremacy Clause, both the Constitution and federal law “shall be the supreme Law of the Land; ... any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.” (Article VI, clause 2) Lawyers call this “preemption,” and it means that the federal law will trump the state law. Congress can expressly preempt state law, but even if Congress doesn’t say so outright, courts may find that a state law is preempted because it conflicts with federal law or because Congress intended to “occupy the field.”
On the other hand, Congress can also expressly set a federal “floor” but allow the states to impose stricter rules. For example, as the legislative history of the Wiretap Act states, “The proposed provision envisions that States would be free to adopt more restrictive legislation, or no legislation at all, but not less restrictive legislation.” S. Rep. No. 1097, at 98 (1968), reprinted in 1968 U.S.C.C.A.N. 2112, 2187.
So an obvious question is how the Kerry-McCain bill addresses state privacy laws. Our main conclusion: Kerry-McCain would preempt many state privacy laws, because § 405(a) of the bill expressly preempts all state laws “relating to” covered entities “to the extent that such provisions relate to the collection, use, or disclosure of” either “covered information” as defined in the bill or “personally identifiable information or personal identification information addressed in provisions of the law of a State.” (There are some carve-outs for state laws concerning the collection, use, or disclosure of health or financial information, required notifications pursuant to a data breach, and state laws that “relate to acts of fraud.” § 405(b)(2).)
The broad scope of preemption results from three factors. First, a comprehensive privacy law—regulating offline as well as online activity—by definition runs into the many state laws that currently protect information privacy. Second, Kerry-McCain isn’t a federal “floor” law like the Wiretap Act. It’s the opposite, setting a federal “ceiling.” So if it were enacted, states would be hampered from passing stronger protections for consumer privacy. Third, Kerry-McCain reaches entities like common carriers and non-profit organizations that the Federal Trade Commission (which under the bill would develop regulations) normally can’t regulate.
Thus, for example, Kerry-McCain likely preempts all state laws that protect the privacy of your phone records. Current California law protects telephone subscribers’ personal calling patterns, including numbers called, from being made available without first obtaining the residential subscriber’s written consent. Cal. Pub. Util. Code § 2891(a), et seq.; Cal. Penal Code § 638(a) (prohibiting any person from purchasing, selling, or offering or conspiring to purchase or sell “any telephone calling pattern records or list, without written consent of the subscriber”).
Such preemption might not be so bad if Kerry-McCain replaced the lost state protection with equivalent federal protection—but it doesn’t. California law provides a private right of action (to sue the telephone company and its employees) under § 2891(e); there’s no private right of action under Kerry-McCain.
The preemptive effect of Kerry-McCain would also affect enforcement of California law more broadly. Recall the earlier discussion of Business & Professions Code § 17200; it may be preempted as well. But even if it’s not, § 405(b) of the bill radically changes the enforcement picture, because of all state officials, only state attorneys general may bring actions that sound “in whole or in part” upon violations of Kerry-McCain—county district attorneys, city attorneys, etc., cannot. Remedies are restricted as well. Actions are authorized only in cases of economic or physical harm. § 403(a).
In short, we think that Kerry-McCain would preempt many state laws and weaken enforcement of those laws that it doesn’t preempt. We think that strips away the hard-won consumer protections many states have enacted, and could prevent new state-level protections from being passed in the future. We hope that the bill can be amended to eliminate these problems.