A New Federal Law Should Be the Floor – Not the Ceiling – for Online Privacy and Civil Rights Protections, Groups Say
30 May 2019 – Any new federal law protecting online privacy and digital rights should be a floor, not a ceiling, and must not preempt or block state-level protections, a coalition of nine digital rights groups told lawmakers and reporters today.
All 50 states plus the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws on the books that safeguard online privacy and security – such as data breach notification requirements, identity theft protections, electronic health record protections, data disposal rules and data protections for schoolchildren.
Broad preemption – in which federal policy would supersede state policy – would wipe out these protections and block future safeguards, leaving consumers worse off and less secure than they are today – while tech companies would be permitted to conduct business as usual without stricter oversight. That’s exactly why tech titans are using their giant bank accounts, army of lobbyists and Washington insider connections to rig the rules in their favor, leaving states and the public with no meaningful recourse, the groups said.
As has been widely reported, big tech companies are pushing for preemption to avoid having to comply with the California Consumer Privacy Act (CCPA), set to take effect in 2020. Their ostensible support for a federal law is actually a red herring – an attempt to “hit delete on all state data protection laws,” as Federal Trade Commissioner Rohit Chopra put it.
In their document, the groups outlined several key reasons why any new federal privacy law must not interfere with states’ ability to implement and enforce stronger protections:
- States are laboratories of democracy in our system of government – able to respond more quickly and more precisely to emerging challenges and test innovative solutions that, if successful, can be adopted nationwide.
- Local regulators are better positioned than the federal government to recognize which communities are disproportionately impacted and how. Often, they are the first to notice and act when consumers are harmed by reckless and exploitative corporate practices.
- Any new law – even the strongest law possible – will be out of date within a few years, given the rapid pace of technological change and deliberate efforts by tech companies to outwit and outmaneuver regulators. States can update protections and add new ones more quickly than federal lawmakers, who can take years or decades to act.
- Stronger state protections can mitigate a systemic crisis, as recent history suggests. If state regulators’ hands hadn’t been tied by preemption in the 1990s and 2000s, they could have reined in the home lending abuses that led to the 2008 financial crisis.
Tech giants often misleadingly claim that a patchwork of state laws would interfere with their ability to do business, but the reality is that they simply can follow the strongest state law and give consumers everywhere the same robust protections. There’s no reason – either technical or financial – that some the most profitable companies in human history should have any problem complying with even a wide variety of high privacy, security and anti-discrimination standards. The truth is that the tech titans don’t want to be held accountable by the public, the groups said.
QUOTES FROM EXPERTS
“Given that technology evolves at hyperspeed and usually behind closed doors, any federal law enacted today soon will be out of date. Big Tech knows that preemption in a federal law would allow the industry to get away with continuing business as usual – constant exploitation of consumers’ intimate personal information and their civil rights – now and long into the future.”
- Kristen Strader, digital rights advocate, Public Citizen
“States are the laboratories of democracy and have led the way on privacy and security in the U.S. – all 50 states passed data security laws before Congress was able to. Congress shouldn’t step in now to prevent states from protecting the privacy of their residents.”
- Christine Bannan, consumer protection counsel, EPIC
“The number one demand of the powerful interests demanding a federal privacy law is to preempt the states. Special interests don’t want citizens, let alone consumers, to have broad rights against privacy harms or set limits on facial surveillance. Those are just two of the many areas where states are taking the lead, but it is highly unlikely Congress will do anything good.”
- Ed Mierzwinski, senior director for consumer programs. U.S. PIRG
“A federal privacy law will be helpful only if it provides strong baseline protections and federal enforcement, not if it blocks the states from enforcing the laws they already have on the books and responding to future privacy challenges.”
- Susan Grant, director of consumer protection and privacy, Consumer Federation of America