As states have continued to debate and pass new comprehensive privacy statutes – such as those in Virginia and Colorado – a common refrain from business leaders is the need for a comprehensive federal privacy statute that will lessen the need to comply with a patchwork of state laws. Indeed, the absence of serious privacy protections at the federal level – something akin to PIPEDA in Canada or the GDPR in Europe – has long spurred states to act as online data gathering and brokering has grown and advanced well beyond what most extant federal law contemplates. But a recent meeting of the California Privacy Protection Agency (“CPPA”) – the state agency responsible for enforcing the California Privacy Rights Act of 2020 – suggests that at least some states may not be content to be mere forerunners to comprehensive national legislation.
The CPPA called a special meeting in late July to consider the American Data Protection and Privacy Act (“ADPPA”) that was advanced out of the Energy and Commerce Committee of the US House of Representatives. Agency staffers authored two memoranda for consideration that strongly opposed the current ADPPA draft because it would pre-empt many salient features of existing California law. In one sense, this is hardly surprising; the calls for uniformity and predictability that have led to momentum for the ADPPA necessarily seek to limit differences in state law, not preserve them. The issue was hotly debated in the Energy and Commerce Committee as California representatives called for the creation of a “federal floor” akin to that offered in the health information space by HIPAA – that is, a minimum federal standard that could be supplemented by more stringent state laws – rather than a uniform standard. But the amendment offered by the California delegation was not approved, at least for now, leading not only the CPPA but also California Governor Gavin Newsom publicly to opposed the ADPPA. Governor Newsom sent a letter to Energy and Commerce Committee Chairman Frank Pallone arguing that national legislation should “not undermine the state protections Californians already enjoy.”
While both the CPPA and Newsom phrased their opposition in terms of consumer protection, it is hard to consider the fraught state/federal privacy dynamic without also considering the privacy chaos unleashed by the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. Federal regulators have moved swiftly to use the government’s primary existing tools – namely the Federal Trade Commission Act and HIPAA – to protect against or at least mitigate the effects of state laws that may attempt to gather data about individuals seeking, receiving, or providing reproductive health care. But California officials and those in other states also know that elections in 2024 and beyond could bring federal authorities with very different priorities when it comes to privacy. That knowledge is likely to continue to influence privacy debates in statehouses across the country.