Tech Companies Push for Federal Privacy Law to Preempt California

A group of 40 major technology companies is pushing for a federal privacy law that would preempt the California Consumer Privacy Act before it takes effect, according to an article today by Reuters. Known as the Internet Association, they are supporting broad data subject access rights including reasonable access to personal information, the ability to correct or delete data, and data portability.

The proposals by the Internet Association were called “forward looking and very aggressive” by the group’s president and chief executive officer, Michael Beckerman. The group has called for new rules that are technology and sector neutral, covering data privacy at everyone from grocery stores and physical retailers to credit card firms and internet service providers, in addition to websites and mobile apps.

The White House has said in the past that it is working on a consumer privacy policy and it will be released this fall. Several different congressional representatives from the Senate Commerce Committee have also announced that they are planning to introduce legislation on the issue, in addition to the handful of bills that are already being considered in the U.S. House and Senate.

Federal preemption under the Supremacy Clause allows a national law to take effect despite a conflicting state law. In the absence of a federal law, state law can provide more protections to consumer, employees, and others on a variety of issues. However, if a state law interferes or conflicts with a national law, a federal court may require a state to stop enforcing it.

Section 1798.196 of the California Consumer Privacy Act reinforces the concept of preemption. It says: “This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.”

The press release from the Internet Association set forth six principles for the new privacy law, focused on transparency, controls, access, correction, deletion and portability. It also set forth several considerations for policymakers, including fostering privacy and security innovation, a national data breach notification law, clear notifications that avoid notice fatigue, technology and sector neutrality, a performance based approach rather than prescriptive regulations, and a risk-based framework that depends on the sensitivity of the personal information.

The push for a national privacy law by businesses comes at the same time that Americans are placing more importance on personal data privacy. A recent survey conducted by James Madison’s Montpelier on the personal importance of Constitutional issues found that personal data privacy rivaled civil rights and voting rights among Americans.

Ninety-five percent (95%) of respondents from the 2,500 U.S. adults surveyed said that data privacy was somewhat or extremely important to them. This nearly matched the percentage for civil rights and voting rights, while exceeding the responses for freedom of the press, freedom of religion and the right to bear arms.

The survey also asked how should the U.S. Constitution be amended or expanded. 42% of respondents said there should be more clarity on American’s privacy rights and 42% said that there should be more data privacy protections. They ranked #4 and #5 on the list of 12 options, beaten only by more restrictions on gun ownership, more clarity on Americans’ civil rights, and greater levels of gender equality.

With both the public and businesses supporting changes on privacy, the question is really whether Congress and the White House can come to an agreement on what a privacy law should look like and when it will happen. It seems unlikely that anything will happen during the short legislative window this fall before the national elections in November, and the legislature may look very different next year. Despite the push for a federal privacy law and preemption, it is still far too early in the process for business’ to halt their preparations for California. And it looks like many of the core concepts of the California Consumer Privacy Act (particularly, the right to access and the right to delete) will be rolled into a new federal law anyway.

More from Clarip

Read the latest privacy news on the Clarip Blog.

Try our GDPR data mapping software to improve your Article 30 Records of Processing Activities and vendor risk management under Article 28.