So far, 2017 has been a bad year for consumer privacy protections at the federal level. Congress repealed rules protecting internet customers’ browsing histories and other personal information from unwanted disclosure. The Federal Communications Commission (FCC) proposed a rollback of Title II “net neutrality” rules that includes a provision ceding its privacy protection role to the Federal Trade Commission (FTC), which has less authority to make and enforce privacy rules. In response, Americans have been showing up to their representatives’ town hall meetings to decry the broadband privacy repeal and demand stronger protections for their personal information. Enter the states.
State lawmakers are working to protect consumer privacy where the federal government has fallen short. The California legislature is considering privacy rules for IoT devices, and a geolocation privacy bill has received bipartisan support in Illinois. In May, 47 state attorneys general reached an $18 million settlement with Target over its 2013 data breach. And lawmakers in dozens of states have introduced bills attempting to codify the broadband privacy protections that Congress wiped away.
State privacy laws are not new. States have often led the way on consumer privacy in the absence of federal leadership. California’s 2004 Online Privacy Protection Act (Cal-OPPA) required websites to have privacy policies. In 2012, Maryland became the first state to prohibit employers from demanding employees’ social media passwords.
As the federal government continues to ignore constituents’ calls for basic privacy rights, the role of the states in protecting privacy is more important than ever. That’s why it’s disappointing to see federal lawmakers and industry groups attempt to gut states’ authority to protect consumers.
Last month, Rep. Marsha Blackburn introduced the BROWSER Act, a bill that would codify federal privacy protections, but in exchange for broad preemption of states’ authority to protect consumer privacy. While the bill would require opt-in consent for the use and sharing of sensitive personal information—a generally good idea—it fails to recognize the importance of federal-state cooperation in making and enforcing privacy laws.
Since at least the 1960s, the federal and state governments have recognized the importance of working together to protect consumers from unfair and deceptive business practices. In the past three decades, this federal-state cooperation has extended to digital privacy. State attorneys general have advanced privacy by bringing enforcement actions and shaping landmark state privacy laws such as Cal-OPPA. Forty-seven states have passed data breach legislation to help protect Americans’ sensitive personal information—including financial and health records—from disclosure. State AGs can often respond more quickly to unfair and deceptive business practices in their jurisdictions. Federal agencies simply lack the resources to police everyone’s privacy practices, and state AGs fulfill an invaluable role in addressing gaps in enforcement.
The U.S. needs a good federal solution to protect consumer privacy, and that solution can include limited preemption to prevent genuine conflicts between federal and state law. But overly broad state preemption, such as the provision found in the BROWSER Act, is a bad deal for consumers. It would reverse a long tradition of state leadership and cooperation in consumer privacy protection.