"It is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country."
--New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting).
EPIC's State Policy project, launched in the Spring of 2015, provides expertise to shape strong state privacy and open government laws.
State Policy News
- California Enacts Genetic Information Privacy Act: This week, Governor Gavin Newsom signed the California Genetic Information Privacy Act, which had been passed unanimously by the California Senate and Assembly in September. The Act requires direct-to-consumer genetic testing companies to provide consumers with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. The law imposes civil penalties for violations, enforced by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor. EPIC tracks state genetic privacy laws through its State Policy Project. (Oct. 8, 2021)
- Florida House of Representatives Passes Florida Privacy Protection Act: The Florida House of Representatives today passed the Florida Privacy Protection Act, HB 969, on a 118-1 vote. The bill gives Floridians the right to know what information companies have collected about them, the right to delete and correct that information, the right to opt-out of the sale or sharing of their personal information, strong limits on the retention of their data, and additional protections for their children’s privacy. Critically, the bill would create robust enforcement mechanisms, including a private right of action, to ensure companies do not flout the law. EPIC and a coalition of privacy and consumer organizations had previously sent letters to Florida Governor Ron DeSantis, the Florida House Commerce Committee, and Florida's Senate Rules Committee urging them to preserve private rights of action in the bill. "The inclusion of a private right of action in HB 969 and SB 1734 is the most important tool the Legislature can give to Floridians to protect their privacy," the groups wrote. "The statutory damages set in privacy laws are not large in an individual case, but they can provide a powerful incentive in large cases and are necessary to ensure that privacy rights will be taken seriously and violations not tolerated. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined." The Senate Rules Committee removed the private right of action provisions from the Senate bill, but the Senate could restore the crucial enforcement provision on the floor this week. (Apr. 21, 2021)
- EPIC Urges Florida Lawmakers to Pass Strong Privacy Law (Apr. 14, 2021)
- EPIC, Coalition Urge Florida Lawmakers to Preserve Private Right of Action (Apr. 5, 2021)
- Virginia Governor Signs Consumer Data Protection Act (Mar. 3, 2021)
- EPIC to Maryland Legislators: Security Questions Need Upgrade (Feb. 9, 2021)
- Tech Companies Block Washington State Privacy Law (Mar. 13, 2020)
- EPIC, Coalition Recommend Changes to Pending Washington Privacy Law (Mar. 5, 2020)
- EPIC Advises New York Senate on Privacy Legislation (Nov. 21, 2019)
- Pew: States Battle Big Tech Over Data Privacy Laws (Jul. 31, 2019)
- Utah Becomes First State to Require Warrant for Data Held by Third-parties (Apr. 1, 2019)
- Idaho Enacts Law Requiring Transparency in Pre-Trial Risk Assessments (Mar. 28, 2019)
- EPIC to Senate Committee: Privacy Rules Can Help Level Playing Field for Small Business (Mar. 26, 2019)
- California AG Proposes Stronger Enforcement for State Privacy Law (Feb. 28, 2019)
- State Consumer Protection Report Highlights Privacy Cases (Feb. 12, 2019)
- New Hampshire Voters Establish Constitutional Right to Informational Privacy (Nov. 8, 2018)
- California Bans Anonymous Bots, Regulates Internet of Things (Oct. 2, 2018)
- California Passes Milestone Privacy Law (Jun. 28, 2018)
- Secret Ballot At Risk in Colorado As Governor Considers "Ballot Selfie" Bill (Mar. 16, 2017)
- EPIC Urges Massachusetts High Court to Protect Email Privacy (Oct. 24, 2016)
- Massachusetts Court Upholds Privacy Rights of Cell Phone Users (Sep. 28, 2016)
- Secret Ballot At Risk in Maryland After Election Board Vote (Sep. 27, 2016)
- EPIC, Verified Voting, Common Cause Release Report on Ballot Secrecy (Aug. 18, 2016)
- EPIC Urges Wisconsin Legislature to Safeguard Student Privacy (Aug. 17, 2016)
- States Adopt New Student Privacy Safeguards (Jun. 21, 2016)
- Amendment Would Overturn Model Facial Recognition Privacy Law (May. 27, 2016)
- NY Attorney General Reports 40% Increase in Data Breaches (May. 5, 2016)
- Privacy in the States: Data Breach Notification in TN, Drone Surveillance in OR (Apr. 15, 2016)
- EPIC to Testify before Pennsylvania Senate on Domestic Drone Surveillance (Mar. 14, 2016)
- EPIC FOIA - Information about Controversial DNA Forensic Technique Released (Feb. 23, 2016)
- California AG Releases 2016 Data Breach Report, Retail and Financial Sectors Most Vulnerable (Feb. 18, 2016)
- In Court: EPIC Urges Massachusetts to Protect Student Privacy (Nov. 23, 2015)
- EPIC Obtains Documents on Secret DNA Forensic Source Code (Nov. 10, 2015)
- New Mexico Supreme Court Finds Warrantless Aerial Surveillance Violates Fourth Amendment (Oct. 19, 2015)
- EPIC Pursues Public Release of Secret DNA Forensic Source Code (Oct. 14, 2015)
- California Rejects Warrantless Surveillance, Enacts "CalECPA" (Oct. 9, 2015)
- California Enacts Innovative Privacy Protections for Drones and SmartTVs (Oct. 9, 2015)
- EPIC Urges Wisconsin to Protect SSNs of Job Seekers (Sep. 15, 2015)
- In the States: California Governor Vetoes Drone Privacy Bill (Sep. 14, 2015)
- In the States: Delaware Enacts Several Privacy Laws (Aug. 10, 2015)
- In the States: NH Adopts Location Privacy Law (Jul. 28, 2015)
- States Adopt Privacy Laws for Student Data, Breach Notification, License Plate Readers, and Drones (Jul. 2, 2015)
- EPIC Urges California Supreme Court to Protect Open Records Law (Jun. 25, 2015)
- South Carolina Requires Police Body Cameras, But Blocks Public Access to Footage (Jun. 12, 2015)
- Florida Blocks Public Access to Police Body Camera Footage (May. 27, 2015)
- California AG Urges Congress to Reform Data Breach Notification Bill (May. 21, 2015)
- New Drone Privacy Law Signed by Florida Governor (May. 17, 2015)
- EPIC Launches State Policy Project (May. 5, 2015)
- EPIC Comments on Maryland Drone Bill (Mar. 17, 2015)
- EPIC: Privacy Issues A-Z
- Privacy Journal: Compilation of State and Federal Privacy Laws
- National Conference of State Legislatures (NCSL): NCSL provides research and tools for state legislatures and others interested in state-level policy on a wide range of topics, including telecommunications and information technology.
- Council of State Governments (CSG): CSG is a region-based forum that fosters the exchange of insights and ideas to help state officials shape public policy.
- National Governors Association (NGA): The NGA is the bipartisan organization of the nation’s governors.
- National Association of Attorneys General (NAAG): The NAAG is the bipartisan organization of the nation’s attorneys general.
- National League of Cities (NLC): The NLC is a resource for idea-sharing among cities nationwide.
- The United States Conference of Mayors (USCM): USCM is the official non-partisan organization of cities with populations of 30,000 or more.
- OpenStates.org: OpenStates.org, a project of the Sunlight Foundation, is a collection of tools that make it possible for citizens to track what is happening in state legislatures by aggregating information from all 50 states, Washington D.C., and Puerto Rico.
- LegiNation: LegiNation is a legislative tracking resource which provides great tools for creating bill sheets and receiving updates on tracked bills via e-mail.
- GovTrack: GovTrack now provides tracking services of state bills in addition to bills filed in Congress. It uses a combination of data from LegiNation and LegiScan, Inc., as well as some information from Open States.
In the context of legislation, preemption refers to whether a law restricts the authority of states, counties, or cities to enact or enforce their own policies. Preemption is an issue of legislative power--if the federal government preempts the states on a field of law, that action effectively expands the jurisdiction of Congress to the detriment of states and local governments. Congress' power to preempt state and local laws stems from the Supremacy Clause of the U.S. Constitution.
Federal preemption can take two forms--federal floor and federal ceiling preemption. In most consumer and civil rights legislation, federal law serves as a floor of protections. This "federal floor preemption" only supersedes weaker state laws, and it allows states, counties, and local governments to pass stronger laws. Under federal floor preemption, federal law only supersedes state and local law that conflicts with or is contrary to federal law.
Historically, Privacy Law Allows States to Provide Greater Protections
In privacy and consumer protection law, federal ceiling preemption is an aberration. Historically, federal privacy laws have not preempted stronger state protections or enforcement efforts. Federal consumer protection and privacy laws, as a general matter, operate as regulatory baselines and do not prevent states from enacting and enforcing stronger state statutes. The Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver's Privacy Protection Act, and the Gramm-Leach-Bliley Act all allow states to craft protections that exceed federal law.
Although the federal government has enacted privacy laws, most privacy legislation in the United States is enacted at the state level. Many states have privacy legislation on employment privacy (drug testing, background checks, employment records), Social Security Numbers, video rental data, credit reporting, cable television records, arrest and conviction records, student records, tax records, wiretapping, video surveillance, identity theft, library records, financial records, insurance records, privileges (relationships between individuals that entitle communications to privacy), and medical records.
The National Association of Attorneys General Privacy Subcommittee has also argued that the states have a traditional role in regulating privacy:
Consumer protection has traditionally been an area where the states' power to ensure fair competition and informed consumer choice has been preserved, not eliminated. This structure has worked well for many years and no need to alter it in the area of privacy has been demonstrated. Preemption of state law will only undermine consumer confidence in their dealings with the financial institutions, e-tailers and other on and offline businesses. This conclusion is especially powerful with respect to financial information, where Congress has already recognized the utility of privacy protections enacted at the state level.
There is a presumption in American law that state and local governments are primarily responsible for matters of health and safety. Hillsborough County v. Automated Medical Laboratories, 471 U.S. 707 (1985) (there is a "presumption that state or local regulation of matters related to health and safety is not invalidated under the Supremacy Clause"). Privacy is included in the category of health and safety issues as an area of regulation historically left to the states. For instance, in Hill v. Colorado, the Supreme Court upheld a law protecting the privacy and autonomy of individuals seeking medical care, as the law was intended to serve the "traditional exercise of the States' 'police power to protect the health and safety of their citizens.'" 530 U.S. 703 (2000).
EPIC's previous work on preemption
EPIC has previously argued against federal ceiling preemption. EPIC has testified before Congress that, particularly in the rapidly changing world of information security, the states must be given room to innovate:
"Because states enjoy a unique perspective that allows them to craft innovative programs to protect consumers, they should be permitted to continue to operate as "laboratories of democracy" in the privacy and data security arena. State legislatures are closer to their constituents and the entities they regulate; they are the first to see trends and problems, and are well-suited to address new challenges and opportunities that arise from evolving technologies and business practices. This is why privacy bills have typically created a federal baseline and allowed the states to adopt more stringent safeguards if they wish.
There is an additional reason that we believe weighs against preemption in the information security field: these problems are rapidly changing and the states need the ability to respond as new challenges emerge." (Source)
EPIC has also argued against preemption in federal court. In ABA v. Brown (formerly ABA v. Lockyer), financial services companies sued to invalidate the California Financial Information Privacy Act, the strongest financial privacy protection in the nation at the time, arguing that the law was preempted by the federal Fair Credit Reporting Act. EPIC and a coalition of groups representing 41 million individuals argued in an amicus brief that preemption of state law weakens protections against identity theft and consumer privacy. The Supreme Court ultimately upheld the California law.
Additional EPIC statements on preemption:
- EPIC's testimony on the SAFE Data Act before the U.S. House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade. (2011)
- EPIC's testimony on Identity Theft: A Victim's Bill of Rights before the U.S. House Committee on Oversight and Government Reform, Information Policy, Census and National Archives Subcommittee. (2009)
- EPIC's comments to the FCC opposing preemption of junk fax laws. (2006)
- EPIC's comments urging the FCC not to preempt strong anti-telemarketing laws. (2005)
- EPIC's ABA v. Brown Amicus brief opposing preemption. (2004)
- EPIC comments to the Office of the Comptroller of the Currency on Rules, Policies, and Procedures for Corporate Activities; Bank Activities and Operations; Real Estate Lending and Appraisals, Docket No. 03-02. (2003).
- EPIC's testimony, Consumer Privacy Protection Act of 2002, HR 4678, before the Subcommittee on Commerce, Trade and Consumer Protection, House Committee on Energy and Commerce. (2002).
- EPIC's testimony, Hearing on Privacy in the Commercial World, before the Subcommittee on Commerce, Trade, and Consumer Protection Committee on Energy and Commerce U.S. House of Representatives. (2001).
If you have questions, please contact EPIC's State Policy Coordinator.