
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

15 State Attorneys General Ask Congress to Respect State Privacy Laws

The American Privacy Rights Act (APRA), the successor of the American Data Privacy and Protection Act (ADPPA), has been criticized by 15 State Attorneys General who are urging Congress not to proceed with the proposed federal data privacy law in its current form.

A draft of the APRA was released in April 2024 that addressed some of the problems with the ADPPA that prevented the bill from progressing. While the APRA could win over some of the critics of the ADPPA, one of the main sticking points was the preemption of state laws, and that issue has not been properly addressed in the APRA. If the APRA is passed, residents of states with weak privacy protections would benefit and get new rights and protections for their personal data, but states with strong data privacy laws would see their protections watered down.

One of the states with the strongest privacy protections is California. California was the first state to enact a comprehensive privacy law in 2018, and since then, 17 other states have followed suit and introduced laws that give consumers better rights over their personal data, those states being Colorado, Connecticut, Maryland, Virginia, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, New Hampshire, and Kentucky.

California Attorney General Rob Bonta recently wrote to Congress to push back against the APRA, and his letter was co-signed by Attorneys General in 14 other states – Connecticut, Delaware, District of Columbia, Hawaii, Illinois, Maine, Maryland, Massachusetts, Minnesota, Nevada, New York, Oregon, Pennsylvania, and Vermont – whose residents are likely to be less well protected if the legislation is passed. While the APRA addresses some of the issues with the ADPPA that led to the latter being shelved, Attorney General Bonta and the co-signers are unhappy with some of the provisions of the current draft of the APRA.

Bonta and the co-signers of the letter are not opposed to a federal data privacy law, and they welcome many of the provisions of the APRA, such as data minimization by default, strong consent requirements, and protections for minors under 17 years of age; however, they are opposed to a data privacy law that sets a floor for data privacy and consumer privacy rights rather than a ceiling.

The main issue with the proposed privacy law is that the draft currently being considered prohibits states from adopting, maintaining, enforcing, or continuing in effect, any law, regulation, rule, or requirement that is covered by the provisions of the APRA. States will be forced to accept the provisions of APRA and will not be able to improve protections.

The state Attorneys General recommend enacting a federal privacy law that respects rather than preempts more rigorous and protective state laws, especially given the fast pace of change with technology. As has been demonstrated on multiple occasions, states have been able to rapidly pass laws in response to changing data collection practices and advances in technology.

Residents in states with comprehensive data privacy laws have been enjoying the privacy protections and rights that state laws give them, and businesses have adapted and implemented mechanisms to respect consumer rights, for instance, online user-enabled global opt-out mechanisms such as the Global Privacy Control. If APRA is enacted, there would be at least two more years of waiting before consumers could exercise their privacy rights under the Global Privacy Control.

Some states have passed laws that require reasonable data safety safeguards to be implemented by businesses and have introduced special protections for data types that could be used to commit identity theft. “States have played a critical role in nimbly adapting to real-world circumstances and setting new minimum data privacy standards that have not impeded business or curtailed technology. Congress should seek to preserve, not jeopardize, these protections,” wrote the Attorneys General.

In the letter, the State Attorneys General highlighted other federal laws that have been successful at improving data privacy and security while respecting states that want to improve protections further. The Health Insurance Portability and Accountability Act (HIPAA) sets minimum standards for data privacy and security for healthcare organizations. If states want to improve protections further still – Texas for example with HB300 – they are free to do so. States also have the authority to enforce compliance with HIPAA.

The state Attorneys General criticized the language of the APRA with respect to enforcement. While state Attorneys General are given a role in enforcement of the APRA, their ability to investigate violations will be hampered due to the current language of the bill.

“Ordinarily, a violation of a federal law or standard could also be a violation of state consumer protection law. But [APRA] Section 20 would act as a bar to investigate violations of the federal law, because it prohibits them from forming the basis for state consumer protection claims,” explained the Attorneys General in the letter. “This language unnecessarily interferes with robust enforcement capabilities.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
