Privacy Preemption Watch

Top News

  • National Association of Attorneys General to Focus on "Privacy in Digital Age": The National Association of Attorneys General has elected Maryland Attorney General Doug Gansler president during its summer meeting. Gansler announced a new initiative for the organization -- "Privacy in the Digital Age" -- that will “bring the energy and legal weight of this organization to investigate, educate and take necessary steps to ensure that the Internet’s major players protect the privacy of online consumers while balancing their legitimate business interest.” Recently AG Gansler met with consumer and privacy advocates at a meeting hosted by the Privacy Coalition. And earlier this year, the organization sent a letter asking Google for a meeting to discuss the company’s plans to consolidate the personal information of users of Google’s products and services. For more information, see EPIC: Google Consent Order and EPIC: Privacy Preemption Watch. (Jun. 22, 2012)
  • Supreme Court Maintains California Financial Privacy Law: Today the Supreme Court denied review of the California law that provides customers with privacy safeguards for financial data. The law limits the sale of personal information by financial firms to affiliates, and imposes opt-in requirements. The Ninth Circuit upheld substantial portions of the California Financial Information Privacy Act. EPIC filed a brief in that case favoring the law. Financial firms argued that the California statute conflicts with other federal rules. The Justice Department recommended that the Supreme Court leave the state statute in place. See EPIC ABA v. Brown and EPIC Privacy and Preemption Watch. (Jun. 29, 2009)
  • Obama Administration Recommends that Supreme Court Preserve California Financial Privacy Law, Dismiss Bankers' Appeal: In a filing this week, the Department of Justice urged the nation's highest court to leave intact California's financial privacy law, saying the law does not impose hardships on banks. The California law provides strong financial privacy safeguards, including the right to curtail sale of personal information by financial firms to affiliated companies, and to bar the sale of data to non-affiliates unless consumers explicitly "opt-in." A consortium of financial services companies has challenged the law and, in December 2008, asked the Supreme Court to consider the case. The firms argued that the California statute conflicts with other federal rules. The Supreme Court requested the Administration's view on the case, and has often followed the Department's opinions. Earlier in the litigation, EPIC urged a federal appeals court to uphold the California privacy law. For more information, see EPIC's ABA v. Brown and Privacy and Preemption Watch pages. (Jun. 5, 2009)
  • Supreme Court Backs State Consumer Protection Law: Today, America's highest court affirmed the authority of states to establish safeguards that provide stronger consumer protections than federal laws. Cigarette companies challenged a Maine consumer protection law that prohibits unfair or deceptive trade practices, claiming that a weaker federal law "pre-empted" the Maine measure. However, the Supreme Court upheld the state protections, holding that the Maine law was not pre-empted by the Federal Cigarette Labeling and Advertising Act or federal regulators' authority. Many states have passed strong consumer privacy laws that private companies hope to preempt with weaker federal laws. The decision also follows President-elect Barack Obama's statement that "a single courageous state may, if its citizens choose, serve as a laboratory." Obama's statement echoes Supreme Court Justice Louis Brandeis, who advocated for state lawmakers' broad freedom to create innovative consumer protections as "laboratories of democracy." (Dec. 15, 2008)
  • Federal Court Preempts Landmark California Financial Privacy Law. A federal district court has held (PDF) that the Fair Credit Reporting Act supersedes, or "preempts," portions of California's landmark financial privacy law. The financial services industry challenged the law, known as SB 1, that allowed Californians to curtail the sale of personal information among a company's affiliates, that is, companies with the same ownership or control. Despite the ruling, provisions of California law that require opt-in consent before data can be sold to third parties (non-affiliates) are still valid. (Oct. 3, 2005)
  • Privacy Groups, Senators Oppose Preemption of Anti-Telemarketing Laws. EPIC and 11 consumer advocacy groups urged the Federal Communications Commission not to preempt strong anti-telemarketing laws. Retailers like the Sports Authority, banks, and telemarketers are trying to invalidate all state telemarketing laws, which would lead to a massive increase of unwanted sales calls. Sen. Bill Nelson and nine other senators also filed a letter (pdf) opposing preemption. For more information, see the Indiana Attorney General's Save the Do Not Call List and EPIC Telemarketing Preemption pages. (Jul. 29, 2005)
  • California SB 1 Upheld, Takes Effect Today. A federal judge has upheld (PDF 630k) California's SB 1, the strongest consumer financial privacy law in the country, which takes effect today. Under SB 1, individuals may opt-out of affiliate sharing, and banks are required to obtain opt-in consent before selling data to third parties. Bankers groups had challenged the law, arguing that the federal Fair Credit Reporting Act preempted it, but Judge Morrison C. England, Jr. ruled otherwise, holding that the federal Gramm-Leach-Bliley Act allows states to erect strong financial privacy protections. For more information, see EPIC's Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and ABA v. Lockyer Pages. (July 1, 2004)


In the context of legislation, preemption refers to whether a law restricts the authority of states, counties, or cities to enact or enforce their own policies. Preemption is an issue of legislative power--if the federal government preempts the states on a field of law, that action effectively expands the jurisdiction of Congress to the detriment of states and local governments. Congress' power to preempt state and local laws stems from the Supremacy Clause of the U.S. Constitution.

Federal preemption can take two forms--federal floor and federal ceiling preemption. In most consumer and civil rights legislation, federal law serves as a floor of protections. This "federal floor preemption" only supersedes weaker state laws, and it allows states, counties, and local governments to pass stronger laws. Under federal floor preemption, federal law only supersedes state and local law that conflicts with or is contrary to federal law.

Conversely, "federal ceiling preemption" prevents states and other political entities from passing stronger laws. It can act as an absolute bar to state and local legislation or enforcement.

In analyzing laws, courts look to Congressional intent in order to determine whether Congress preempted state or local authority. In the absence of express legislative intent, by default federal floor preemption applies, allowing states and local authorities to enact or enforce stronger policies. However, courts will find that federal ceiling preemption can apply where Congress enacts a law that "occupies the field" of regulation and thereby leaves "no room" for state action. This is referred to as "field preemption." For instance, courts have found that federal interests are dominant in foreign affairs regulations, and have thus invalidated state laws in that field. Hines v. Davidowitz, 312 U.S. 52 (1941). However, health and safety matters are generally thought to be state concerns, and legislation in these areas is normally not preempted.

In the 1990s, the preemption debate focused mainly on state legislatures that were preempting counties, towns, and cities from passing legislation on tobacco regulation. The tobacco companies had discovered that they could operate effectively on the state level, and prevent towns from passing regulations on cigarette vending machines and indoor air quality. Members of state legislative bodies were more likely to be influenced by tobacco interests, as their policy making decisions occurred at a level of abstraction that removed them from actual consequences of the laws passed. Local politicians, on the other hand, directly experienced and were more accountable for the regulations that they promulgated.

Preemption is controversial in a number of areas, including financial services, utilities regulation, product and food safety, workplace safety, minimum wage, health care, ERISA, and gun control. This web page focuses on the policy rationale underlying preemption and privacy legislation.

Preemption Examples

Preemption and FCRA

Preemption is a frequently debated topic in the current Congress because provisions of the Fair Credit Reporting Act (FCRA) that preempt state law in six areas will soon expire. If Congress does not act to extend this preemption, state legislatures will be able to pass stronger consumer protections.

The FCRA, like many other privacy statutes, provides a federal baseline of protections for individuals. The FCRA is only partially preemptive, meaning that except in a few narrow circumstances, state legislatures may pass laws to supplement the protections made by the FCRA. For instance, some states have passed laws requiring the credit reporting agencies (CRAs) to provide reduced cost, or free credit reports.

In a number of important areas state legislation is preempted until January 1, 2004. After that date, states may enact stronger laws on prescreening (what constitutes a "firm offer" of credit, rules for opting out of receiving prescreened offers of credit), compliance duties (time in which a CRA must respond to reports of inaccuracies), user duties (notice and other requirements when a credit report is used for an adverse action), content of reports (length of time negative information can appear on the report), the duties of furnishers (accuracy of information provided, correction duties, notice of closed or disputed accounts), affiliate sharing, and the disclosures that CRAs must make to consumers.

In 1996, when the most recent amendments to the FCRA passed, certain state laws were grandfathered in, and are not preempted by the federal law. Stricter laws exist on affiliate sharing (Vermont) and on duties of furnishers (California and Massachusetts).

Preemption and the OCC

The Office of the Comptroller of the Currency (OCC) announced that it would amend its regulations regarding "visitorial powers" over national banks in 2003. Visitorial powers include the authority to supervise national banks through on-site examinations, and to take administrative enforcement action against national banks, such as proceedings for issuing cease and desist orders and civil penalties or ordering the removal of a national bank director or officer. The OCC's interpretation of these powers, however, would expand the agency's authority and eliminate the authority of states to sue national banks in court to enforce state laws, including consumer protection and privacy laws. EPIC filed comments opposing a broad reading of the OCC's visitorial powers in April 2003.

Preemption and Consumer Privacy

Preemption is a critical issue in the broader consumer privacy debate. H.R. 1636, the Consumer Privacy Protection Act of 2003, introduced by Representative Cliff Stearns (R-FL), contains a super-preemption clause that would supersede all state common and statutory law. Such a broad provision would prevent states from passing privacy laws in every sector (medical, financial, insurance, educational, etc.) and would prevent courts from developing new protections for privacy from state Constitutional and statutory provisions.

  • Testimony of Marc Rotenberg, Consumer Privacy Protection Act of 2002, HR 4678, before the Subcommittee on Commerce, Trade and Consumer Protection, House Committee on Energy and Commerce, September 24, 2002.
  • Testimony of Marc Rotenberg, Hearing on Privacy in the Commercial World, before the Subcommittee on Commerce, Trade, and Consumer Protection Committee on Energy and Commerce U.S. House of Representatives, March 1, 2001.

Policy Rationale

Historically Most Privacy Law Allows States to Provide Greater Protections

In privacy and consumer protection law, federal ceiling preemption is an aberration. Historically, federal privacy laws have not preempted stronger state protections or enforcement efforts. Federal consumer protection and privacy laws, as a general matter, operate as regulatory baselines and do not prevent states from enacting and enforcing stronger state statutes. The Electronic Communications Privacy Act, the Right to Financial Privacy Act, the Cable Communications Privacy Act, the Video Privacy Protection Act, the Employee Polygraph Protection Act, the Telephone Consumer Protection Act, the Driver's Privacy Protection Act, and the Gramm-Leach-Bliley Act all allow states to craft protections that exceed federal law.

Although the federal government has enacted privacy laws, most privacy legislation in the United States is enacted at the state level. Many states have privacy legislation on employment privacy (drug testing, background checks, employment records), Social Security Numbers, video rental data, credit reporting, cable television records, arrest and conviction records, student records, tax records, wiretapping, video surveillance, identity theft, library records, financial records, insurance records, privileges (relationships between individuals that entitle communications to privacy), and medical records.

The National Association of Attorneys General Privacy Subcommittee has also argued that the states have a traditional role in regulating privacy:

Consumer protection has traditionally been an area where the states' power to ensure fair competition and informed consumer choice has been preserved, not eliminated. This structure has worked well for many years and no need to alter it in the area of privacy has been demonstrated. Preemption of state law will only undermine consumer confidence in their dealings with the financial institutions, e-tailers and other on and offline businesses. This conclusion is especially powerful with respect to financial information, where Congress has already recognized the utility of privacy protections enacted at the state level.

There is a presumption in American law that state and local governments are primarily responsible for matters of health and safety. Hillsborough County v. Automated Medical Laboratories, 471 U.S. 707 (1985) (there is a "presumption that state or local regulation of matters related to health and safety is not invalidated under the Supremacy Clause"). Privacy is included in the category of health and safety issues as an area of regulation historically left to the states. For instance, in Hill v. Colorado, the Supreme Court upheld a law protecting the privacy and autonomy of individuals seeking medical care, as the law was intended to serve the "traditional exercise of the States' 'police power to protect the health and safety of their citizens.'" 530 U.S. 703 (2000).

Preemption Stops States From Performing In Their Traditional Role as "Laboratories of Democracy"

"It is one of the happy incidents of the federal system that a single courageous State may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country."
--New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting).

States enjoy a unique perspective that allows them to craft innovative programs to protect consumers. State legislatures are closer to their constituents and the entities they regulate. They are the first to see trends and problems, and are well-suited to address new challenges and opportunities that arise from evolving technologies and business practices.

An entire appendix to the 1977 Report of the Privacy Protection Study Commission was devoted to "Privacy Law in the States." This portion of the report speaks strongly to the value of state privacy protection:

Through constitutional, statutory, and common law protections, and through independent studies, the 50 States have taken steps to protect the privacy interests of individuals in many different types of records that others maintain about them. More often than not, actions taken by State legislatures, and by State courts, have been more innovative and far reaching than similar actions at the Federal level...the States have also shown an acute appreciation of the need to balance privacy interests against other social values.

The report concludes:

This volume [the appendix to the 1977 report] underscores the central role the States can play as protectors of personal privacy and, more broadly, individual liberty...The States have demonstrated that they can, and do, provide conditions for experiments that preserve and enhance the interests of the individual in our technological, information-dependent society.

State lawmakers have expressed similar observations about the role of diverse decision making authority. As North Carolina State Representative Dan Blue has argued:

Federal preemption of state and local law presents a very serious challenge to our constitutional system of federalism...One of the advantages of federalism is that it allows for greater responsiveness and innovation through local self-government. State and local legislatures are accessible to every citizen. They work quickly to address problems identified by constituents. The large number of state and local legislatures encourages innovation. A new policy is tested in one jurisdiction. If it works, other jurisdictions try it. If a mistake is made, it can quickly be corrected. But, if the policy jurisdiction of a state or locality has been preempted, then it cannot respond and it cannot innovate.

Federal preemption can dilute more vigorous protections and policy debates that occur at the state level. Roopali Mukherjee and Rohan Samarajiva found in a detailed study (Regulating "Caller ID:" emulation and learning in US state-level telecommunication policy processes, Telecommunications Policy, Vol. 20 No. 7 pp. 531-542, 1996) of Caller ID policy approaches that the Federal Communications Commission's position was much weaker than those developed by the states:

...the FCC's rules deviated from the dominant trend state by state PUCs. Moreover, the FCC's rules pre-empted stronger protections effective in 37 states by that time...

...It appears that the FCC was effectively insulated from the emulation and learning processes at work at the state level...The FCC's record on telecommunications privacy issues is minimal. Outflow [of personal information] concerns, in particular, have received little or no attention. Where privacy concerns have been raised, the FCC has consistently overridden them with concerns regarding competition. Decisions on Customer Proprietary Network Information (CPNI) and Automatic Number Identification (ANI) exemplify the FCC's stance...

...while the majority of state regulators moved to higher-privacy solutions by 1994, the FCC stayed with per-call blocking. This suggests that emulation and learning did not take place at the federal level. FCC Commissioners and staff were unlikely to have been heavily involved in policy networks in which state regulators participated quite vigorously. In the absence of learning from state-level networks, the FCC remained unconvinced about outflow concerns, and thereby with higher-privacy solutions.

State Legislators and Law Enforcers are More Accountable to the Public Interest

State and local governing bodies are more accountable to their constituents. As a result, it is likely that stronger protections will emerge from state and local legislatures, and more vigorous enforcement will be pursued by state actors.

There is a particular danger that preemption of state enforcement authority will leave individuals with no remedies to privacy violations. In the states, attorneys general are elected, and thus have direct pressure from constituents to enforce consumer protection laws. Since the federal attorney general and agency officials are appointed, there is a risk that they will be less accountable to the public as political appointees.

A common tactic of an industry wishing to dilute enforcement power is to lobby Congress in order to reduce funding of regulating agencies. For instance, Microsoft Corporation took this approach against the Department of Justice's Antitrust Division in order to frustrate the government's antitrust suit against the corporation. When this tactic is successful and there is no state or individual enforcement authority in a law, the individual may be left with no realistic option to enforce her rights.

EPIC Executive Director Marc Rotenberg has testified before Congress that one risk of federal ceiling preemption is that federal regulators may not be as responsive to individuals' problems:

As a general matter preemption is inconsistent with the structure of privacy law in the United States, and similar proposals have often killed important efforts to enact privacy legislation. But it is a particularly bad idea in this context where the FTC [Federal Trade Commission] would have so much control over the establishment of regulation as well as the provision of safe harbor status. Inadequate regulations or inattention to industry practices by the FTC could not be remedied by state or local authorities. States must retain the right to develop new safeguards to protect the interests of their citizens.

North Carolina State Representative Dan Blue argues a similar position:

Federal regulatory agencies are not always successful in their mission of protecting the public. Moreover, over the past twenty years there has been something of an abdication by the federal government in such fields as consumer, environmental, and public health and safety protection. And federal regulation is often sluggish, bogged down in the elaborate federal administrative process and able to respond only slowly to the demands of the public. Federal agencies, in other words, frequently are surpassed in performance by state officials who often can act quickly and effectively to protect their citizens.

States can act more quickly and aggressively because the structure of state administrative law is simpler and allows for swift decision-making. Also, state regulators are often more responsive to public opinion. For example, in most states, a popularly elected Attorney General is responsible for enforcement of antitrust, environmental, and consumer protection laws. State agencies, especially when they work cooperatively, also may have more law enforcement resources than comparable federal agencies. I would point in particular to the effectiveness of cooperative efforts of state attorneys general in addressing public health, consumer protection, and antitrust issues.

Appeals to Efficiency In Nationally-Uniform Laws Are Specious

Especially in the financial services and credit reporting areas, there has been an argument that a national ceiling of laws is needed in order to prevent "balkanization" or a "patchwork" of state laws. However, there is nothing that differentiates these businesses from other industries that operate at the national level with varying state laws. In fact, many states currently have credit reporting laws that increase protections for consumers, and reduce the costs for access to consumer credit reports.

As the National Association of Attorneys General Privacy Subcommittee has argued:

Many businesses...argue the importance of a single, federal standard by citing the need for uniformity. They assert that a "patchwork" of state laws will make compliance costly and may stifle the development of markets both on and offline. In fact, businesses have long accommodated themselves to a range of state consumer protection statutes while maintaining a profitable enterprise. Courts have, for years, engaged in a process of reconciling potentially or actually conflicting laws through application of established legal principles to various factual situations. Such a tailored response is especially appropriate with respect to evolving technologies and new applications of those technologies. This flexible approach accommodates the needs of both businesses and consumers, while preserving state sovereignty in an area where states have traditionally had a significant role.

The Same New Technologies That Have Enabled Profiling Could Enable Compliance With Different State Laws

Not enough attention has been paid to the possibility that the same technologies that enable profiling and consumer segmentation could be used for compliance with different state laws. There has never been a better time to experiment with this approach.



Previous Top News

  • FOIA Docs Show Bias Towards Preemption at Treasury. EPIC has obtained documents (PDF 430k) under the Freedom of Information Act regarding the Department of the Treasury's consideration of preemption in the Fair Credit Reporting Act. The documents show that the agency decided to back preemption in January 2003, and that little or no policy debate was held within the agency on whether preemption would help or harm the public. Furthermore, it appears that the agency only consulted with two consumer-oriented advocates, while meeting with many industry representatives. (Jan. 28, 2004)
  • FCRA Hearings Held. In a series of hearings before the House Financial Services Committee, a number of experts have testified in favor of stronger protections in the Fair Credit Reporting Act. They include Joel Reidenberg of Fordham Law School, Ed Mierzwinski of US PIRG, Anthony Rodriguez of the National Consumer Law Center, Julie Brill of the Vermont Attorney General Office, Richard LeFebvre of AAA Credit, Evan Hendricks of Privacy Times, and Travis Plunkett of Consumer Federation of America.
  • FCRA Preemption Bills Introduced. Two bills that would broadly preempt states from passing stronger credit reporting laws were introduced in the Congress. S. 660, introduced by Senator Tim Johnson (D-SD), would extend preemption in the Fair Credit Reporting Act (FCRA) in perpetuity. A second bill, H.R. 1766, would extend FCRA preemption, and prohibit states from regulating information sharing among financial services entities. For more information, see the EPIC FCRA Page. (Apr. 24)
  • EPIC Opposes Preemption of State Privacy Enforcement. In comments to the Office of the Comptroller of the Currency, EPIC argued that the agency lacks the legal authority to prevent states from enforcing consumer protection and privacy laws against banks and their affiliates. The EPIC comments respond to the agency's proposed rule (pdf) that interprets the OCC's "visitorial powers" so broadly that states could not enforce their own consumer protection and privacy laws against banks. (Apr. 8)
  • EPIC Urges Expiration of FCRA Preemption. In an address to the American Banking Association US 2003 Conference, EPIC Legislative Counsel Chris Hoofnagle argued that Congress should allow preemption in the Fair Credit Reporting Act to expire. (Feb. 2003)
  • NAAG Opposes FCRA Preemption. The National Association of Attorneys General passed a resolution opposing preemption in the Fair Credit Reporting Act. The resolution supports general reform of the FCRA, including greater accuracy, access, and enforcement provisions. For more information, see the EPIC FCRA Page. (Dec. 2002)
  • President Bush Supports Federalism, Establishes Federalism Working Group. President Bush announced a new federalism initiative and commissioned a working group to develop a new federalism executive order. This new order would replace President Clinton's federalism executive order 13132. (Feb. 2001)
