On May 8, attorneys general (AG) from 14 states and the District of Columbia sent a letter to Congressional leadership opposing provisions of the recently proposed federal American Privacy Rights Act (APRA). In addition to the District of Columbia, the signatory states include California, Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Maryland, Minnesota, Nevada, New York, Oregon, Pennsylvania, and Vermont. Their objections primarily center on the APRA’s preemption clause, which would nullify 16 state comprehensive data privacy laws that have been enacted since 2018.
The AGs write, “We encourage Congress to adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights and respects the important work already undertaken by states to provide strong privacy protections for our residents. A federal legal framework for privacy protections must allow flexibility to keep pace with technology; this is best accomplished by federal legislation that respects — and does not preempt — more rigorous and protective state laws.”
The currently enacted state comprehensive privacy laws share common elements that allow for greater consumer control of personal information and impose minimum data handling requirements on data controllers and processors. However, some state laws, such as California's, are more stringent than others, thus creating a complex regulatory patchwork that companies must navigate. California's law, for example, includes strict consumer opt-out requirements and risk assessments that other state laws do not mandate. The proposed federal APRA also falls short of these stricter requirements.
There has long been tension in the privacy realm between state and federal authorities, including the prospect of federal preemption of state privacy laws. For example, over the past 15 years, industry sectors have pushed for a federal data breach notification law that preempts the patchwork of 50+ state and territorial notification laws; however, no such legislation has successfully passed Congress. Similarly, attempts to pass federal comprehensive privacy legislation, most recently in 2022, have failed in committee, partly due to lobbying by states.
Industry advocates argue that federal legislation that preempts the wildly varying patchwork of state laws would provide a unifying standard with which companies could more easily comply. State authorities, however, often argue that they are better positioned, with more focused resources, to address violations in their own jurisdictions, and can do so most effectively by having a wide variety of enforcement tools at their disposal, such as consumer protection acts that augment state privacy laws. Accordingly, state authorities have generally supported federal laws, such as the Health Insurance Portability and Accountability Act and the Children’s Online Privacy Protection Act, that provide dual enforcement authority between state and federal regulators and allow for preemption only where state laws directly contradict federal law.
The current AG letter signals that the states will continue their lobbying push against federal preemption in the privacy realm. Companies must therefore remain vigilant to keep abreast of the patchwork of state privacy laws to ensure compliance and avoid myriad pitfalls. In addition to the 16 enacted state comprehensive privacy laws, 14 other states are currently considering similar privacy legislation, including Maryland, which recently passed legislation that is now awaiting the governor’s signature. Stay tuned as we continue to monitor and provide updates to the ever-changing privacy landscape.
Troutman Pepper State Attorneys General Team
Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.

Clay Friedman – Co-leader
Clayton is a partner in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and co-leader of the State Attorneys General practice, multidisciplinary teams with decades of experience crafting effective strategies to help deter or mitigate the risk of enforcement actions and litigation.

Judy Jagdmann
Judy is a partner in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based in the Richmond office. She brings experience serving as chair and commissioner of the Virginia State Corporate Commission (VSCC) from 2006 through 2022, which includes regulating the utilities, insurance, banking, and securities industries. She also served as Virginia’s attorney general from 2005-2006.

Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries.

Avi Schick
A former deputy attorney general of New York, Avi applies his experience in bet-the-company matters, representing clients in criminal and civil investigations and enforcement actions before state and federal regulators, prosecutors and enforcement agencies.

Michael Yaghi
Michael is a partner in the firm’s State Attorneys General and Regulatory Investigations, Strategy + Enforcement (RISE) Practice Groups, nationwide teams that advise clients on consumer protection enforcement matters and other regulatory issues.

Samuel E. “Gene” Fishel
Gene is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) practice, based in the Richmond office. He brings extensive regulatory experience, having most recently served as senior assistant attorney general and chief of the Computer Crime Section in the Office of the Attorney General of Virginia, and as special assistant U.S. attorney in the Eastern District of Virginia for 20 years.

Tim Bado
Tim is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, where he represents corporations and individuals facing potential civil and criminal exposure. Tim’s experience in government investigations, enforcement actions, and white-collar litigation spans a number of industries, including financial services, pharmaceutical, health care, and government contracting, among others.

Chris Carlson
Chris Carlson represents clients in regulatory, civil and criminal investigations and litigation. In his practice, Chris regularly employs his prior regulatory experience to benefit clients who are interacting with and being investigated by state attorneys general.

Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice. She focuses her practice on two primary areas: government contracting and state attorney general work.

Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising.

Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.

Susan Nikdel
Susan is an associate in the firm’s Consumer Financial Services Practice Group, and focuses her practice on consumer financial services matters. She has defended several of the nation’s largest and most influential financial institutions in individual and class action litigation involving the Telephone Consumer Protection Act (TCPA), Fair Credit Reporting Act (FCRA), Fair Debt Collection Practices Act (FDCPA), and other consumer privacy statutes.

John Sample
John is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on a wide range of general and complex litigation matters, including shareholder disputes, fraud, products liability, breach of contract, and Biometric Information Privacy Act claims.

Whitney Shephard
Whitney is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. She represents clients facing state and federal regulatory investigations and enforcement actions, as well as related civil litigation.

Trey Smith
Trey is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice. He focuses his practice on helping financial institutions and consumer facing companies navigate regulatory investigations and resulting litigation.

Daniel Waltz
Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.

Stephanie Kozol
Stephanie is Troutman Pepper’s senior government relations manager in the state attorneys general department.