by Mark Vandenberg*
Rapid technological developments in the early part of the 21st century have exposed massive amounts of users’ private data to many different companies. Data privacy laws that seemed adequate even just a few years ago are no longer sufficient to handle the evolving privacy issues relevant today. While the federal Telecommunications Act of 1996 provided much needed updates to federal privacy law at that point in time, there has been no similar action from Congress in the past twenty-five years. To deal with this inaction, states have begun to issue their own laws to protect their citizens’ data.1
The federal government has weighed in on this issue in the past few years, though not with conventional, affirmative legislation from Congress. In 2017, using the Congressional Review Act, which allows Congress to “overturn a rule issued by a federal agency,”2 Congress passed a joint resolution3 to undo a 2016 Federal Communications Commission (“FCC”) Rule regarding customer privacy requirements for broadband Internet access service (“BIAS”) providers.4 The 2016 ISP Privacy Order, among other things, had instituted rules requiring BIAS providers to “obtain customers’ opt-in approval for use and sharing of sensitive customer [personal information].”5 However, because of the Joint Resolution, the 2016 ISP Privacy Order is no longer in effect.
Furthermore, the FCC promulgated a rule in 2018 which also purported to impact data privacy.6 The RIF Order included a number of measures, including transferring jurisdiction of broadband privacy enforcement from the FCC back to the Federal Trade Commission (“FTC”), who had regulated it before the FCC.7 The RIF Order also sought to declare that the order had preemptive effect on future state laws because of its “deregulatory approach.”8 This portion of the RIF Order was ultimately overturned by the D.C. Circuit for a failure to ground its preemption directive in any statutory authority,9 though the court left for another day whether “particular state law[s]” might be preempted by the RIF Order.10
The question then is: is there a place for states to regulate their own citizens in this data privacy space or would state regulations be preempted by federal law? If state action can move forward, then states can experiment with different data privacy protections, perhaps developing best practices that could be shared with states that have not yet adopted privacy protections or even the federal government. On the other hand, if state or local legislation is preempted by federal law, then is existing federal law robust enough to ensure strong data privacy protections?
This Contribution argues that federal law related to data privacy protection does not preempt state or local legislation because no aspect of federal law occupies the field of regulation nor does federal law conflict with state or local statutes that seek to protect data privacy. Further, unless Congress can pass comprehensive data privacy protections, state and local action may be the best path forward, as different state and local bodies can experiment with different types of data privacy protections that provide digital safety to their citizens.
The preemption doctrine materializes from the Supremacy Clause of Article VI of the Constitution, which commands “that the laws of the United States ‘shall be the supreme Law of the Land; . . . any Thing in the Constitution or Laws of any state to the Contrary notwithstanding.’”11 There are two distinct categories of preemption: express and implied.12 Given that Congress has clearly not expressly preempted state or local data privacy laws, this Contribution will focus on implied preemption, which is further broken down into “field” and “conflict” preemption.13
A state law is subject to field preemption “where ‘Congress has legislated comprehensively to occupy an entire field of regulation, leaving no room for the States to supplement federal law.’”14 It is subject to conflict preemption “where ‘compliance with both state and federal law is impossible,’ or where ‘the state law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.’”15
All preemption jurisprudence, including both field and conflict preemption, is governed by two guiding principles. First, the “ultimate touchstone in every pre-emption case” is “the purpose of Congress.”16 Second, in every preemption case, “particularly . . . those in which Congress has legislated in a field which the States have traditionally occupied, . . . we start with the assumption that the historic police powers of the States were not to be superseded by [federal law] unless that was the clear and manifest purpose of Congress.”17
Beyond the Joint Resolution and the RIF Order previously discussed, the only affirmative piece of federal legislation that addresses data privacy is contained at 47 U.S.C. § 222, originally drafted as part of the Communications Act of 1934. The section’s general purpose speaks to “[e]very telecommunications carrier[’s] . . . duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers.”18
However, the Communications Act contemplates state involvement in related matters. For instance, 47 U.S.C. § 253 expressly states that “[n]othing in this section [including § 222] shall affect the ability of a State to impose, on a competitively neutral basis . . . requirements necessary to . . . protect the public safety and welfare, ensure the continued quality of telecommunications services, and safeguard the rights of consumers.”19 47 U.S.C. § 253(d) also provides a clear process for the FCC to undertake when it believes that a state law or regulation may be violating the section’s requirement: the FCC may, after providing “notice and an opportunity for public comment . . . preempt the enforcement” of said law or regulation.
Taking the field preemption question first, comprehensiveness of federal law is key, as there must be “no room for the States to supplement federal law.”20 Likewise, the federal law in question must also demonstrate a “clear and manifest purpose” to preempt any state or local law.21 As already stated, the Communications Act does precisely the opposite, acknowledging that states should continue to be able to implement laws “necessary to . . . protect the public safety and welfare” without concerns of federal preemption.22 The Joint Resolution that overruled the FCC’s 2016 Order concerning data privacy merely stated “[t]hat Congress disapproves [the ISP Privacy Order] . . . and such rule shall have no force or effect.”23 Accordingly, the Joint Resolution did not contain a “clear and manifest purpose” to preempt state law, as the Joint Resolution merely discarded with the 2016 Order and provided no further explanation of its purpose.24
The Supreme Court has taken an exacting view of what is required to find field preemption. In Pacific Gas & Electric Co. v. State Energy Resources Conservation & Development Commission, 461 U.S. 190 (1983), the Court found that the Atomic Energy Act, “despite its comprehensiveness,” did not in fact reserve the entire field regarding the construction of nuclear power plants to the federal government.25 Rather, the Court found that the federal government had reserved to itself questions of “safety . . . involved in the construction and operation of a nuclear plant,” while reserving for the states the “traditional responsibility in the field of regulating electrical utilities for determining questions of need, reliability, cost and other related state concerns.”26 If a comprehensive federal statute concerning a matter as crucial and as tied up in federal policy as nuclear plant safety can be found to have not preempted the field entirely, then surely the Joint Resolution’s bare recitation that a federal regulation will not go into place is not nearly enough to comprehensively regulate the field.27
Conflict preemption similarly does not preclude states and localities from developing data privacy laws. Conflict preemption results when either a) complying with a state or local law makes simultaneous compliance with federal law impossible or b) the state or local law diverges with the purpose of Congress.28 To the first point, any state or local data privacy law would merely need to avoid forcing companies into an impossibly conflicting position, which, given the paucity of federal law specifically concerning data privacy, should not be difficult.
Some would argue that the Joint Resolution and the RIF Order speak to a federal policy of de-regulating the internet to the extent that any state or local laws implementing restrictions to boost data privacy would conflict with a clear purpose of Congress (or federal agency, namely the FCC). However, as discussed above, the Joint Resolution evinces no clear purpose. Similarly, the RIF Order, while generally advocating for a deregulatory approach, simultaneously wanted to ensure that broadband providers “provide consumers with strong privacy and data security protections.”29
Finally, beyond the specific arguments about conflict and field preemption, there is a strong general presumption against preemption in matters dealing with historic police powers such as safety,30 which suggests challenges to state and local data privacy laws would necessarily start at a disadvantage.
Accordingly, there is a clear need and a place for state and local governments to implement data privacy protections without concern of federal preemption. A push for more of these local laws may also have the effect of encouraging Congress to develop a federal policy on data privacy that would preempt the incoming set of data privacy protections. Given the interstate (and even international) nature of the Internet, this would almost certainly be best for maintaining consistency and predictability for BIAS providers across the country (and the globe). In the meantime, though, enterprising states and localities should take up the mantle of protecting their citizens’ privacy.
* Mark Vandenberg is a J.D. Candidate (2022) at New York University School of Law. This piece is a commentary on a problem produced for the 2021 National Telecommunications and Technology Moot Court Competition, hosted by the Catholic University of America. The question presented was whether a state law regulating how contact tracing applications treated users’ geolocation data was preempted by federal law. This Contribution is a distillation of one side of the argument assigned to the team, and the views expressed do not necessarily represent the views of the author.
1. See State Laws Related to Digital Privacy, Nat’l Conf. of State Legislatures (July 22, 2021), https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx (providing examples of state laws related to digital privacy).
2. Maeve P. Carey & Christopher M. Davis, Cong. Rsch. Serv., R43992, The Congressional Review Act (CRA): Frequently Asked Questions 1 (updated 2020) (“CRA FAQ”).
3. See S.J. Res. 34, Pub. L. No. 115–22, 131 Stat. 88 (2017) (hereinafter “Joint Resolution”).
4. Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, 81 Fed. Reg. 87,274 (Dec. 2, 2016) (“ISP Privacy Order”).
5. ISP Privacy Order, 81 Fed. Reg. at 87,275.
6. See Restoring Internet Freedom, 83 Fed. Reg. 7,852 (Feb. 22, 2018) (“RIF Order”) (vacated in part, Mozilla Corp. v. FCC, 940 F.3d 1, 86 (D.C. Cir. 2019)).
7. RIF Order, 83 Fed. Reg. at 7,886; see also ACA Connects-Am.’s Commc’ns Ass’n v. Frey, 471 F. Supp. 3d 318, 326 (D. Me. 2020) (noting that the “FCC reinterpreted broadband Internet as an information service . . . rather than as a telecommunications service . . . thereby placing it outside the FCC’s regulatory ambit”) (citing Mozilla Corp., 940 F.3d at 78).
8. Mozilla Corp., 940 F.3d at 85.
9. See id. at 74.
10. Id. at 86.
11. Cipollone v. Liggett Grp., Inc., 505 U.S. 504, 516 (1992) (quoting U.S. Const. art. VI, cl. 2).
12. Id. (“Congress’ intent may be ‘explicitly stated in the statute’s language or implicitly contained in its structure and purpose.’” (quoting Jones v. Rath Packing Co., 430 U.S. 519, 525 (1977))).
13. See Oneok, Inc. v. Learjet, Inc., 575 U.S. 373, 377 (2015).
14. Hughes v. Talen Energy Mktg., LLC, 758 U.S. 150, 163 (2016) (quoting Nw. Cent. Pipeline Corp. v. State Corp. Comm’n of Kan., 489 U.S. 493, 509 (1989)).
15. Oneok, 575 U.S. at 377 (quoting California v. ARC America Corp., 490 U.S. 93, 100, 101 (1989)).
16. Hughes, 758 U.S. at 163 (citation omitted) (emphasis added).
17. Wyeth v. Levine, 555 U.S. 555, 565 (2009) (quoting Medtronic, Inc. v. Lohr, 518 U.S. 470, 485 (1996)) (quotation marks omitted).
18. 47 U.S.C. § 222(a).
19. See also P.R. Tel. Co. v. Telecomms. Regul. Bd. of P.R., 189 F.3d 1, 9 (1st Cir. 1999) (“[Section] 253 also contains provisions that preserve state regulatory authority . . . .”).
20. Hughes, 758 U.S. at 163.
21. Wyeth, 555 U.S. at 565.
22. 47 U.S.C. § 253(d).
23. Joint Resolution, S.J. Res. 34, Pub. L. No. 115–22, 131 Stat. 88.
24. Courts, when ascertaining the meaning of a joint resolution passed pursuant to the Congressional Review Act, must begin with the text itself. See, e.g., Nuclear Energy Inst., Inc. v. EPA, 373 F.3d 1251, 1309 (D.C. Cir. 2004) (“As with any other statute, our interpretation of the Resolution begins with its text and the presumption that Congress ‘says in a statute what it means and means in a statute what it says there.’” (quoting Conn. Nat’l Bank v. Germain, 503 U.S. 249, 254 (1992))).
25. 461 U.S. at 205.
27. See also Fla. Lime & Avocado Growers, Inc. v. Paul, 373 U.S. 132, 145 (1963) (discussing regulation of two different aspects of agricultural commerce and stating that, “Congressional regulation [in one part of the field at issue] does not, ipso facto, oust all state regulation [in another]. Such a displacement may not be inferred automatically[.]”).
28. Oneok, Inc. v. Learjet, Inc., 575 U.S. 373, 377 (2015).
29. RIF Order, 83 Fed. Reg. at 7,886.
30. Wyeth v. Levine, 555 U.S. 555, 565 (2009) (citation omitted).