by Mark Vandenberg*

Rapid tech­no­log­i­cal devel­op­ments in the ear­ly part of the 21st cen­tu­ry have exposed mas­sive amounts of users’ pri­vate data to many dif­fer­ent com­pa­nies. Data pri­va­cy laws that seemed ade­quate even just a few years ago are no longer suf­fi­cient to han­dle the evolv­ing pri­va­cy issues rel­e­vant today. While the fed­er­al Telecom­mu­ni­ca­tions Act of 1996 pro­vid­ed much need­ed updates to fed­er­al pri­va­cy law at that point in time, there has been no sim­i­lar action from Con­gress in the past twen­ty-five years. To deal with this inac­tion, states have begun to issue their own laws to pro­tect their cit­i­zens’ data.1

The fed­er­al gov­ern­ment has weighed in on this issue in the past few years, though not with con­ven­tion­al, affir­ma­tive leg­is­la­tion from Con­gress. In 2017, using the Con­gres­sion­al Review Act, which allows Con­gress to “over­turn[] a rule issued by a fed­er­al agency,”2 Con­gress passed a joint res­o­lu­tion3 to undo a 2016 Fed­er­al Com­mu­ni­ca­tions Com­mis­sion (“FCC”) Rule regard­ing cus­tomer pri­va­cy require­ments for broad­band Inter­net access ser­vice (“BIAS”) providers.4 The 2016 ISP Pri­va­cy Order, among oth­er things, had insti­tut­ed rules requir­ing BIAS providers to “obtain cus­tomers’ opt-in approval for use and shar­ing of sen­si­tive cus­tomer [per­son­al infor­ma­tion].”5 How­ev­er, because of the Joint Res­o­lu­tion, the 2016 ISP Pri­va­cy Order is no longer in effect.

Fur­ther­more, the FCC pro­mul­gat­ed a rule in 2018 which also pur­port­ed to impact data pri­va­cy.6 The RIF Order includ­ed a num­ber of mea­sures, includ­ing trans­fer­ring juris­dic­tion of broad­band pri­va­cy enforce­ment from the FCC back to the Fed­er­al Trade Com­mis­sion (“FTC”), who had reg­u­lat­ed it before the FCC.7 The RIF Order also sought to declare that the order had pre­emp­tive effect on future state laws because of its “dereg­u­la­to­ry approach.”8 This por­tion of the RIF Order was ulti­mate­ly over­turned by the D.C. Cir­cuit for a fail­ure to ground its pre­emp­tion direc­tive in any statu­to­ry author­i­ty,9 though the court left for anoth­er day whether “par­tic­u­lar state law[s]” might be pre­empt­ed by the RIF Order.10

The ques­tion then is: is there a place for states to reg­u­late their own cit­i­zens in this data pri­va­cy space or would state reg­u­la­tions be pre­empt­ed by fed­er­al law? If state action can move for­ward, then states can exper­i­ment with dif­fer­ent data pri­va­cy pro­tec­tions, per­haps devel­op­ing best prac­tices that could be shared with states that have not yet adopt­ed pri­va­cy pro­tec­tions or even the fed­er­al gov­ern­ment. On the oth­er hand, if state or local leg­is­la­tion is pre­empt­ed by fed­er­al law, then is exist­ing fed­er­al law robust enough to ensure strong data pri­va­cy protections?

This Con­tri­bu­tion argues that fed­er­al law relat­ed to data pri­va­cy pro­tec­tion does not pre­empt state or local leg­is­la­tion because no aspect of fed­er­al law occu­pies the field of reg­u­la­tion nor does fed­er­al law con­flict with state or local statutes that seek to pro­tect data pri­va­cy. Fur­ther, unless Con­gress can pass com­pre­hen­sive data pri­va­cy pro­tec­tions, state and local action may be the best path for­ward, as dif­fer­ent state and local bod­ies can exper­i­ment with dif­fer­ent types of data pri­va­cy pro­tec­tions that pro­vide dig­i­tal safe­ty to their citizens.


The pre­emp­tion doc­trine mate­ri­al­izes from the Suprema­cy Clause of Arti­cle VI of the Con­sti­tu­tion, which com­mands “that the laws of the Unit­ed States ‘shall be the supreme Law of the Land; . . . any Thing in the Con­sti­tu­tion or Laws of any state to the Con­trary notwith­stand­ing.’”11 There are two dis­tinct cat­e­gories of pre­emp­tion: express and implied.12 Giv­en that Con­gress has clear­ly not express­ly pre­empt­ed state or local data pri­va­cy laws, this Con­tri­bu­tion will focus on implied pre­emp­tion, which is fur­ther bro­ken down into “field” and “con­flict” pre­emp­tion.13

A state law is sub­ject to field pre­emp­tion “where ‘Con­gress has leg­is­lat­ed com­pre­hen­sive­ly to occu­py an entire field of reg­u­la­tion, leav­ing no room for the States to sup­ple­ment fed­er­al law.’”14 It is sub­ject to con­flict pre­emp­tion “where ‘com­pli­ance with both state and fed­er­al law is impos­si­ble,’ or where ‘the state law stands as an obsta­cle to the accom­plish­ment and exe­cu­tion of the full pur­pos­es and objec­tives of Con­gress.’”15

All pre­emp­tion jurispru­dence, includ­ing both field and con­flict pre­emp­tion, is gov­erned by two guid­ing prin­ci­ples. First, the “ulti­mate touch­stone in every pre-emp­tion case” is “the pur­pose of Con­gress.”16 Sec­ond, in every pre­emp­tion case, “par­tic­u­lar­ly . . . those in which Con­gress has leg­is­lat­ed in a field which the States have tra­di­tion­al­ly occu­pied, . . . we start with the assump­tion that the his­toric police pow­ers of the States were not to be super­seded by [fed­er­al law] unless that was the clear and man­i­fest pur­pose of Con­gress.”17


Beyond the Joint Res­o­lu­tion and the RIF Order pre­vi­ous­ly dis­cussed, the only affir­ma­tive piece of fed­er­al leg­is­la­tion that address­es data pri­va­cy is con­tained at 47 U.S.C. § 222, orig­i­nal­ly draft­ed as part of the Com­mu­ni­ca­tions Act of 1934. The section’s gen­er­al pur­pose speaks to “[e]very telecom­mu­ni­ca­tions carrier[’s] . . . duty to pro­tect the con­fi­den­tial­i­ty of pro­pri­etary infor­ma­tion of, and relat­ing to, oth­er telecom­mu­ni­ca­tion car­ri­ers, equip­ment man­u­fac­tur­ers, and cus­tomers.”18

How­ev­er, the Com­mu­ni­ca­tions Act con­tem­plates state involve­ment in relat­ed mat­ters. For instance, 47 U.S.C. § 253 express­ly states that “[n]othing in this sec­tion [includ­ing § 222] shall affect the abil­i­ty of a State to impose, on a com­pet­i­tive­ly neu­tral basis . . . require­ments nec­es­sary to . . . pro­tect the pub­lic safe­ty and wel­fare, ensure the con­tin­ued qual­i­ty of telecom­mu­ni­ca­tions ser­vices, and safe­guard the rights of con­sumers.”19 47 U.S.C. § 253(d) also pro­vides a clear process for the FCC to under­take when it believes that a state law or reg­u­la­tion may be vio­lat­ing the section’s require­ment: the FCC may, after pro­vid­ing “notice and an oppor­tu­ni­ty for pub­lic com­ment . . . pre­empt the enforce­ment” of said law or regulation.


Tak­ing the field pre­emp­tion ques­tion first, com­pre­hen­sive­ness of fed­er­al law is key, as there must be “no room for the States to sup­ple­ment fed­er­al law.”20 Like­wise, the fed­er­al law in ques­tion must also demon­strate a “clear and man­i­fest pur­pose” to pre­empt any state or local law.21 As already stat­ed, the Com­mu­ni­ca­tions Act does pre­cise­ly the oppo­site, acknowl­edg­ing that states should con­tin­ue to be able to imple­ment laws “nec­es­sary to . . . pro­tect the pub­lic safe­ty and wel­fare” with­out con­cerns of fed­er­al pre­emp­tion.22 The Joint Res­o­lu­tion that over­ruled the FCC’s 2016 Order con­cern­ing data pri­va­cy mere­ly stat­ed “[t]hat Con­gress dis­ap­proves [the ISP Pri­va­cy Order] . . . and such  rule shall have no force or effect.”23 Accord­ing­ly, the Joint Res­o­lu­tion did not con­tain a “clear and man­i­fest pur­pose” to pre­empt state law, as the Joint Res­o­lu­tion mere­ly dis­card­ed with the 2016 Order and pro­vid­ed no fur­ther expla­na­tion of its pur­pose.24

The Supreme Court has tak­en an exact­ing view of what is required to find field pre­emp­tion. In Pacif­ic Gas & Elec­tric Co. v. State Ener­gy Resources Con­ser­va­tion & Devel­op­ment Com­mis­sion, 461 U.S. 190 (1983), the Court found that the Atom­ic Ener­gy Act, “despite its com­pre­hen­sive­ness,” did not in fact reserve the entire field regard­ing the con­struc­tion of nuclear pow­er plants to the fed­er­al gov­ern­ment.25 Rather, the Court found that the fed­er­al gov­ern­ment had reserved to itself ques­tions of “safe­ty . . . involved in the con­struc­tion and oper­a­tion of a nuclear plant,” while reserv­ing for the states the “tra­di­tion­al respon­si­bil­i­ty in the field of reg­u­lat­ing elec­tri­cal util­i­ties for deter­min­ing ques­tions of need, reli­a­bil­i­ty, cost and oth­er relat­ed state con­cerns.”26 If a com­pre­hen­sive fed­er­al statute con­cern­ing a mat­ter as cru­cial and as tied up in fed­er­al pol­i­cy as nuclear plant safe­ty can be found to have not pre­empt­ed the field entire­ly, then sure­ly the Joint Resolution’s bare recita­tion that a fed­er­al reg­u­la­tion will not go into place is not near­ly enough to com­pre­hen­sive­ly reg­u­late the field.27


Con­flict pre­emp­tion sim­i­lar­ly does not pre­clude states and local­i­ties from devel­op­ing data pri­va­cy laws. Con­flict pre­emp­tion results when either a) com­ply­ing with a state or local law makes simul­ta­ne­ous com­pli­ance with fed­er­al law impos­si­ble or b) the state or local law diverges with the pur­pose of Con­gress.28 To the first point, any state or local data pri­va­cy law would mere­ly need to avoid forc­ing com­pa­nies into an impos­si­bly con­flict­ing posi­tion, which, giv­en the pauci­ty of fed­er­al law specif­i­cal­ly con­cern­ing data pri­va­cy, should not be difficult.

Some would argue that the Joint Res­o­lu­tion and the RIF Order speak to a fed­er­al pol­i­cy of de-reg­u­lat­ing the inter­net to the extent that any state or local laws imple­ment­ing restric­tions to boost data pri­va­cy would con­flict with a clear pur­pose of Con­gress (or fed­er­al agency, name­ly the FCC). How­ev­er, as dis­cussed above, the Joint Res­o­lu­tion evinces no clear pur­pose. Sim­i­lar­ly, the RIF Order, while gen­er­al­ly advo­cat­ing for a dereg­u­la­to­ry approach, simul­ta­ne­ous­ly want­ed to ensure that broad­band providers “pro­vide con­sumers with strong pri­va­cy and data secu­ri­ty pro­tec­tions.”29

Final­ly, beyond the spe­cif­ic argu­ments about con­flict and field pre­emp­tion, there is a strong gen­er­al pre­sump­tion against pre­emp­tion in mat­ters deal­ing with his­toric police pow­ers such as safe­ty,30 which sug­gests chal­lenges to state and local data pri­va­cy laws would nec­es­sar­i­ly start at a disadvantage.

Accord­ing­ly, there is a clear need and a place for state and local gov­ern­ments to imple­ment data pri­va­cy pro­tec­tions with­out con­cern of fed­er­al pre­emp­tion. A push for more of these local laws may also have the effect of encour­ag­ing Con­gress to devel­op a fed­er­al pol­i­cy on data pri­va­cy that would pre­empt the incom­ing set of data pri­va­cy pro­tec­tions. Giv­en the inter­state (and even inter­na­tion­al) nature of the Inter­net, this would almost cer­tain­ly be best for main­tain­ing con­sis­ten­cy and pre­dictabil­i­ty for BIAS providers across the coun­try (and the globe). In the mean­time, though, enter­pris­ing states and local­i­ties should take up the man­tle of pro­tect­ing their cit­i­zens’ privacy.

* Mark Van­den­berg is a J.D. Can­di­date (2022) at New York Uni­ver­si­ty School of Law. This piece is a com­men­tary on a prob­lem pro­duced for the 2021 Nation­al Telecom­mu­ni­ca­tions and Tech­nol­o­gy Moot Court Com­pe­ti­tion, host­ed by the Catholic Uni­ver­si­ty of Amer­i­ca. The ques­tion pre­sent­ed was whether a state law reg­u­lat­ing how con­tact trac­ing appli­ca­tions treat­ed users’ geolo­ca­tion data was pre­empt­ed by fed­er­al law. This Con­tri­bu­tion is a dis­til­la­tion of one side of the argu­ment assigned to the team, and the views expressed do not nec­es­sar­i­ly rep­re­sent the views of the author.

1. See State Laws Relat­ed to Dig­i­tal Pri­va­cy, Nat’l Conf. of State Leg­is­la­tures (July 22, 2021), (pro­vid­ing exam­ples of state laws relat­ed to dig­i­tal privacy).

2. Maeve P. Carey & Christo­pher M. Davis, Cong. Rsch. Serv., R43992, The Con­gres­sion­al Review Act (CRA): Fre­quent­ly Asked Ques­tions 1 (updat­ed 2020) (“CRA FAQ”).

3. See S.J. Res. 34, Pub. L. No. 115–22, 131 Stat. 88 (2017) (here­inafter “Joint Resolution”).

4. Pro­tect­ing the Pri­va­cy of Cus­tomers of Broad­band and Oth­er Telecom­mu­ni­ca­tions Ser­vices, 81 Fed. Reg. 87,274 (Dec. 2, 2016) (“ISP Pri­va­cy Order”).

5. ISP Pri­va­cy Order, 81 Fed. Reg. at 87,275.

6. See Restor­ing Inter­net Free­dom, 83 Fed. Reg. 7,852 (Feb. 22, 2018) (“RIF Order”) (vacat­ed in part, Mozil­la Corp. v. FCC, 940 F.3d 1, 86 (D.C. Cir. 2019)).

7. RIF Order, 83 Fed. Reg. at 7,886; see also ACA Connects-Am.’s Commc’ns Ass’n v. Frey, 471 F. Supp. 3d 318, 326 (D. Me. 2020) (not­ing that the “FCC rein­ter­pret­ed broad­band Inter­net as an infor­ma­tion ser­vice . . . rather than as a telecom­mu­ni­ca­tions ser­vice . . . there­by plac­ing it out­side the FCC’s reg­u­la­to­ry ambit”) (cit­ing Mozil­la Corp., 940 F.3d at 78).

8. Mozil­la Corp., 940 F.3d at 85.

9. See id. at 74.

10. Id. at 86.

11. Cipol­lone v. Liggett Grp., Inc., 505 U.S. 504, 516 (1992) (quot­ing U.S. Con­st. art. VI, cl. 2).

12. Id. (“Con­gress’ intent may be ‘explic­it­ly stat­ed in the statute’s lan­guage or implic­it­ly con­tained in its struc­ture and pur­pose.’” (quot­ing Jones v. Rath Pack­ing Co., 430 U.S. 519, 525 (1977))).

13. See Oneok, Inc. v. Lear­jet, Inc., 575 U.S. 373, 377 (2015).

14. Hugh­es v. Tal­en Ener­gy Mktg., LLC, 758 U.S. 150, 163 (2016) (quot­ing Nw. Cent. Pipeline Corp. v. State Corp. Comm’n of Kan., 489 U.S. 493, 509 (1989)).

15. Oneok, 575 U.S. at 377 (quot­ing Cal­i­for­nia v. ARC Amer­i­ca Corp., 490 U.S. 93, 100, 101 (1989)).

16. Hugh­es, 758 U.S. at 163 (cita­tion omit­ted) (empha­sis added).

17. Wyeth v. Levine, 555 U.S. 555, 565 (2009) (quot­ing Medtron­ic, Inc. v. Lohr, 518 U.S. 470, 485 (1996)) (quo­ta­tion marks omitted).

18. 47 U.S.C. § 222(a).

19. See also P.R. Tel. Co. v. Telecomms. Reg­ul. Bd. of P.R., 189 F.3d 1, 9 (1st Cir. 1999) (“[Sec­tion] 253 also con­tains pro­vi­sions that pre­serve state reg­u­la­to­ry authority . . . .”).

20. Hugh­es, 758 U.S. at 163.

21. Wyeth, 555 U.S. at 565.

22. 47 U.S.C. § 253(d).

23. Joint Res­o­lu­tion, S.J. Res. 34, Pub. L. No. 115–22, 131 Stat. 88.

24. Courts, when ascer­tain­ing the mean­ing of a joint res­o­lu­tion passed pur­suant to the Con­gres­sion­al Review Act, must begin with the text itself. See, e.g., Nuclear Ener­gy Inst., Inc. v. EPA, 373 F.3d 1251, 1309 (D.C. Cir. 2004) (“As with any oth­er statute, our inter­pre­ta­tion of the Res­o­lu­tion begins with its text and the pre­sump­tion that Con­gress ‘says in a statute what it means and means in a statute what it says there.’” (quot­ing Conn. Nat’l Bank v. Ger­main, 503 U.S. 249, 254 (1992))).

25. 461 U.S. at 205.

26. Id.

27. See also Fla. Lime & Avo­ca­do Grow­ers, Inc. v. Paul, 373 U.S. 132, 145 (1963) (dis­cussing reg­u­la­tion of two dif­fer­ent aspects of agri­cul­tur­al com­merce and stat­ing that, “Con­gres­sion­al reg­u­la­tion [in one part of the field at issue] does not, ipso fac­to, oust all state reg­u­la­tion [in anoth­er]. Such a dis­place­ment may not be inferred automatically[.]”).

28. Oneok, Inc. v. Lear­jet, Inc., 575 U.S. 373, 377 (2015).

29. RIF Order, 83 Fed. Reg. at 7,886.

30. Wyeth v. Levine, 555 U.S. 555, 565 (2009) (cita­tion omitted).