FTC Commissioners discuss state privacy preemption
On May 8, the FTC Commissioners participated in a subcommittee hearing before the House Committee on Energy and Commerce entitled, “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” During the hearing, the Commissioners were questioned about the agency’s privacy and data security enforcement and regulatory activities, including whether they would support preemption of state privacy laws by a federal privacy statute. Using the California Consumer Privacy Act (covered by InfoBytes here) as an example, some Congressmen worried about the prospect of conflicting privacy legislation in other states, creating “confusion and uncertainty in the business community.”
The Commissioners split along party lines. Democratic Commissioners expressed caution about federal preemption of state privacy laws; Commissioner Chopra, citing federal preemption laws leading up to the mortgage crisis, warned of “unintended consequences.” Democratic Commissioner Slaughter recognized the “desire for uniformity, consistency, clarity, and predictability” that a federal law would provide, but noted that the appropriateness of preemption should be based on “whether a federal law meets or exceeds…the level of protections that states can provide and whether it allows them the opportunity to fill any gaps that may remain after a federal law is developed.” Republican Commissioners stressed the importance of having a federal law that would preempt the current “patchwork” of state laws; Commissioner Phillips argued that preemption is “essential” in order to provide businesses clarity and reduced compliance costs, while also providing consumers with more power to understand expectations. FTC Chairman Simons noted that even if federal law preempts state privacy laws, Congress should grant concurrent enforcement authority to the states’ attorneys general.
The hearing also covered, among other things, (i) the need for additional resources to increase agency staff focused on privacy issues; (ii) giving the FTC authority to levy civil money penalties, as Section 5 of the FTC Act does not allow the Commission to seek civil penalties for first-time privacy violations; and (iii) the need for targeted rule-making authority.