Federal Policy Should Preempt Onerous State-Level Data Privacy Laws

January 20, 2015

The debate continues to heat up around data privacy laws and whether the federal government should preempt state legislation in this area. Just this week, we wrote about the Administration’s announcement of two new proposals concerning data security, including the Personal Data Notification and Protection Act, which focuses on setting a federal standard. ANA has long advocated for federal data security legislation as more and more cybersecurity incidents occur, with recent examples including Sony, Home Depot, Target and CENTCOM.
The New York Times editorial board joined the debate recently in an editorial titled, “Still Waiting for Strong Privacy Laws,” stating that a uniform federal law wouldn’t “adequately protect the privacy of Americans,” and that the President should be “careful not to give Congress an opportunity to undermine state laws.” ANA is advocating for federal data security legislation because we have already seen the stark issues that can come with inconsistencies and variations in state laws. The New York Times editorial tried to dismiss this concern by noting that “As a practical matter, privacy advocates say, companies are not hamstrung by having to follow different state policies because they usually do whatever is required by the strongest state law in all states.” This point of view, however, overlooks the fact that a more stringent law in one particular state, though it may sound good in theory, does not necessarily mean that it takes into consideration the best interests of consumers all across the country. Overly-restrictive laws implemented by one state could yield an over-abundance of unnecessary alerts about data breaches or security issues which eventually and inevitably will be ignored.

In early 2014, ANA joined with fifteen other industry groups to ask Congress to find a way to preempt the current patchwork of 47 inconsistent state laws and develop a system that would allow businesses to better comply with data breach standards. We have already stressed that this legislation should preempt the state laws in the area and only require reporting for material breaches.

We recognize the challenges in creating a policy on the federal level. However, it is imperative that we do not work hard to establish a federal rule, only to allow individual states to once again undermine rational data breach standards with a plethora of approaches.

We know this debate will continue as efforts to enact a national breach law have been tried unsuccessfully for the last eight years. The advertising industry looks forward to continuing to support the implementation of strategic and smart safeguards that will still allow an industry reliant on the appropriate use of data to develop a sound approach that is beneficial to consumers nationwide.

You must be logged in to submit a comment.