In the United States we depend on an overlapping and sometimes confusing patchwork of legislation and regulations, because the US takes a sectoral rather than comprehensive approach to privacy. That patchwork often includes state laws on top of the federal ones, which most businesses see as simply another hurdle to doing business in that state. In some cases a state has already passed related but more stringent laws; in those situations only minor modifications are needed to fold a newly signed federal statute into an existing state compliance program.
The Federal Trade Commission and the State Attorneys General enforce the federal and state consumer privacy protection laws against Unfair or Deceptive Trade Practices (UDTP). One recent example comes from Maine, whose consumer protection law reaches conduct the federal cigarette labeling rules do not. Smokers in that state sued a tobacco manufacturer under the state's deceptive trade practices law, and the manufacturer argued that the claim was pre-empted by the Federal Cigarette Labeling Act. The Supreme Court held that the state-law claim survived, upholding the state's ability to maintain more restrictive protections and pointing out:
Neither the Labeling Act’s pre-emption provision nor the Federal Trade Commission’s actions in this field pre-empt respondents’ state law fraud claim. Pp. 5–20.
(a) Congress may indicate pre-emptive intent through a statute’s express language or through its structure and purpose. See Jones v. Rath Packing Co., 430 U. S. 519, 525. When the text of an express pre-emption clause is susceptible of more than one plausible reading, courts ordinarily “accept the reading that disfavors pre-emption.”
The rationale in (a) means a federal statute displaces a state's more restrictive law only where Congress has made its pre-emptive intent clear, and an express pre-emption clause that can be read more than one way is read in the way that disfavors pre-emption. That first point from the high court is exactly what makes House Bill H.R. 2221, proposed by Illinois Representative Bobby Rush, contentious. The bill tackles several tough interstate commerce issues: it places the FTC in charge of regulations covering the disposal of obsolete or abandoned paper records containing personal information, breach notifications, and verification requirements for information brokers. Section 6 of the so-called Data Accountability and Trust Act includes a provision reading:
(a) …This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to those entities covered by the regulations issued pursuant to this Act, that expressly–
- requires information security practices and treatment of data in electronic form containing personal information similar to any of those required under section 2; and
- requires notification to individuals of a breach of security resulting in unauthorized acquisition of data in electronic form containing personal information.
(b) Additional Preemption-
- IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
This would strike several of the state privacy and breach notification laws (possibly including California's SB 1386), stripping the states' rights and growing Washington's power. Note what subsection (b) actually does: it limits civil actions under state law that are premised on a violation of the Act to the State Attorneys General, closing the door on private plaintiffs while leaving the AGs' own enforcement role intact. There are numerous case studies of the FTC and State Attorneys General working hand-in-hand for consumer protection; why this bill displaces the very state statutes they enforce together is a bit of a mystery.
One more interesting note on Representative Rush's proposal: the bill also carves out an encryption exemption from breach notification. As we noted in a recent post on corporate disposal policies, hackers and researchers tend to find the missteps in how a protection such as encryption is deployed and use them to bypass the protection entirely.
The encryption of data in electronic form shall establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the encryption has been or is reasonably likely to be compromised.
The law has a 10-year lifespan, a reasonable window given that the Advanced Encryption Standard (AES), currently the de facto encryption standard, has yet to be practically broken and should not age beyond its effectiveness in that time. Keep in mind, though, that the presumption attaches to the encryption as deployed, not to the name of the algorithm: if a breach also exposes the decryption key, or the key was managed so poorly that it is reasonably likely to be compromised, the second sentence of that provision lets the presumption be rebutted, and notification is back on the table.
Update: President Obama's May 20th, 2009 Memorandum on the subject of preemption and states' rights quotes Justice Brandeis: “[i]t is one of the happy incidents of the federal system that a single courageous state may, if its citizens choose, serve as a laboratory; and try novel social and economic experiments without risk to the rest of the country.”
CIPP Candidate Preparation
In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:
- Regulatory Authorities (CIPP: I.A.c) including: The Federal Trade Commission
- Enforcement of U.S. Privacy and Security Laws (CIPP: II.B.d, I.A.c) including: Unfair and Deceptive Trade Practices (UDTP), and enforcement powers under the FTC Act section 5
- Privacy and Data Protection Regulation (Foundations: I.F.a, I.F.b) including: Sectoral legal framework
- National data protection regimes (Foundations: I.F.b) including: States' rights
- Specific Privacy and Security laws (CIPP: I.B.g) including: Breach notification
- Information Security (Foundations: II.C) including: Encryption