Article
from Belfer Center for Science and International Affairs, Harvard Kennedy School

Preemption in Federal Data Security and Privacy Legislation


Preemption is the ability of the federal government to overrule or replace state law in favor of federal law. It is rooted in the U.S. Constitution’s Supremacy Clause, and it remains a central challenge in passing federal data security and privacy legislation.

Five U.S. states have passed comprehensive data privacy laws. In 2021, at least 25 states introduced comprehensive legislation, along with even more that introduced less-comprehensive legislation to address specific privacy issues. In fact, in the span of time it took us to write this article, the United States went from three to five states with comprehensive data privacy laws. State laws could all be affected by a preemptive federal law, so determining whether and how existing and future state laws should operate with federal law is an essential part of developing federal privacy legislation.

This has fueled a debate on whether federal privacy legislation should allow for stronger state privacy frameworks or whether it should prevent states from having their own frameworks at all. On one side of the debate, a federal law could set minimum requirements and allow states to make new or stricter laws. Proponents of this approach believe that states are best suited to account for their unique needs and to innovate. On the other side, a federal law could displace state frameworks and serve as the uniform standard, with or without carve-outs for state action and existing federal law. Proponents of this strong preemption approach assert that it would end the current patchwork of laws that have led to inconsistent protections for consumers and avoid the industry-related compliance challenges that would come with meeting the requirements of 50+ frameworks.

Fortunately, the preemption debate does not need to be resolved by taking one side or the other. The solution exists along a spectrum, depending on how much Congress wants to allow state laws to complement federal law. A balance can be achieved by having a uniform federal privacy law that can preempt states on substantive provisions covered at the federal level but also preserve existing privacy-related federal frameworks and carve out areas for traditional state authority and emerging areas.

This publication—the first in a series of three main articles—explores the various forms preemption can take and provides recommendations to reach consensus among these options. For more, read our accompanying explainer of tough questions and answers.

CONSIDERATIONS AND OPTIONS

Consideration #1: Preemption and Savings Clauses

Preemption allows federal law to overrule or replace state law in a field or topic, but a savings clause, referred to here as a carve-out for simplicity, can be added to prevent certain areas of state law from being preempted. Such a clause determines how federal law interplays with state law. Of note, preemption and savings clauses arise across many areas of federal legislation; they are not unique to privacy legislation. In certain situations, preemption is impermissible: a federal provision that directs states to enact or refrain from enacting laws, rather than regulating private actors, is considered commandeering (e.g., Murphy v. NCAA). Congress should be aware of these limitations as it crafts preemption for privacy legislation.

Consideration #2: Carve-Outs for State Action

At least 10 areas could be considered for carve-outs in federal privacy legislation to keep existing state law intact, and statutory language should address how carve-outs involving covered data are handled. Doing so would result in uniform legislation while allowing states to retain control over certain areas. The areas that should be considered for carve-outs broadly fall into two categories: areas of traditional state control and emerging areas/gap-fillers.

Areas of traditional state control to consider include, but are not limited to:

  • Civil Rights Laws—Establishing carve-outs for these laws helps avoid canceling protections in states with more robust civil rights laws. If a federal data privacy law contains a civil rights clause, it may address some of these restrictions, but states still may provide additional protections.
  • State Statutes Surrounding Unfair and Deceptive Acts and Practices—Every state has a consumer protection law that prohibits deceptive practices, and many also prohibit unfair or unconscionable practices. The effectiveness, strength and applicability of these laws vary widely across the country.
  • State Constitutional Law—States may offer their denizens additional rights under their state constitution that are not offered at the federal level.
  • State Laws Relating to Tort, Contract and Property in Statute or Common Law—These areas have evolved at the state level over time and often reflect a state view.
  • State Criminal Law—All 50 states have computer crime laws of varying scope, from general prohibitions on unauthorized access to statutes targeting specific types of crime.
  • Laws Governing Specific Relationships—Common examples in state statute include landlord-tenant, employer-employee relationships, library patrons and student privacy.
  • State Laws Pertaining to Government Activities—States often regulate state government agencies or state government employee actions relating to privacy, including prohibiting or permitting certain actions. For example, a state may regulate the collection and preservation of public records.

Emerging areas and gap-fillers to consider include, but are not limited to:

  • State Cybersecurity Laws—Some states have laws that require businesses to follow rules related to encryption, data breaches, incident reporting, ransomware and other cybersecurity practices that could go further than the provisions in a federal data privacy bill.
  • State Versions of Federal Laws That Allow for Stronger Provisions—Multiple federal privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Cable Communications Policy Act of 1984, do not preempt stricter privacy protections at the state level. In fact, some federal laws preempt “contrary” state laws but include an exception for state laws providing greater protections.
  • State Laws Governing an Area the Federal Law Does Not Address or Contemplate—Federal privacy legislation is unlikely to account for certain privacy concerns unique to certain states, so states should retain the ability to legislate in these areas to avoid gaps, such as anti-paparazzi laws and audio recordings between parties.
  • Biometrics—This area requires special consideration because aspects such as definitions, collection versus use and enforcement mechanisms are still widely debated. While some bills already contain biometric definitions and provisions, and one state—Illinois—has passed a law governing this particular data, this hotly debated topic should be considered outside of existing debates on comprehensive data security and data privacy legislation.

Consideration #3: Carve-Outs for Existing Federal Laws 

Multiple pieces of current, privacy-related federal law could be explicitly carved out so they are not modified by a new law. Statutory language should address how data is treated when it may be subject to a sectoral privacy law and a comprehensive privacy law, including whether compliance with a sectoral law satisfies requirements set by a new comprehensive law. Existing privacy-related federal laws already have regulatory frameworks in place, and any changes should be addressed through different legislation or amendments to the original statute. These broadly fall into six categories, including but not limited to:

  • Student Privacy—Family Educational Rights and Privacy Act (FERPA)
  • Health Privacy—HIPAA and Health Information Technology Economic and Clinical Health (HITECH) Act
  • Financial Privacy—Gramm-Leach-Bliley Act (GLBA), Fair Debt Collection Practices Act (FDCPA) and Fair Credit Reporting Act (FCRA)
  • Children’s Privacy—Children’s Online Privacy Protection Act (COPPA)
  • Federal Government Practices—Privacy Act of 1974 and E-Government Act of 2002
  • Other Laws—Communications Assistance for Law Enforcement Act (CALEA), Communications Act of 1934, Electronic Communications Privacy Act (ECPA), Driver’s Privacy Protection Act of 1994, Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act), Restore Online Shoppers’ Confidence Act, part C of title XI of the Social Security Act, Telemarketing and Consumer Fraud and Abuse Prevention Act, Telephone Consumer Protection Act, Genetic Information Nondiscrimination Act and Federal Aviation Act of 1958

Consideration #4: Other Aspects

The scope of preemption is important, but there are other aspects to consider when including preemption language. These include:

  • Language and definitions need clear meaning—Otherwise, uncertainty is introduced into the laws and regulations, which could lead to litigation, force courts to decide what is and is not preempted, or require additional agency action. For example, if new legislation has language targeting laws that “directly conflict,” a debate could ensue on what falls under that provision. To ensure that clear language and definitions are established, a federal agency like the FTC could be empowered to review cases of preemption, either as an advisory body for federal courts or with decision-making authority. In addition, Congress could leave certain provisions open for states or a federal agency like the FTC to define (e.g., the federal law may not establish a uniform age of consent to define minors and teens).
  • Grandfather existing state privacy laws—Specific state laws, or every state law enacted prior to the federal legislation, could be grandfathered in so that they continue to apply despite the new federal law. For example, California’s privacy legislation could be allowed to remain in effect while others are preempted.
  • Enforcement by state governments—State attorneys general or other state agencies could be empowered to assist in enforcing federal legislation, including bringing civil actions on behalf of residents of their state and/or investigating violations. This could be helpful in enforcement against largely local bad actors. They already play a role in enforcing other pieces of federal privacy legislation. Specific considerations would need to include whether notification needs to be made to the FTC first, whether the FTC has a right of first refusal, where actions can be brought, and the role of state-level data protection authorities.

RECOMMENDATIONS

Taking these options into consideration, we offer three main recommendations related to preemption in federal data security and privacy legislation: preemption should not be approached as all-or-nothing, rights and provisions of a federal law should be compared to existing and proposed state laws, and state governments should have a role in enforcement.

Recommendation #1: Preemption should not be approached as all-or-nothing

A federal privacy law should preempt states on substantive provisions covered by the federal law but should also include carve-outs. It is important to prohibit states from making stricter or additional protections, as failure to restrict this action would inevitably result in returning to the existing patchwork of state restrictions. Federal legislation must also be strong enough to provide adequate privacy and security protections to consumers while taking into account the needs of businesses and groups that will be tasked with complying with it.

This allows for a uniform approach for both consumers and industry while protecting areas of state concern through carve-outs. It will prevent entities from having to follow various state frameworks and any subsequent amendments, which would result in large compliance costs, uncertainty on what is needed to comply and the need to monitor all 50 states regularly. A single standard also produces greater trust and ensures that all individuals enjoy the same protections regardless of where they reside or travel.

Specifically, we suggest that federal privacy legislation include:

  • Clear Statutory Language That Explicitly Preempts States from Making Their Own Privacy Laws, but That Includes Carve-Outs for Certain Areas—This would prevent states from making distinct, inconsistent frameworks. Select carve-outs are important, however, because they respect and uphold the long history of states having control over unique issues that affect their area, they account for areas that are best addressed by having a local approach instead of a national one and they can help fill gaps not covered by federal law.

We recommend carve-outs for areas of traditional state concern (civil rights laws; state statutes surrounding unfair and deceptive acts and practices; state constitutional law; state laws relating to tort, contract, and property in statute or common law; state criminal law; laws governing specific relationships; and state laws pertaining to government activities) and for emerging areas and gap-fillers (state cybersecurity laws, state versions of federal laws that allow for stronger provisions and state laws governing an area the federal law does not address or contemplate; biometrics require special consideration, as highlighted above).

We also recommend that carve-out implementation be considered in statute in the following ways:

    • If an issue area has been addressed by federal statute, the statute should preempt any state level law covering the same topic. For example, if biometric provisions are substantively included in a federal law, states should not be able to make additional or stricter standards.
    • If state laws regulate the collection, use, maintenance or other handling of covered data addressed by federal legislation, then those provisions of state law should be preempted, even if that state law encompasses a carve-out enumerated above.
    • State laws should not be used to litigate claims related to violations of the federal data security and privacy law.
    • Actions by states should be monitored to ensure that additional or new protections are not being created under a carve-out, including under unfair and deceptive acts and practices statutes. For example, a new privacy protection could be created by a state as a tort or an unfair and deceptive practice as a way to expand provisions and get around preemption.
  • A Prohibition of Grandfathering Existing State Frameworks or Laws Outside of Those Covered as Carve-Outs—One or multiple existing state laws, such as California’s, should not be singled out and allowed to stand while preempting others. A basic premise of the U.S. legal system and our constitutional framework is that all states are equal. Selective preemption of some states’ laws would undermine that concept. Furthermore, allowing some existing frameworks to persist would result in inconsistencies from the outset.
  • Clear Statutory Language That Explicitly Excludes Select Federal Laws from Being Affected—Certain existing laws have agreed-upon regulatory frameworks that have existed for years. If these current frameworks were affected by a new law, it would result in burdensome compliance actions and costs for companies and would weaken data security by subjecting unique data to a broader law instead of a sector-specific law. Although this means that some entities would have to follow multiple frameworks, the challenges of making changes to existing laws would outweigh the benefits of a single framework. Therefore, any changes suggested to these existing frameworks should be considered through separate legislation or amendments to their original statute.

The federal carve-outs we recommend excluding from a federal privacy law are 11 of the statutes previously mentioned. They pertain to student privacy, health privacy, financial privacy, children’s privacy and other categories. These include FERPA, HIPAA, HITECH Act, GLBA, FCRA, COPPA, CALEA, ECPA, Communications Act of 1934 (except as noted below), Driver’s Privacy Protection Act of 1994, and the Federal Aviation Act of 1958. Specifically, data covered by and used in accordance with these existing federal privacy laws should be excluded, but if a covered entity collects data not subject to the other laws, it should follow the provisions in the comprehensive federal legislation for that other data. This will help avoid dual systems for the same data.

Also, we recommend that a federal data privacy law aim to have entities covered by the statute regulated by only one agency for data privacy and security, rather than multiple. In the area of data security and privacy specifically, Congress could consider allowing the FTC to solely regulate the area to avoid confusion and duplication with the Federal Communications Commission. Of note, certain provisions of existing statutes currently prevent the FTC from regulating data security and privacy fully, such as those related to common carriers; therefore, existing statutes may need to be amended or superseded to allow for this approach.

Recommendation #2: Rights and provisions of a federal law should be compared to existing and proposed state laws.

The substance of a final privacy bill will reflect how the politics surrounding preemption are addressed. For example, advocates of California’s privacy framework may be less likely to oppose broader preemption if the rights and structures currently in place are comparable or stronger in a federal law. On the other hand, if federal law offers fewer protections and still preempts state laws, many are likely to see the federal law as a step backward.

This means that preemption is directly related to other areas of disagreement in the privacy debate like a private right of action (PRA), rulemaking authority and enforcement mechanisms. For example, if the FTC has rulemaking authority, there is an increased likelihood of conflict with state laws and regulations in the absence of broader preemption.

Recommendation #3: State governments should have a role in enforcement. 

Permitting state attorneys general, consumer protection officials, or other state officials to share in enforcement will amplify enforcement efforts and make sure local concerns are being addressed. States should be able to conduct investigations into violations affecting their state and bring civil suits in federal court. However, the FTC or a designated federal agency should have the right to be heard in any case brought, to help ensure consistency and expertise.

In addition, states should be permitted to maintain state-level data protection authorities, like the California Privacy Protection Agency. However, the agencies should not be permitted to take action that is inconsistent with federal legislation or that is exclusively granted to a federal agency. Sample roles could include serving as a subject-matter expert for implementation, addressing previously mentioned carve-outs, training and raising awareness.

About this series: This is part of a series considering the major stumbling blocks of federal data security and data privacy efforts. It draws upon existing research and interview data to identify the most salient issues within data security and data privacy and recommend the most appropriate courses of action in an effort to find compromise on federal legislation.

Recommended citation

Zabierek, Lauren, Tatyana Bolton, Brandon Pugh, Sofia Lesmes and Cory Simpson. “Preemption in Federal Data Security and Privacy Legislation.” Belfer Center for Science and International Affairs, Harvard Kennedy School, June 14, 2022