The Washington PostDemocracy Dies in Darkness

Opinion Should Congress override state privacy rules? Not so fast.

(Loic Venance/AFP/Getty Images)

CONGRESS IS delving into data privacy at last. The House held a hearing on the subject Tuesday, and the Senate follows Wednesday. Testimony from industry groups and advocates previewed plenty of buzzy topics that legislators are likely to probe, from discriminatory pricing to limits on processing certain types of data. But lawmakers are split most starkly over preemption, or the question of whether a federal law should supersede state statutes. That may sound like a technicality, but it is highly consequential.

Those who favor Congress overriding, or preempting, state standards claim that local protection regimes create a “patchwork” too complicated for companies to comply with. Tech companies want a harmonized approach to privacy across the United States, like the European Union has tried to achieve with its General Data Protection Regulation. Republicans on the Hill so far seem inclined to agree. Privacy advocates counter that the push for preemption is a cynical ploy to neuter stricter rules, such as those in the California Consumer Protection Act, signed into law last summer. Supporters of that legislation believe its protections will trickle across the country, much as California’s heightened auto-emissions standards have led to more eco-friendly cars nationwide.

There’s a plausible case for preemption. Grappling with varying data-governance regimes is different from grappling with varying building codes, because data necessarily travels across borders. For companies, the alternative to navigating this conundrum is to identify the strictest set of rules (say, California’s) and apply them everywhere. But there is a philosophical argument to be made against allowing a single state to determine the experience of consumers across the country. There are practical hurdles, too: Privacy law is more complicated than auto emissions. Rules from one state could conflict with another’s, and determining which is “strictest” is not as easy as it may sound.

Still, an anemic federal privacy regime that undoes robust state efforts without offering a viable alternative would leave everyone worse off. A better idea, if Congress can agree only on weak rules, would be to set a baseline that states can improve on. After all, the argument for such a scheme would go, technology moves fast, Congress historically does not, and states might prove more nimble. Experimentation at the local level sometimes inspires smarter policy on Capitol Hill.

Preemption so far has been treated as an all-or-nothing proposition. It doesn’t have to be. Congress could set overriding federal rules in some areas of privacy regulation and allow states more leeway in others. Legislators could also ensure that preemption clauses in any bill sunset after a certain number of years, so Congress could assess whether federal regulation has succeeded and whether technological advances require new protections. There is more opportunity for harmony on the Hill than the conversation so far has allowed.

Read more:

The Post’s View: Our privacy regime is broken. Congress needs to create new norms for a digital age.

The Post’s View: Tech companies are open to privacy regulations. Congress should act.

Steven Hill: How to rein in Big Tech

Neema Singh Guliani: The tech industry is suddenly pushing for federal privacy legislation. Watch out.

Woodrow Hartzog and Neil Richards: It’s time to try something different on Internet privacy