For years, state attorneys general have led the nation in regulating consumer data privacy—using multistate investigations to enforce federal and state law and address the largest alleged violations.
The American Privacy Rights Act, a comprehensive consumer data privacy bill, threatens to disrupt this system. It has potential to diminish AGs’ power and the mechanism they’ve developed through years of deliberate action and regulatory evolution. A coalition of AGs has asked Congress to reconsider language in the bill as a result.
To understand the impact ARPA may have on the current system, some historical context is necessary. Some states have adopted comprehensive consumer data privacy laws in the absence of equivalent federal legislation, plugging enforcement gaps and creating ad-hoc national privacy enforcement that has grown in sophistication.
Those jurisdictions take their responsibility seriously, spending time and money to develop institutional expertise, attract top talent, and build a regulatory ecosystem that allows them to act effectively and swiftly amid changing technology. California and Texas have specialized regulatory enforcement groups focused on enforcing consumer data privacy laws.
Even in states that lack a dedicated regulatory enforcement group, most AG offices employ attorneys and specialists who have dedicated their careers to data privacy—many are considered among leading experts in their field.
This multistate enforcement ecosystem is propelled by decades-long relationships between these specialized attorneys who share and pool resources, allowing AGs to operate at levels far exceeding those of other comparable regulatory enforcers at the federal and global levels.
Given the long-term effort to build such a complex enforcement system, it’s easy to see why AGs are reluctant to cede authority to the federal government and hand over the reins.
Institutional competition between state and federal government isn’t what drives these concerns. State and federal governments frequently partner in large investigations, and there’s no indication this would change under ARPA.
Rather, there are concerns over the preemption language in ARPA and the perception that the legislation would upend a mature regulatory framework. The AGs are focused how much ARPA’s preemption language could limit their ability to bring claims under consumer protection laws, which gives AGs broad authority to pursue novel and unique data privacy violations.
The civil investigative demand—which is like a subpoena and used to initiate an investigation—is AGs’ primary enforcement tool. The legal predicate for issuing a CID often is an alleged violation of a state consumer protection law. APRA threatens this practice because it provides that “a violation of this Act or a regulation promulgated under this Act may not be pleaded as an element of any violation of such law.”
State AGs interpret this language (to prohibit violations of federal law) from serving as a basis for state consumer protection claims. Absent an alleged consumer protection violation based on a federal predicate, the concern is that CIDs couldn’t be issued unless AGs could identify another separate state law violation. AGs generally view APRA as potentially crippling their investigative and enforcement authority—especially in areas where the law hasn’t caught up with technology.
The federal government’s regulatory prowess is another concern. As drafted, the Federal Trade Commission would play a primary role in shaping enforcement under APRA, not the states. APRA contemplates an entirely new bureau at the FTC to engage in oversight and rulemaking.
To the extent these rules are inconsistent with state regulations, industries would have to adapt to yet another standard, and AGs would have to modify their enforcement priorities and practices.
As AGs know from experience, it can take years for a new federal agency bureau to get off the ground and decades to build the professional relationships required to execute enforcement at a high level. These are years that state privacy regulators feel they don’t have, in light of the rapid development of new technologies and the sweeping impact that artificial intelligence will have.
The debate surrounding APRA and its preemption clause underscores the ongoing tensions, juxtaposed with collaboration and cooperation, between federal and state jurisdictions over data privacy. Comprehensive federal legislation could disrupt the status quo and alter this balance, which could upend regulation and enforcement in the US.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Stephen Piepgrass is partner at Troutman Pepper who leads the firm’s regulatory investigations, strategy and enforcement (RISE) practice group.
Daniel Waltz is an associate and member of Troutman Pepper’s RISE practice and state attorneys general team.
Natalia A. Jacobo is an associate in Troutman Pepper’s RISE practice.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.