Back to www.cdt.org                    
  IMAGE MAP
CDT's data privacy page
Considering Consumer Privacy

The Impact of Privacy Pre-emption on Consumers and Commerce

Eliot Spitzer, Attorney General
State of New York

The Impact of Privacy Pre-emption on Consumers and Commerce [pdf]

Pre-emption Proposals Put Commerce and Consumer Privacy at Risk

Many in favor of safe and successful e-commerce agree on the need to illuminate the playing field with baseline privacy standards, standards that give businesses the clarity they need to operate and consumers the transparency they need to see the operations and trust in the outcome. Without such standards, e-commerce will continue to fall short of its exciting potential.

Unfortunately, some recent proposals for a federal privacy standard include a feature that is commercially counterproductive and harmful to consumers. This feature is a pre-emption clause. The proposed clauses impair or outright preclude states' efforts to protect their citizens' privacy. Why? Some e-commerce players fear that state efforts to protect consumers will confuse and limit the growth of online commerce. To quote the oft-repeated slogan, industry proponents of pre-emption fear a patchwork of state regulation.

But the real patchwork problem is here and now, impacting consumers. The patchwork is made up of privacy costs that vary in visibility and clarity from site to site and good-faith privacy promises that lack any reasonable method of verification or enforcement. A federal privacy standard that includes the proposed pre-emption provisions would impose an even higher privacy penalty on consumers and, in turn, all players in a market affected by consumer confidence.

Brands of Pre-emption

States have always been on the front lines of consumer protection. Their attorneys general are directly accountable to their constituents and their state courts. State consumer protection officials constitute a responsive, experienced, and indispensable enforcement resource. Extraordinary deliberation should therefore be accorded to any proposal to limit how, when, or if a state protects its own residents.

The pre-emption proposals fall into two categories: the enforcement pre-emption proposals seek to deter or prohibit states from taking enforcement actions to address business misconduct; the legislative pre-emption proposals seek to preclude states from formulating laws and regulations to protect their citizens. Some of these provisions curtail state authority so drastically that they essentially foreclose basic privacy protections.

Enforcement Pre-emption

In bills such as the Consumer Privacy Protection Act proposed by Representative Cliff Stearns (H.R. 4678 in the last Congress), the pre-emption language threatens to flat-out prohibit state officials from taking any action whatsoever against commercial misuse of consumers' personally identifiable information.

A pre-emption clause that shackles states' enforcement ability would pose a serious threat to consumers' interests. Any such proposal should be stringently tested against the backdrop of the states' longstanding record of valuable enforcement activities.

On the privacy front, states have a proven track record of thoughtful responses to identity theft, data spills, unwanted commercial surveillance, and other abuses of consumers' data. The newly-enacted federal Children's Online Privacy Protection Act (COPPA) was first invoked by states during the Toysmart bankruptcy proceedings. Similarly, the multistate agreement with DoubleClick represents the first Web disclosure standards to comprehensively address verification and enforcement, while at the same time maintaining a sensitivity to the need for commercial innovation in using technology. In the states' settlement with Eli Lilly regarding the privacy of subscribers to Lilly's prozac.com reminder service, states articulated technology protocols for employee access to consumer databases. A multistate assurance with Ziff Davis Media outlined reasonable e-commerce network security practices. States also have succeeded in requiring several major national banks to stop secretly selling customer account data to third-party telemarketers and have required those telemarketers to drop their misleading sales pitches.

Through these efforts, states have not only protected consumers' privacy, they have helped define the rules of the road for safe and successful commerce. Such actions have often been welcomed by industry and advocates as important contributions to a better functioning marketplace.

Further, and notwithstanding the excellent record and commitment of federal consumer protection officials, enforcement pre-emption rests on an unrealistic assumption that a single, centralized agency has sufficient resources to field investigations and conclude cases for the whole country. The fact is, state agencies collectively constitute an irreplaceable resource for understanding what businesses do and how consumers react. State agencies benefit from close access to their citizens. They have access to their own unique resources for understanding technology and investigating the facts. No single agency can replicate the diversity and depth of talent, dedication, and investigative insight that states offer their constituent consumers and generously share with their federal and state colleagues.

The proposed limits on state officials and burden on federal officials would mean that, in a world in which e-commerce is struggling to succeed but also struggling to figure out how to fulfill its privacy obligations, consumers would have far fewer protections and protectors.

Legislative Pre-emption

Recent legislative pre-emption proposals Ð those that prohibit states from enacting laws to protect their residents' privacy Ð are an unwarranted departure from states' recognized role in protecting consumers.

Congress specifically chose not to pre-empt the states' ability to set higher financial privacy standards for businesses when Congress enacted the Financial Modernization Act of 1999 (the Gramm-Leach-Bliley Act). Instead, Congress set a baseline standard. The same respect for state authority appears in the Health Insurance Portability and Accountability Act (HIPAA).

In the proposals at issue Ð for a general-purpose, national privacy law that is not specific to any particular industry Ð it is even more crucial that federal law leave room for states to build on a baseline standard. But Senator Fritz Hollings' Online Personal Privacy proposal (S.B. 2201 in the last Congress) as well as Representative Stearns' proposed bill (H.R. 4678 in the last Congress) threaten to preclude states from passing any rule regarding commercial use of personal information, online or off.

Pre-emption proponents find it is easy to get people to nod their heads with the assertion that only a national privacy standard makes sense, especially for e-commerce. They speculate that a patchwork of state laws will surely stifle commerce with costly compliance. In reality, state and federal agencies have put a great deal of effort into communicating with each other, joining together to learn about new business/technology models and undertaking joint actions Ð a testament to the key values they hold in common.

Even differences among enforcement approaches are critical to a dynamic that allows rules to keep pace with the evolution of commerce. States have always been the laboratory for the development of effective laws and processes to protect consumers and promote fair competition. States' efforts have shown how to make it safer for consumers in a world of hyperlinked businesses to shop, open a bank account, go to the doctor, fill a prescription, read email Ð or pick up the phone during dinner. Likewise, businesses have a successful history of accommodating themselves to a range of state consumer protection statutes.

Some in industry argue that states' accustomed authority should be set aside because state privacy laws might interfere with the very workings of e-commerce technology. This argument in support of legislative pre-emption is without a sound technological basis.

First, industry representatives assert that the borderless functioning of Internet communications necessitates a borderless and uniform federal privacy rule. But the privacy protection at issue here is not about imposing rules Ð state or federal Ð on how the Internet functions. It is about determining standards for how businesses choose to behave while using it. In fact, it is about addressing problems consumers face as businesses innovatively harvest and market data from customer interactions, whether online or offline. Regardless of the medium, when it comes to business-to-consumer interactions, business is still business.

Second, some businesses have alleged that adapting their own processes to state laws poses too great a burden. And yet businesses have already demonstrated more than enough technological flexibility. The byword of e-commerce is personalization Ð business applications that engage automatically in customized interactions, customer by customer.

This trend toward automated personalization is one of the main reasons for the privacy debate in the first place. By and large, when it comes to transactions involving personal information, businesses do know where their customers are and adapt their transactions accordingly. Commercial transactions often require that consumers provide location data, whether to ship a book or display a local weather report. Online businesses frequently locate consumers with nothing more than consumers' IP (Internet Protocol) addresses, as evidenced by online advertisers that have been displaying geographically targeted ads for years and the growing market in geolocator software used by industry for fraud prevention. Wireless subscribers, too, will soon have the option of providing their locations with pinpoint accuracy.

If businesses can tailor interactions from consumer to consumer based on city, zip code, or prior purchase history and find new ways to generate revenue from consumer data in the process, then businesses can tailor their practices to state-level measures that protect those consumers' interests.

In sum, industry's patchwork predictions and technology characterizations provide no basis for federal legislation that bars states from passing laws, in harmony with federal laws, to protect and enhance their residents' privacy.

Conclusion

There are real problems facing commerce and consumers. Both online and offline, commercial uses of technology offer new opportunities for individuals but also impose new costs on them.

If states are barred from promulgating and enforcing rules regarding their residents' personal information, what remains of states' well-established leadership role in protecting consumers? In the rapidly evolving age of personal information, the proposed pre-emptions would swallow state consumer protection, pre-empting consumers' privacy in the process. It is crucial to the interests of consumers and commerce alike to take care to preserve the vigor of all consumer protection resources.

Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam
Navigation bar
Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action!
Previous Headlines | Legislative Tracking | CDT's Privacy Policy
  The Center For Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) 202.637.9800
(f) 202.637.0968
Contact CDT

Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.
CDT Mission Get Involved Staff Policy Posts Resource Library Search the Site Jobs Take Action