In a letter (pdf) to members of the U.S. House Energy and Commerce Committee, Privacy Lives and nine consumer groups said state preemption language should be stricken from H.R. 2221, the Data Accountability and Trust Act, introduced by Illinois Rep. Bobby Rush. When federal and state laws conflict, “preemption” allows federal laws to trump state laws. Consumer advocates continue to urge (pdf) that any federal laws set a floor for regulation (which allows states to create stronger laws) not a ceiling (which bars states from creating more protective laws).
The groups submitted the letter ahead of a hearing on Wednesday, Sept. 30, by the full U.S. House Committee on Energy and Commerce to markup H.R. 2221. (During markup, legislators debate, amend, and rewrite proposed legislation.) The groups said:
We applaud the sponsors for including in the bill some of the strongest public policy provisions of any bill before the Congress to address the myriad data security and privacy problems that have been identified following years of well-publicized security breaches at some of the nation’s largest firms. In addition, the bill imposes Fair Information Practice-based privacy duties on the class of virtually unregulated data brokers like Choicepoint.
However, the bill approved in subcommittee includes unacceptable preemptive language that restricts further state and individual consumer action, despite strong evidence that the states have led, and will continue to lead, if allowed, on identity theft and other privacy protection issues. We believe strongly that federal law should always serve as a floor, not a ceiling.
The groups pointed to Choicepoint as an example. There have significant privacy problems that arise because commercial databrokers, such as ChoicePoint and LexisNexis, build massive profiles (which have included false data) on individuals, including their credit and work histories. Such files can be used for criminal purposes. For example, in February 2005, Choicepoint sold the records of at least 145,000 Americans to a criminal ring engaged in identity theft. The public learned of Choicepoint’s sale of sensitive data to criminals because California’s security breach law (pdf) demanded it; federal law did not. We need the states to continue to have the freedom to create strong privacy protections for consumers.
The groups in the coalition are:
Center for Digital Democracy
Consumer Federation of America
Electronic Frontier Foundation
Privacy Rights Clearinghouse
U.S. Public Interest Research Group
World Privacy Forum