The CPPA and Federal Preemption of State Data Privacy Laws?

Without a federal consumer data privacy law construct, legislators from several states have been promulgating their own, individual regulations. Of the five states that have comprehensive laws on the books (California, Colorado, Connecticut, Virginia and Utah), California was the pioneer, the first to enact a state consumer privacy law when it passed the California Consumer Privacy Act (“CCPA”) in 2018. In a nutshell, the CCPA gives consumers more control over the personal information that businesses collect about them. The California law and accompanying regulations (yet to be finalized), now enforced by the California Privacy Protection Agency (“CPPA”), provide strict, extensive protections for consumers in the State of California. The CPPA is now concerned about the potential reach of the long-awaited, federal consumer data privacy legislation now before Congress.

CPPA’s Concern About the ADPPA’s Federal Reach

The House Energy and Commerce Committee introduced the American Data Privacy and Protection Act (“ADPPA”) during last year’s Congressional session. As we reported at that time, the bill (H.R. 8152), has bipartisan support, making it likely that it will become law in some form at some point in time. The ADPPA would establish requirements for how companies handle consumer personal data, which includes information that identifies — or is reasonably linkable — to an individual. 

According to the bill summary, the ADPPA would require most companies to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service. Further, the ADPPA would prohibit companies from transferring consumer personal data without affirmative express consent. Among other things, the bill would establish consumer data protections, including the right to access, correct, and delete personal data. Of great significance to the CPPA is the fact that the bill would preempt state privacy laws, except for certain categories of state laws.

CPPA Board Voices Concerns Over Federal Law 

On February 23, 2023, the California Attorney General Rob Bonta, Governor Gavin Newson, and the CPPA sent a joint letter to Congress opposing the prospect that federal privacy laws would preempt state regulations. Essentially, the authors requested that Congress, “set the floor and not the ceiling in any privacy law, and to allow states to provide additional protections in response to changing technology and data privacy protection practices.” The CPPA is concerned that the new law would weaken existing state consumer privacy protections and prevent state legislators from passing new regulations. 

Balancing Federal Law and CPPA Concerns

There is a strong industry-wide sentiment that it would be helpful to have a federal law that preempts stronger state regulatory efforts. Without a comprehensive federal law that would streamline the process, companies are expected to follow the patchwork of different state laws now in effect across the Country. The California Attorney General, Governor, and CPPA have made clear that they hope to eliminate the federal preemption provision now contained in the proposed legislation.

The House Energy & Commerce Committee is expected to reintroduce the ADPPA in the new legislative session. If Congress passes the ADDPA, it will be some time before a federal privacy law would go into effect. Regardless of the measure’s fate, businesses still need to navigate present state privacy law waters. Checking all of the privacy law compliance boxes across five states (with more to come) takes significant time and requires legal specialization. Hiring experienced data privacy attorneys can take that burden off a business’ to-do list. 

The attorneys at Klein Moynihan Turco have years of experience in the area of consumer data privacy and can help your business stay compliant in a rapidly-changing sector. If you need assistance with updating your privacy practices and/or complying with 2023’s new privacy laws, please email us at or call us at (212) 246-0900. 

The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Related Blog Posts:

Proposed Federal Privacy Law Hearing Reveals Progress And Sticking Points

Coming Soon: A Federal Privacy Policy Mandate

New FTC Data Privacy Laws?


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

TCPA vicarious tcpa law woman holding cellphone telemarketing laws

TCPA Vicarious Liability

An Illinois federal district court judge recently held that State Farm Mutual Automobile Insurance Company (“State Farm”) may be vicariously liable for alleged Telephone Consumer

Read More »