Federal vs. State Authority and Preemption
Federal vs. State Authority and Preemption is a foundational concept in U.S. privacy law. The U.S. Constitution establishes a system of federalism, where governmental power is divided between the federal (national) government and state governments. Both levels of government have the authority to enact privacy laws, which creates a complex, overlapping patchwork of regulations.

**Federal Authority:** The federal government derives its power to regulate privacy primarily from the Commerce Clause of the U.S. Constitution. Federal privacy laws tend to be sector-specific, targeting particular industries or types of data. Examples include HIPAA (health data), GLBA (financial data), COPPA (children's online data), and FERPA (educational records).

**State Authority:** States retain broad police powers under the Tenth Amendment, allowing them to enact their own privacy laws. Many states have been proactive, passing comprehensive privacy legislation (e.g., California's CCPA/CPRA, Virginia's VCDPA, Colorado's CPA) and sector-specific laws addressing data breaches, biometric data, and consumer protections.

**Preemption:** Preemption is the legal doctrine that determines which law prevails when federal and state laws conflict. Under the Supremacy Clause (Article VI), federal law is the 'supreme law of the land' and can override conflicting state laws. However, preemption in privacy law is nuanced:

1. **Express Preemption:** A federal statute explicitly states it overrides state laws (e.g., certain HIPAA provisions).
2. **Implied Preemption:** Federal law implicitly displaces state law through comprehensive regulation or direct conflict.
3. **Floor vs. Ceiling Preemption:** Some federal laws set a 'floor,' allowing states to provide greater protections (e.g., HIPAA permits stricter state health privacy laws). Others set a 'ceiling,' prohibiting states from exceeding federal standards.

This interplay means privacy professionals must navigate both federal and state requirements, ensuring compliance with whichever standard provides the most protection or is most restrictive in a given context. Understanding preemption is critical for effective privacy program management.
Federal vs. State Authority and Preemption: A Comprehensive CIPP/US Study Guide
Introduction
Understanding the relationship between federal and state authority — and particularly the doctrine of preemption — is one of the most foundational topics for the CIPP/US exam. Privacy professionals must grasp how federal and state privacy laws interact, overlap, and sometimes conflict. This guide will walk you through why this topic matters, what it entails, how it works in practice, and how to approach exam questions confidently.
Why Is This Topic Important?
The United States does not have a single, comprehensive federal privacy law. Instead, it relies on a sectoral approach, with federal laws covering specific industries or types of data (e.g., HIPAA for health information, GLBA for financial data, COPPA for children's online data). In the absence of a comprehensive federal framework, states have stepped in aggressively to fill the gaps, creating their own privacy and data protection laws.
This patchwork creates significant complexity for organizations operating across multiple states. Understanding which law applies — federal, state, or both — is critical for compliance. The doctrine of preemption determines when a federal law overrides or displaces a state law, and when state laws can impose additional or stricter requirements. For privacy professionals, getting this wrong can mean non-compliance with applicable regulations and exposure to legal liability.
On the CIPP/US exam, this topic is tested frequently because it reflects the real-world challenge of navigating the U.S. privacy landscape.
What Is Federal vs. State Authority?
The U.S. Constitution establishes a system of federalism, where governmental power is shared between the federal (national) government and state governments. Both levels of government have the authority to enact laws, including laws that address privacy and data protection.
Federal Authority: The federal government derives its power from the U.S. Constitution, primarily the Commerce Clause (Article I, Section 8), which grants Congress the power to regulate interstate commerce. Most federal privacy laws are enacted under this authority.
State Authority: Under the Tenth Amendment, powers not delegated to the federal government are reserved to the states. States have broad police powers — the authority to legislate for the health, safety, and welfare of their residents. Privacy regulation falls squarely within this authority, which is why states have been prolific in enacting privacy legislation, from data breach notification laws to comprehensive consumer privacy laws (e.g., the California Consumer Privacy Act/CCPA, the Virginia Consumer Data Protection Act/VCDPA, and many others).
What Is Preemption?
Preemption is a legal doctrine rooted in the Supremacy Clause of the U.S. Constitution (Article VI, Clause 2), which establishes that federal law is the "supreme Law of the Land." When a valid federal law conflicts with a state law, the federal law prevails and the state law is preempted — meaning it is rendered unenforceable to the extent of the conflict.
However, preemption is not automatic and is not always total. The degree and type of preemption depend on the specific federal statute and how Congress intended it to interact with state laws.
Types of Preemption
There are several types of preemption that are important to understand:
1. Express Preemption
This occurs when Congress explicitly states in the text of a federal statute that it preempts state law in a particular area. The statute will contain a preemption clause that defines the scope of federal preemption.
Example: The CAN-SPAM Act of 2003 expressly preempts state laws that specifically regulate the use of email to send commercial messages, except to the extent a state law prohibits falsity or deception in a commercial email. It also does not preempt state laws that are not specific to email, such as general fraud, trespass, contract, or computer crime statutes.
2. Implied Preemption
Even without an express preemption clause, federal law can implicitly preempt state law. Implied preemption takes two forms:
• Conflict Preemption: A state law is preempted when it directly conflicts with a federal law, making it impossible to comply with both simultaneously, or when the state law stands as an obstacle to accomplishing the full purposes and objectives of Congress.
• Field Preemption: A state law is preempted when Congress has legislated so comprehensively in a particular area that it has effectively "occupied the field," leaving no room for state regulation, even if there is no direct conflict.
3. Floor Preemption (Minimum Standards Preemption)
Some federal laws set a floor — a minimum standard of protection — and explicitly allow states to enact laws that provide greater or more stringent protections. This is an extremely important concept in U.S. privacy law.
Example: HIPAA establishes a federal floor for health information privacy. Its preemption provision displaces state laws that are "contrary" to HIPAA, but expressly carves out state laws that are "more stringent" (more protective of the individual's privacy), so those remain enforceable. A less protective state law is preempted only to the extent it is actually contrary to HIPAA, meaning a covered entity could not comply with both or the state law would obstruct HIPAA's purposes.
4. Ceiling Preemption (Maximum Standards Preemption)
Some federal laws set a ceiling — a maximum standard — preventing states from enacting laws that impose more stringent requirements in the regulated area. This type of preemption is less common in privacy law but does occur.
Example: The Fair Credit Reporting Act (FCRA), as amended by the FACT Act, contains specific provisions that preempt state laws on certain topics (such as the content of credit reports and credit score disclosures), effectively setting a ceiling in those specific areas while allowing states to regulate in other related areas.
How Preemption Works in Key U.S. Privacy Laws
Let's examine how preemption operates across major federal privacy statutes that are frequently tested on the CIPP/US exam:
HIPAA (Health Insurance Portability and Accountability Act)
• Preemption Type: Floor preemption
• How it works: HIPAA's Privacy Rule generally preempts contrary state laws. However, state laws that are more stringent (i.e., more protective of individual privacy) are NOT preempted. The rule also preserves state laws that provide for public health reporting or for health plan reporting and audits, and the Secretary of Health and Human Services (HHS) can determine that a contrary state law survives if it is needed for purposes such as preventing fraud and abuse, regulating insurance and health plans, state reporting on health care delivery or costs, or regulating controlled substances.
• Key takeaway: Organizations subject to HIPAA must comply with both HIPAA and any state laws that offer stronger privacy protections.
GLBA (Gramm-Leach-Bliley Act)
• Preemption Type: Floor preemption
• How it works: GLBA generally does not preempt state laws that provide greater protection to consumers regarding financial privacy. States may impose stricter requirements on financial institutions.
• Key takeaway: Many states have enacted financial privacy laws that go beyond GLBA's requirements, and these remain enforceable.
FCRA (Fair Credit Reporting Act)
• Preemption Type: Mixed — contains both floor and ceiling provisions
• How it works: FCRA, particularly after the FACT Act amendments, contains specific provisions that preempt state law in certain enumerated areas (e.g., identity theft provisions such as fraud alerts, the content of consumer reports, credit score disclosures, and the sharing of information among affiliates). In other areas, FCRA sets a floor, and states can impose greater protections.
• Key takeaway: The preemption analysis under FCRA requires careful examination of the specific provision at issue.
CAN-SPAM Act
• Preemption Type: Ceiling preemption (for email-specific laws)
• How it works: CAN-SPAM expressly preempts state laws that specifically regulate the use of email to send commercial messages. Two exceptions matter: a state law survives to the extent it prohibits falsity or deception in a commercial email, and state laws of general applicability, such as fraud, trespass, contract, or computer crime statutes, are not preempted at all.
• Key takeaway: States cannot impose their own unique requirements on commercial email content and sending practices, but they can still prohibit deceptive commercial email and use general-purpose laws to address email-related misconduct.
COPPA (Children's Online Privacy Protection Act)
• Preemption Type: Floor preemption
• How it works: COPPA contains an express preemption clause, but it reaches only state or local laws that are "inconsistent" with COPPA's treatment of the regulated activities. State laws that parallel COPPA or provide greater protections for children's online privacy are generally not treated as inconsistent, so states may impose additional or stricter requirements.
• Key takeaway: Organizations must comply with COPPA as a baseline and also with any applicable state children's privacy laws that go further.
FERPA (Family Educational Rights and Privacy Act)
• Preemption Type: Conditional — operates through funding conditions rather than traditional preemption
• How it works: FERPA does not directly preempt state law in the traditional sense. Instead, it conditions federal funding on compliance with its requirements. State laws can supplement FERPA, and many states have enacted student privacy laws.
State Privacy Laws and the Preemption Landscape
The explosion of comprehensive state privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, and others) has made preemption analysis more complex. Key observations include:
• No comprehensive federal privacy law exists (as of this writing): Because the U.S. lacks a single omnibus federal privacy law, states have considerable freedom to legislate in areas not covered by sector-specific federal laws.
• Proposed federal legislation: Various proposed federal privacy bills (such as the American Data Privacy and Protection Act, or ADPPA) have included preemption provisions that would override many state privacy laws. Whether future federal legislation will set a floor or a ceiling is a highly debated policy question.
• Data breach notification laws: All 50 states, the District of Columbia, and U.S. territories have enacted data breach notification laws. There is no general federal breach notification law; federal notification duties exist only in specific sectors (e.g., the HITECH Act breach notification rule for HIPAA-covered entities), so state laws are the primary authority for most organizations. If a general federal law were enacted, its preemption provisions would significantly impact this landscape.
• State laws with their own exemptions for federally regulated data: Some state privacy laws carve out data or entities already governed by federal law. For example, the CCPA/CPRA exempts certain data that is already regulated under HIPAA, GLBA, FCRA, and other federal statutes, acknowledging that those federal frameworks already provide protections and avoiding a preemption conflict.
Practical Framework for Analyzing Preemption
When analyzing whether a state law is preempted by a federal law, follow these steps:
1. Identify the applicable federal law — Does a federal law apply to the same subject matter, industry, or type of data?
2. Check for an express preemption clause — Does the federal statute contain explicit language preempting state law? If so, what is the scope?
3. Determine the type of preemption — Does the federal law set a floor (allowing stricter state laws), a ceiling (prohibiting stricter state laws), or completely occupy the field?
4. Compare the state law to the federal law — Is the state law more protective, less protective, or in direct conflict with the federal law?
5. Apply the preemption rule — Based on the type of preemption and the comparison, determine whether the state law survives or is preempted.
Key Principles to Remember
• Preemption does not mean all state laws are automatically overridden by any federal law.
• The type and scope of preemption varies significantly from statute to statute.
• In U.S. privacy law, floor preemption is the most common model — most federal privacy laws allow states to provide stronger protections.
• When a federal law sets a ceiling, states cannot impose stricter requirements in that specific area.
• The absence of federal legislation in an area generally leaves states free to regulate.
• When both federal and state laws apply, organizations must typically comply with both (i.e., follow the stricter standard).
Exam Tips: Answering Questions on Federal vs. State Authority and Preemption
Tip 1: Know the Preemption Provisions of Major Federal Privacy Laws
The exam will test your knowledge of how specific federal laws interact with state laws. Memorize whether each major statute (HIPAA, GLBA, FCRA, CAN-SPAM, COPPA, FERPA) uses floor preemption, ceiling preemption, or a combination. This is one of the highest-yield topics to study.
Tip 2: Understand the Difference Between Floor and Ceiling Preemption
Many exam questions hinge on whether a state can enact stronger protections. If the federal law sets a floor, the answer is generally yes. If it sets a ceiling, the answer is generally no. Pay close attention to the wording of the question — words like "more stringent," "greater protection," or "additional requirements" are clues.
Tip 3: Look for the Word "Contrary"
Many preemption clauses (such as HIPAA's) use the word "contrary" — they preempt state laws that are contrary to the federal standard. On the exam, a state law that is more protective is typically not considered "contrary" and thus is not preempted. A state law that is less protective or that directly conflicts would be preempted.
Tip 4: Remember That CAN-SPAM Is an Outlier
CAN-SPAM is notable because it is one of the few federal privacy-related laws that sets a ceiling — it preempts state laws that specifically regulate commercial email. This is a commonly tested distinction. Don't confuse it with the floor-preemption approach used by most other federal privacy laws.
Tip 5: Apply the "Stricter Standard" Rule
When the exam asks what an organization must do when both federal and state laws apply, and the federal law sets a floor, the answer is almost always that the organization must comply with the stricter of the two laws. This practical compliance principle is frequently tested.
Tip 6: Pay Attention to Exemptions in State Laws
The CCPA/CPRA and other state privacy laws exempt certain data or entities already covered by federal statutes (e.g., HIPAA-covered data, GLBA-covered data). Exam questions may test whether you understand these carve-outs and why they exist — they exist to avoid regulatory duplication and potential conflict with federal preemption doctrines.
Tip 7: Don't Assume Preemption Where None Exists
If the question involves a type of data or an industry not covered by a specific federal law, there is likely no preemption, and state law governs. For example, there is no comprehensive federal law on data breach notification, so state breach notification laws are not preempted.
Tip 8: Watch for "Complete" vs. "Partial" Preemption
Some federal laws preempt state laws only in specific, narrow areas while allowing state regulation in related but different areas. FCRA is a prime example. The exam may test whether you can distinguish between preempted and non-preempted areas within the same federal statute.
Tip 9: Know the Constitutional Basis
The exam may include questions about the constitutional foundations of preemption. Remember: the Supremacy Clause (Article VI) is the basis for preemption, the Commerce Clause (Article I, Section 8) is the primary basis for federal privacy legislation, and the Tenth Amendment reserves unenumerated powers to the states.
Tip 10: Use Process of Elimination
If you encounter a preemption question and are unsure of the answer, start by eliminating options that contradict core principles. For example, an answer stating that "all state privacy laws are preempted by federal law" is almost certainly wrong because the U.S. has no comprehensive federal privacy law. Similarly, an answer stating that "states can never regulate in areas covered by federal law" is too broad and likely incorrect because most federal privacy laws permit stricter state laws.
Tip 11: Understand Policy Arguments
The exam may include scenario-based questions that touch on the policy debate around preemption. Proponents of strong federal preemption argue it creates uniformity and reduces compliance burdens. Opponents argue it can weaken protections and remove states' ability to respond to local concerns. Understanding both sides helps with nuanced questions.
Tip 12: Practice with Scenarios
The best way to prepare is to practice applying preemption analysis to fact patterns. For example: "A state enacts a law requiring financial institutions to obtain a consumer's opt-in consent before sharing nonpublic personal information with nonaffiliated third parties. GLBA requires only an opt-out for such sharing. Is the state law preempted?" (Answer: No. GLBA sets a floor, and the state law is more protective, so it survives. Note the scenario is limited to nonaffiliated third parties; GLBA's opt-out does not apply to affiliate sharing, and state rules on sharing among affiliates raise a separate FCRA preemption question.)
Summary
Federal vs. state authority and preemption is a cornerstone topic of U.S. privacy law and the CIPP/US certification. The key concepts to master are:
• The U.S. system of federalism grants both federal and state governments the power to regulate privacy.
• The Supremacy Clause establishes that federal law prevails when there is a conflict.
• Preemption can be express or implied, and can set a floor (minimum standard) or a ceiling (maximum standard).
• Most federal privacy laws (HIPAA, GLBA, COPPA) set a floor, allowing states to impose stricter protections.
• CAN-SPAM is a notable exception, setting a ceiling for state email-specific laws.
• FCRA uses a mixed approach with both floor and ceiling provisions depending on the topic.
• In the absence of applicable federal law, states are free to legislate — which is why state privacy laws have proliferated.
• Organizations must comply with the stricter applicable standard when both federal and state laws apply.
By mastering these principles and applying the exam tips above, you will be well-prepared to answer preemption questions accurately and efficiently on the CIPP/US exam.