In a May 8, 2024, letter signed by the attorneys general of 14 other states, California Attorney General Rob Bonta urged Congress not to pass a version of the American Privacy Rights Act (APRA) that would preempt state consumer privacy laws. A copy of the letter can be found here.
The letter takes specific aim at a provision of the draft APRA providing that no state may “adopt, maintain, enforce, or continue in effect any law, regulation, rule, or requirement covered by the provisions” of the APRA or any regulations promulgated under it. While the APRA contains numerous exceptions to this preemption clause, according to Bonta, it would still wipe out numerous stronger state privacy laws in the 17 states that have passed them.
Bonta further argued that states are better at adapting to new technology and protecting consumer privacy, explaining that “[a] federal legal framework for privacy protections must allow flexibility to keep pace with technology; this is best accomplished by federal legislation that respects — and does not preempt — more rigorous and protective state laws.”
At the same time that California’s Consumer Privacy Rights Act may be facing federal preemption, the Consumer Privacy Protection Agency is holding three statewide stakeholder sessions on the CPPA’s proposed regulations on automated decision-making technology, risk assessments, and cybersecurity audits. While the CPPA has not begun the official rulemaking process for the draft regulations, the CPPA intends to “inform the public about the draft regulations, answer common questions, and gather feedback” at these sessions. The locations and times are available here.