State Privacy Enforcement Officials Argue for Strong State Role in Federal Privacy Law

• In a letter to a congressional Privacy Working Group, officials from California and New Jersey argued against preemptive federal privacy legislation.

• States, they argued, should (1) serve as vital laboratories for innovative privacy protections and (2) contribute robust enforcement capacities to strengthen protection of Americans’ privacy rights.

On April 7, 2025, officials from California and New Jersey sent a joint letter to a congressional Privacy Working Group recommending that any new federal privacy legislation should afford states wide latitude to adopt and enforce strong privacy protections.  The letter, from Tom Kemp, Executive Director of the California Privacy Protection Agency (CPPA), and Matthew J. Platkin, Attorney General of New Jersey, was directed to the Privacy Working Group established by the House Committee on Energy and Commerce in February 2025 to consider a federal comprehensive data privacy and security framework.  Rather than preempting the comprehensive laws currently in place in nearly 20 states, the officials argued that any new federal privacy legislation “should establish a floor of protections while allowing states the ability to adopt stronger protections.”

While the officials wrote in favor of federal privacy legislation, they cautioned that federal protections “should not come at the expense of protections that consumers already enjoy.”  “States play a crucial ongoing role in addressing emerging privacy challenges,” they wrote.  The letter also emphasized that states have the “flexibility and nimbleness to adapt quickly to novel technologies and data practices,” whereas federal lawmaking “moves more deliberately.”  States, they argue, are “powerful laboratories for successful privacy protections” and “should remain vital testing grounds for creative approaches to emerging privacy concerns.”

The letter also advocated for “incorporating state enforcement powers into federal privacy legislation” for “a more robust, multi-layered protection system for Americans’ privacy rights.”  Citing the CPPA and the Texas Attorney General’s Consumer Protection Division, they note that states have developed specialized teams of experts who are well qualified to address emerging privacy concerns.  As demonstration of this concept, they noted the 2023 review of business privacy practices by the Connecticut Attorney General and enforcement actions by the CPPA and the Texas Attorney General related to alleged data brokerage violations.