Federal and State Preemption of Local Privacy Regulation

Abstract

In recent years, cities have started to regulate the collection, use, and disclosure of personal data by local government agencies. Much of this regulatory activity involves setting limits on police department acquisition and/or use of surveillance equipment and technology or establishing privacy principles safeguarding all data collection and use by city agencies. Obviously, the prospects for successful local policymaking in the privacy arena (“privacy localism”) extend no further than the preemptive effect of applicable federal and/or state law. If federal electronic surveillance law preempts local surveillance ordinances or city privacy laws, that’s game, set, and match. State preemption of privacy localism poses an even greater threat given that cities derive their power to govern not from any federal sources of law but from state constitutional and statutory provisions as interpreted by state courts. Thus, states can override local privacy initiatives in either of two ways: by enacting laws that preempt local privacy laws or withdrawing city authority to adopt such laws. In short, quite apart from its substantive merits, the success or failure of privacy localism largely rests on cities finding ways to avoid preemption and maintain local power. This Article examines in detail the threat of federal and state overrides of privacy localism. This is a narrow perspective on privacy localism but of vital importance for the reason just given: federal — and especially state — preemption has the capacity to stop local privacy regulation in its tracks. The inquiry into federal preemption of local privacy regulation requires a review of over two dozen federal privacy statutes. This turns out to be quite manageable because so few of them bear directly on local surveillance ordinances or local regulation of city data practices (which are the principle concerns of privacy localism). State preemption is harder to tackle given that there are approximately 700 state privacy laws, which makes for a crowded regulatory arena with a seemingly endless capacity to override local privacy law. The sheer number of state laws requires some simplifying assumptions to guide the state preemption analysis. Because Seattle and New York city are leading the way in regulating local police use of surveillance technologies and local data practices, this Article will mostly focus on Washington and New York state laws regulating (1) video cameras and/or facial recognition, automatic license plate readers (ALPRs), and drones; and (2) government records or personal data collected by government agencies insofar as they overlap with Seattle and New York City’s locally adopted privacy rules.