California AG leads call for federal data privacy ‘floor, not ceiling’

The potential creation of a federal data privacy law ‘ceiling’ sparked concern among state attorneys general.
California Attorney General Rob Bonta speaks in San Francisco in November 2021. (Justin Sullivan / Getty Images)

A coalition of 10 state attorneys general, led by Rob Bonta of California, has called on Congress to adopt national data privacy legislation that “sets a federal floor, not a ceiling.”

In a letter dated July 19, Bonta and colleagues from Connecticut, Illinois, Maine, Massachusetts, Nevada, New Jersey, New Mexico, New York and Washington urged congressional leaders to “respect the important work already undertaken by states to provide strong privacy protections for our residents.”

While the attorneys general agreed in their letter that national consumer protections should be strengthened, they attempted to dissuade members of Congress from supporting federal legislation that would inhibit states’ ability to enforce additional data privacy and security protections.  


Congress has a history of setting floors rather than ceilings for personal data protections, and this approach has worked well in the past, the letter argued. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, for example, established national protections for sensitive medical information, but allowed states to enforce their own standards, provided that they were not in contradiction with the federal law.

“Any federal privacy framework must leave room for states to legislate responsively to changes in technology and data collection practices,” the attorneys general wrote in their letter. States are “better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight,” they wrote. States are also better positioned than the federal government to “align enforcement efforts with those areas most affecting our respective residents,” they said.

The attorneys general also expressed concern in their letter over two draft federal privacy bills currently in circulation — the American Data Privacy and Protection Act, or ADPPA, and the Consumer Online Privacy Rights Act, or COPRA. The texts of these bills as drafted “appear to substantially preempt many states’ ability to investigate” violations of the federal law at the state level, they said. 

California passed its landmark Consumer Privacy Act in 2018, and since then several states have pursued similar legislation to give consumers greater control over their personal information and how it is shared, used and stored by businesses.

California, Colorado, Connecticut, Utah and Virginia have so far enacted comprehensive consumer data privacy laws, while Michigan, Ohio, Pennsylvania, Massachusetts and New Jersey currently have data privacy bills in committee, according to the International Association of Privacy Professionals.


While Bonta has championed strong data privacy protections for Californians, he has also been accused of not holding his own office to the same high standards as the private sector. Last month, the California Department of Justice launched a data portal that accidentally included the personal information of thousands of Californians who were granted or denied a permit to carry a concealed weapon between 2011 and 2021.

Bonta said at the time he was “deeply disturbed and angered” by the leak and had launched an investigation into the incident.
